Chapter 5 - Risk Management Processes
Enterprise risk management is a process, effected by an entity’s board of directors, management and other
personnel, applied in strategy setting and across the enterprise, designed to identify potential events that
may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance
regarding the achievement of entity objectives.
Determining whether risk management processes are effective is a judgment resulting from the internal
auditor's assessment that:
• Organizational objectives support and align with the organization's mission;
• Significant risks are identified and assessed;
• Appropriate risk responses are selected that align risks with the organization's risk appetite; and
• Relevant risk information is captured and communicated in a timely manner across the organization,
enabling staff, management, and the board to carry out their responsibilities.
2120.A1—The internal audit activity must evaluate risk exposures relating to the organization’s
governance, operations, and information systems regarding the:
• Reliability and integrity of financial and operational information;
• Effectiveness and efficiency of operations;
• Safeguarding of assets; and
• Compliance with laws, regulations, and contracts.
Risk Matrix
Risk is usually defined as the possibility that an event will occur (that is, a threat will materialise) and
adversely affect the achievement of objectives. It is measured in terms of the degree of likelihood that
the event might occur, coupled with the probable impact should the event occur.
On the matrix, the circle represents either the inherent risk (the level of risk the organisation would be
exposed to if there were no mitigating measures in place at all) or the gross risk (the level it is currently
exposed to if it takes no further mitigating actions). The triangle marks the residual risk: the level
remaining after the chosen mitigating actions have been introduced and applied. The distance between the
two shows how much the selected responses are expected to reduce the risk, and whether the residual level
sits within the organisation's risk appetite.
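The scoring described above (likelihood combined with impact, inherent versus residual, compared against risk appetite) is easy to get wrong in a spreadsheet, so here is a small worked risk register in Python. This is an added illustration, not material from the chapter: the five-point scales, the low/medium/high bands, the appetite threshold and the three sample risks are all constructed assumptions.

```python
"""Risk-matrix scoring for a small risk register: inherent (gross) vs residual risk.

Added illustration; the likelihood/impact scales, the score bands, the appetite
threshold and the sample register are constructed assumptions, not taken from
the chapter.
"""
from dataclasses import dataclass

# Assumed ordinal scales (1..5); a risk score is likelihood x impact, so 1..25.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


def score(likelihood: str, impact: str) -> int:
    """Combine likelihood and impact the way the matrix does: one cell per pair."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def band(value: int) -> str:
    """Assumed colour bands of the matrix: low (<8), medium (8-14), high (>=15)."""
    if value >= 15:
        return "high"
    if value >= 8:
        return "medium"
    return "low"


@dataclass
class Risk:
    name: str
    inherent: tuple  # (likelihood, impact) with no mitigation: the "circle"
    residual: tuple  # (likelihood, impact) after chosen controls: the "triangle"

    def inherent_score(self) -> int:
        return score(*self.inherent)

    def residual_score(self) -> int:
        return score(*self.residual)


def assess(risk: Risk, appetite: int) -> dict:
    """Compare residual risk against the appetite (maximum tolerated score).

    Also flags a response that did not reduce the score at all, which should
    prompt the auditor to question whether the chosen response is appropriate.
    """
    inh, res = risk.inherent_score(), risk.residual_score()
    return {
        "name": risk.name,
        "inherent": inh,
        "inherent_band": band(inh),
        "residual": res,
        "residual_band": band(res),
        "within_appetite": res <= appetite,
        "control_effective": res < inh,
    }


# Constructed sample register (not from the chapter).
REGISTER = [
    Risk("Unpatched internet-facing server", ("likely", "major"), ("unlikely", "major")),
    Risk("Loss of laptop holding customer data", ("possible", "severe"), ("possible", "minor")),
    Risk("Key supplier outage", ("possible", "moderate"), ("possible", "moderate")),
]


def assess_register(register=REGISTER, appetite: int = 8) -> list:
    """Score every risk in the register against the same appetite threshold."""
    return [assess(r, appetite) for r in register]


def exceptions(register=REGISTER, appetite: int = 8) -> list:
    """Names of risks still outside appetite after mitigation: what gets escalated."""
    return [a["name"] for a in assess_register(register, appetite) if not a["within_appetite"]]


if __name__ == "__main__":
    for entry in assess_register():
        print(entry)
    print("Outside appetite:", exceptions())
```

With these assumed scales the server risk drops from 16 (high) to 8 (medium) and lands exactly on the appetite line, the laptop risk falls to 6 (low), and the supplier risk stays at 9 with no change, so it is reported both as outside appetite and as having an ineffective response; that second flag is the kind of signal an auditor uses when judging whether "appropriate risk responses are selected".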