Guide To Auditing Risk Management


RISK-ACADEMY’S GUIDE TO AUDITING RISK MANAGEMENT

Structure of the guide
Guide to auditing risk management
Introduction
Step 1. Audit how well risk management is integrated into decision making
Step 2. Audit how well risk thinking is integrated into culture
Step 3. Audit how well risk information is integrated into disclosure and reporting
Step 4. Audit whether risk management team is adequate to support organisa…
Lessons learned from recent failures
Inadequate risk identification and assessment
Insufficient risk mitigation and response
Inadequate risk monitoring and reporting
Weak collaboration and communication
Trends in risk management and auditing
Emphasis on quantitative risk analysis
Integration of behavioral economics and neuroscience
Agile risk management and auditing
Risk management and auditing in the digital age
Action plan
Additional resources
Useful videos on the topic
Recommended reading
Contact the author
Legal disclaimer and copyright notice
Guide to auditing risk management

Introduction
Welcome to the RISK-ACADEMY's Auditing Risk Management Guide, a comprehensive
resource designed to help organizations assess and improve the effectiveness of their risk
management practices. In today's complex and uncertain business environment, effective risk
management is more important than ever. As such, this guide aims to provide practical
insights and recommendations for evaluating and enhancing your organization's risk
management efforts.
This guide covers four key components of effective risk management: integrating risk into
decision-making, building a strong risk management culture, disclosing risk information, and
continuously improving risk management practices. Each of these components is explored in
depth, with real-world examples and actionable strategies to help you better understand and
implement these critical aspects of risk management.
Throughout the guide, you will discover:
• How to integrate risk management into your organization's decision-making processes,
ensuring that potential risks are considered and addressed when making strategic and
operational decisions.
• The importance of cultivating a strong risk management culture, which fosters
awareness, understanding, and proactive management of potential risks.
• The value of disclosing risk information, both internally and externally, to promote
transparency, accountability, and stakeholder confidence.
• The need for continuous improvement in your organization's risk management
practices, ensuring that your risk management processes remain up-to-date and
effective in the face of evolving risks and industry best practices.
By focusing on these four components, this guide aims to equip you with the knowledge and
tools needed to assess and enhance your organization's risk management effectiveness.
Whether you are new to risk management or a seasoned professional, the RISK-ACADEMY's
Auditing Risk Management Guide offers valuable insights and practical recommendations to
help you navigate the challenges and uncertainties of today's business landscape.
Step 1. Audit how well risk management is integrated
into decision making
One of the most important tests of true risk management effectiveness is the level of risk
management integration into decision making, planning and performance management.
Companies capable of systematically integrating risk management into planning, budgeting
decisions, investment decisions, core operational business processes, and key supporting
functions achieve long-term sustainable advantages compared to organisations that merely build
risk management frameworks and processes according to COSO ERM or ISO 31000.
Examples of successful risk integration:
• Large Investment Fund: This organization makes investment decisions only after
conducting independent risk analyses and performing simulations to test the effect of
uncertainty on key project assumptions and forecasts. This approach ensures that the
fund considers potential risks when making investment decisions.
• Large Airline: When making strategic decisions, this company evaluates several
alternatives and performs risk assessments for each alternative. By considering the
potential risks associated with each option, the airline can make better-informed
decisions that align with its objectives and risk appetite.
To assess the integration of risk management into decision-making processes, consider the
following steps:
Review documentation and processes
• Request and review relevant documents, including strategic plans, budgets, investment
proposals, and risk management policies.
• Assess the extent to which risk assessments are incorporated into these documents
and processes.
Interview key stakeholders
• Conduct interviews with senior management, board members, and employees across
various departments to gauge their understanding and application of risk management
in their decision-making processes.
• Ask about the tools and techniques used to identify, assess, and prioritize risks, as well
as the frequency of risk assessments.
Evaluate risk management tools and techniques
• Review the risk assessment methodologies used by the organization, such as stress
tests, assumptions checks, decision trees or other quantitative risk analysis tools.
• Assess the adequacy of these methodologies in addressing the organization's specific
risks and ensuring that risk management is effectively integrated into decision-making
processes.
Examine risk communication and reporting
• Determine whether risk information is communicated effectively to support decision-making
processes across the organization.
Observe risk management in action
• Attend key decision-making meetings, such as strategy sessions, budget reviews, or
investment committee meetings, to observe how risk management is integrated into
discussions and decision-making processes.
• Take note of the extent to which risks are actively considered and incorporated into
decisions, as well as any gaps or areas for improvement.
Provide feedback and recommendations
• Based on your findings, provide feedback and recommendations to the organization on
how to improve the integration of risk management into decision-making processes.
• Identify any areas where risk management integration may be weak, and offer
suggestions for enhancing risk management practices, tools, and methodologies to
better support decision-making.
Step 2. Audit how well risk thinking is integrated into
culture
Human psychology and the ability of business managers to make decisions in situations of
great uncertainty have a significant impact on risk management effectiveness. A robust risk
management culture is fundamental to effective risk management, as it encourages
awareness and understanding of potential risks and promotes informed decision-making.
Examples of organizations with strong risk management cultures:
• Large Petrochemical Company: This organization used online and face-to-face training
to raise risk management awareness and competencies across all staff levels.
Additionally, the company allocated resources to integrate risk management principles
into its overall culture, fostering an environment where risk is openly acknowledged and
addressed.
• Government Agency: This agency documented transparent discussion and sharing of
information about risks as one of its corporate values, later communicated to all
employees. By promoting openness and collaboration around risk management, the
agency fosters a culture that values informed decision-making and proactive risk
management.
To assess the strength of an organization's risk management culture and decision makers'
attitudes to risk taking, consider the following steps:
Review risk management policies and corporate values
• Request and review the organization's risk management policies, corporate values, and
any other documents that outline the company's approach to risk management and risk
culture.
• Assess how these policies and values promote risk awareness and understanding, and
how they are communicated to employees.
Evaluate training and development programs
• Review the organization's risk management training and development programs,
including online and face-to-face training initiatives, to gauge their effectiveness in
raising risk awareness and competencies across all staff levels.
• Request and review training materials, attendance records, and feedback from
participants.
Interview key stakeholders and employees
• Conduct interviews with senior management, board members, and employees from
various departments to gauge their understanding of risk management principles and
their attitude towards risk taking and risk-based decision making.
• Inquire about individual decision-makers' biases and risk appetites, and how these may
impact the integration of risk management within the organization.
Assess communication and collaboration around decision making
• Analyze the channels and mechanisms used by the organization to facilitate open
discussion and sharing of risk-related information as part of planning, budgeting,
investment decision making and performance reviews.
• Assess the extent to which risks and their effects on decisions are discussed openly
and collaboratively across the organization.
Review the decision makers' approach to risk-taking
• Assess the decision makers' attitude towards risk-taking, including their tolerance for risk
and the strategies they use to balance risk and reward.
• Determine whether risk-taking within the company is informed by a solid understanding
of potential risks and robust risk management processes.
Examine initiatives to improve risk culture and risk-taking attitude
• Investigate any ongoing or planned initiatives aimed at enhancing the organization's
risk culture and risk-taking attitude, such as targeted training programs, risk awareness
campaigns, or the introduction of new risk management tools and techniques.
• Evaluate the effectiveness of these initiatives in fostering a culture that values informed
decision-making and proactive risk management.
Provide feedback and recommendations
• Based on your findings, provide feedback and recommendations to the organization on
how to strengthen its risk management culture and promote informed risk-taking.
• Identify any areas where the organization's risk culture may be weak, and offer
suggestions for enhancing awareness, communication, and collaboration around risk
management.
Step 3. Audit how well risk information is integrated
into disclosure and reporting
The willingness and ability of an organization to document and disclose risk-related
information, both internally and externally, are critical aspects of effective risk management.
Mature companies document the results of risk analyses in internal decision-making
processes and disclose information about risks and their mitigation to relevant stakeholders,
where appropriate.
While actual risk information may be sensitive and contain commercial secrets, the focus of
disclosure should be on the risk management framework, executive commitment to managing
risks, and the organization's culture. Many organizations treat risk disclosure formally, often
copying risk management information in external reporting without updating it.
Disclosing risk management information allows companies to both make and save money. For
example, the insurance market reacts positively to a company's ability to disclose information
about the effectiveness of its risk management and control environment, offering reductions in
insurance premiums. Banks and investors also view risk disclosure positively, allowing
companies to lower their financing costs.
To assess the quality and extent of an organization's level of integration of risk information into
management reporting and disclosure, consider the following steps:
Review management and performance reporting
• Request and review internal management performance reports to assess how well the
organization documents the results of risk analyses in its performance measurement,
key performance metrics and action plans.
• Examine the quality, depth, and comprehensiveness of the documented risk
information.
Assess external risk disclosure practices
• Review the organization's annual reports, investor presentations, and other external
communications to evaluate the extent and quality of risk disclosure.
• Determine whether the focus of disclosure is on the risk management framework,
executive commitment to managing risks, and the organization's culture, rather than on
specific risks that may be sensitive or contain commercial secrets.
Interview management and risk personnel
• Conduct interviews with senior management, risk management personnel, and other
key stakeholders to understand the organization's approach to documenting and
disclosing risk information.
• Discuss the organization's rationale behind the level of disclosure, and inquire about
any challenges or barriers to more comprehensive risk disclosure.
Evaluate stakeholder communication
• Assess the organization's communication with relevant stakeholders, such as
investors, regulators, and customers, regarding risk management information.
• Examine the quality and frequency of these communications, and whether they provide
a clear and accurate picture of the organization's risk management efforts.
Benchmark against industry standards and best practices
• Compare the organization's risk documentation and disclosure practices to industry
standards and best practices.
• Identify any gaps or areas where the organization could improve its risk documentation
and disclosure to better align with industry expectations.
Assess the impact of risk disclosure on financial performance
• Investigate how the organization's risk disclosure practices impact its financial
performance, such as insurance premiums, financing costs, and investor relations.
• Determine whether the organization is effectively leveraging risk disclosure to make
and save money.
Provide feedback and recommendations
• Based on your findings, provide feedback and recommendations to the organization on
how to improve its risk documentation and disclosure practices.
• Offer suggestions for enhancing the quality, depth, and extent of risk information
documentation and disclosure, both internally and externally.
Step 4. Audit whether risk management team is
adequate to support organisational objectives
The final criterion for effective risk management is the continuous improvement of the risk
management framework and the risk team itself. The rapid development of risk management
as a discipline necessitates that organizations regularly assess and enhance their risk
management practices.
One investment fund achieved continuous improvement through regular assessments of the
quality and timeliness of their risk analyses, back testing the methodologies, annual risk
management culture assessments, and periodic reviews of the risk management team's
competencies. For example, education in probability management and decision science helps
boost the risk team's competencies and ensures that they stay up-to-date with the latest best
practices in risk management.
The ISO 31000:2018 standard is currently being reviewed by more than 200 specialists from
30 different countries. Some of the suggestions for the new version of the standard include
the greater need for integration of risk management into business activities, including
decision-making, and the need to explicitly take into account human and cultural factors.
These changes could have a significant impact on many modern non-financial organizations,
raising questions about their risk management effectiveness.
To evaluate the organization's commitment to continuous improvement and the right fit for the
risk management team, consider the following steps:
Review risk management methodologies and frameworks
• Request and review documents related to the organization's risk management
methodologies and frameworks.
• Assess whether these methodologies are appropriate for the level of risk exposure the
organization faces and are in line with industry best practices.
Examine the risk management team's skills and resources
• Review the qualifications, certifications, and experience of the risk management team
members.
• Assess whether the team has the necessary skills and resources to effectively support
the organization's risk exposure, including experience in decision science, probability
theory and behavioural economics.
• Determine whether the organization invests in professional development and training
opportunities for its risk management team.
Evaluate the organization's commitment to continuous improvement
• Review documents related to the organization's continuous improvement processes,
such as regular backtesting of risk analysis quality, risk management culture
assessments, and periodic reviews of the risk management team's competencies.
• Interview risk management personnel and senior management to understand their
commitment to continuous improvement and the processes they have in place to
support this goal.
Assess the organization's response to regulatory changes and industry trends
• Examine how the organization monitors and adapts to changes in risk management
standards, such as the ISO 31000:2018 standard, and evolving industry trends.
• Determine whether the organization proactively incorporates new risk management
best practices and regulatory changes into its existing framework.
Benchmark against industry standards and best practices
• Compare the organization's continuous improvement efforts in risk management to
industry standards and best practices.
• Identify any gaps or areas where the organization could improve its commitment to
continuous improvement in risk management.
Provide feedback and recommendations
• Based on your findings, provide feedback and recommendations to the organization on
how to enhance its commitment to continuous improvement in risk management.
• Offer suggestions for improving risk management methodologies, the risk team's skills
and resources, and the organization's overall approach to continuous improvement in
risk management.
Lessons learned from recent failures
In risk management and auditing, challenges and failures can provide valuable insights and
opportunities for improvement. By analyzing past failures, organizations can identify areas for
development, strengthen decision making and risk management processes, and avoid similar
issues in the future. This section examines some notable challenges and failures in risk
management and auditing, highlighting the lessons that can be learned.

Inadequate risk identification and assessment


The SolarWinds cyber attack in 2020 represents a significant failure in risk identification and
assessment (CISA, 2020). The attack, which compromised the software supply chain of
SolarWinds' Orion platform, affected numerous organizations, including government agencies
and private companies. The incident highlights the importance of comprehensive risk
identification and assessment, including potential risks within the supply chain.
Lessons learned:
• Integrate quantitative risk analysis into procurement and vendor management,
including supply chains and third-party relationships.
• Perform risk assessments whenever important decisions are being taken.

Insufficient risk mitigation and response


The impact of the COVID-19 pandemic on businesses across various industries serves as a
stark reminder of the importance of effective risk mitigation and response. Many organizations
were unprepared for the scale and duration of the pandemic, leading to operational
disruptions, financial losses, and long-lasting consequences (McKinsey & Company, 2020).
Lessons learned:
• Support decision makers by testing their proposed risk mitigation strategies to ensure
they actually reduce risk exposure.
• Review business continuity and crisis management plans to ensure a swift and
effective response to unexpected events.

Inadequate risk monitoring and reporting


The Wirecard scandal in 2020 exposed the consequences of inadequate risk monitoring and
reporting (Financial Times, 2020). The German payment processing company was accused of
fraud, embezzlement, and irregular accounting practices, leading to the company's insolvency.
The failure to identify and report these risks earlier contributed significantly to the company's
downfall.
Lessons learned:
• Integrate risk information into normal performance monitoring and reporting
mechanisms to ensure timely communication of risks and issues.
• Foster a culture of transparency and accountability, encouraging open communication
about risks and promoting ethical practices.
Weak collaboration and communication
The Ever Given incident in the Suez Canal in 2021 demonstrated the importance of effective
collaboration and communication in managing risks (BBC News, 2021). The grounding of the
container ship caused significant disruptions to global trade and required coordinated efforts
from multiple stakeholders to resolve the situation.
Lessons learned:
• Encourage collaboration and communication among stakeholders to ensure a
comprehensive understanding of risks and their potential impacts on the decisions
being taken.
• Develop mechanisms for sharing information and coordinating actions in response to
complex risk events.
Trends in risk management and auditing
In recent years, the risk management and auditing landscape has undergone significant
transformation, driven by advancements in technology, shifting regulatory environments, and
the growing complexity of business operations. This chapter explores some key trends and
innovations that are shaping the future of risk management and auditing, providing references
and specific examples for further understanding.

Emphasis on quantitative risk analysis


As the limitations of qualitative risk analysis methods become more apparent, there has been
a notable shift towards quantitative risk analysis techniques (Hubbard, 2009). Quantitative risk
analysis provides a more objective and accurate assessment of risks by using numerical data,
statistical models, and probability theory. For example, the use of Monte Carlo simulations has
gained popularity as a way to model the uncertainty and variability associated with certain
risks.
Incorporating decision science and probability theory into risk analysis allows organizations to
better understand the potential impact of risks on their objectives and make more informed
decisions. Techniques such as decision trees, cost-benefit analysis, and Bayesian networks
are being used to facilitate decision-making under uncertainty (Clemen & Reilly, 2013).
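As an added worked example (not code from the guide or from RISK-ACADEMY), this script shows the Monte Carlo approach described above as the Large Investment Fund applies it in Step 1: it re-prices a project's NPV under triangular ranges for the key assumptions and reports the chance of a loss and the P10/P50/P90 outcomes. It also carries out the back-test of earlier forecasts that Step 4 and the action plan call for. The assumption ranges, the project structure and the back-test data are constructed for illustration.

```python
"""Monte Carlo test of a project forecast under uncertain assumptions, plus a
back-test of earlier forecast intervals. All numbers are constructed examples."""
import random
import statistics
from typing import Dict, List, Sequence, Tuple

# Each assumption is a (low, most_likely, high) triple, the kind of range an
# analyst elicits from the business; low == high means a point estimate.
Range = Tuple[float, float, float]


def sample(rng: random.Random, r: Range) -> float:
    """Draw one value from a triangular distribution over the range."""
    low, mode, high = r
    if low == high:  # certain input, nothing to simulate
        return low
    return rng.triangular(low, high, mode)


def npv(cash_flows: Sequence[float], rate: float) -> float:
    """Net present value; cash_flows[0] is the undiscounted year-0 flow."""
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cash_flows))


def project_npv(capex: float, revenue: float, growth: float,
                margin: float, rate: float, years: int) -> float:
    """NPV of a hypothetical project: capex now, then `years` of growing
    revenue earned at an operating margin."""
    flows = [-capex]
    for _ in range(years):
        flows.append(revenue * margin)
        revenue *= 1.0 + growth
    return npv(flows, rate)


def simulate(assumptions: Dict[str, Range], years: int = 5,
             runs: int = 20_000, seed: int = 7) -> List[float]:
    """Re-price the project `runs` times, each with a fresh draw of every assumption."""
    rng = random.Random(seed)
    results = []
    for _ in range(runs):
        d = {name: sample(rng, r) for name, r in assumptions.items()}
        results.append(project_npv(d["capex"], d["revenue"], d["growth"],
                                   d["margin"], d["rate"], years))
    return results


def summarise(npvs: Sequence[float]) -> Dict[str, float]:
    """Decision-relevant statistics: chance of a loss and the P10/P50/P90 outcomes."""
    s = sorted(npvs)
    n = len(s)

    def pct(p: float) -> float:
        return s[min(n - 1, int(p * n))]

    return {
        "p_loss": sum(1 for x in s if x < 0.0) / n,
        "p10": pct(0.10),
        "p50": pct(0.50),
        "p90": pct(0.90),
        "mean": statistics.fmean(s),
    }


def interval_hit_rate(forecasts: Sequence[Tuple[float, float]],
                      actuals: Sequence[float]) -> float:
    """Back-test: share of realised outcomes that landed inside the forecast
    (low, high) interval. For 80% intervals this should sit near 0.8; a much
    lower rate points to overconfident assumptions or model error."""
    hits = sum(1 for (lo, hi), a in zip(forecasts, actuals) if lo <= a <= hi)
    return hits / len(actuals)


# Constructed assumption ranges for a hypothetical 5-year project (in $m).
EXAMPLE_ASSUMPTIONS: Dict[str, Range] = {
    "capex": (90.0, 100.0, 130.0),   # overruns are more likely than savings
    "revenue": (30.0, 40.0, 45.0),   # year-1 revenue
    "growth": (-0.05, 0.05, 0.12),   # annual revenue growth
    "margin": (0.35, 0.50, 0.55),    # operating margin
    "rate": (0.08, 0.10, 0.12),      # discount rate
}

if __name__ == "__main__":
    stats = summarise(simulate(EXAMPLE_ASSUMPTIONS))
    print("Probability of negative NPV: {:.1%}".format(stats["p_loss"]))
    print("P10 / P50 / P90 NPV: {p10:.1f} / {p50:.1f} / {p90:.1f}".format(**stats))
    # Constructed back-test: five earlier 80% forecast intervals vs. what happened.
    past = [(0.0, 10.0), (5.0, 15.0), (-5.0, 5.0), (10.0, 20.0), (0.0, 10.0)]
    realised = [5.0, 20.0, 0.0, 12.0, 11.0]
    print("Share of outcomes inside forecast intervals:",
          interval_hit_rate(past, realised))
```

With point estimates for every assumption the simulation collapses to the ordinary single-number NPV, which is a useful sanity check of the model before the ranges are switched on.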

Integration of behavioral economics and neuroscience


Cognitive biases, such as confirmation bias and anchoring, can significantly impact risk
perception and decision-making (Kahneman, 2011). To address these biases, risk
management and auditing professionals are increasingly incorporating insights from
behavioral economics and neuroscience into their practices.
By understanding the role of emotions and intuition in decision-making, organizations can
develop strategies to mitigate the effects of cognitive biases and improve the objectivity of
their risk assessments. For instance, adopting a pre-mortem analysis technique, where
potential future failures are imagined and analyzed, can help challenge overconfidence and
groupthink (Klein, 2007).

Agile risk management and auditing


Agile methodologies, which emphasize iterative, flexible, and adaptive processes, are being
applied to risk management and auditing practices (KPMG, 2018). By adopting an agile
approach, organizations can better respond to the rapidly changing risk landscape, foster
collaboration among stakeholders, and embrace continuous improvement.
Agile Risk Management Frameworks encourage collaboration between risk management and
business teams and promote iterative risk assessment and response. Similarly, agile auditing
practices focus on enhancing audit efficiency, effectiveness, and collaboration between audit
teams and business stakeholders.

Risk management and auditing in the digital age


The increasing digitalization of business operations is revolutionizing risk management and
auditing practices. Digital tools, such as risk management software, data analytics, and
visualization tools, are being used to improve risk identification, assessment, and monitoring,
as well as streamline risk reporting and communication.
The COVID-19 pandemic has accelerated the adoption of remote work and virtual
collaboration in various industries, including risk management and auditing. Remote auditing
and digital collaboration tools enable audit teams to conduct their work more efficiently and
effectively while ensuring data security and privacy.
Action plan
• Assess the integration of risk management into decision-making processes: Evaluate how
well your organization incorporates risk assessments into planning, budgeting, investment
decisions, and operational processes.
• Assess risk management culture: Review the initiatives designed to raise risk management
awareness and competencies across all staff levels, fostering an environment that values
informed decision-making and proactive risk management.
• Balance risk disclosure and confidentiality: Review guidelines for documenting and
disclosing risk-related information internally and externally, ensuring that sensitive
information is protected while promoting transparency and accountability.
• Continuously evaluate risk management effectiveness: Regularly back test the quality and
timeliness of risk analyses, the strength of your organization's risk management culture,
and the competencies of your risk management team. Check for model error.
• Monitor developments in risk management standards: Stay informed about updates to risk
management standards, such as ISO 31000:2018, and implement any necessary changes to
your organization's risk management practices accordingly.

Read other useful guides produced by RISK-ACADEMY.

If at any stage you have a question, book a free call with Alex Sidorenko.
Additional resources

Deep dive into advanced risk management using this online course
This course gives guidance, motivation, critical information, and practical case studies to
move beyond traditional risk governance, helping ensure risk management is not a stand-alone
process but a change driver for business.
https://courses.dcroi.org/courses/alex-sidorenko

Automate your quantitative risk analysis using Archer Insight and support business decision making
Archer Insight is a suite of enterprise-wide risk quantification capabilities for business
leaders designed to deliver a complete view of enterprise risks, improve resilience, and ensure
achievement of strategic goals.

This innovative solution provides business leaders with more precision in an aggregated view
of risks that allows them to ensure compliance and better protect their business from disruption.

Using Archer Insight, organizations can conduct risk quantification analysis, monitor, and
report on their risk management programs and then provide business leaders and
decision-makers with quantitative, transparent, and actionable information needed to make
strategic business decisions.

https://www.archerirm.com/insight-risk-academy
Useful videos on the topic
Recommended reading

Risk appetite refers to an individual or organization’s willingness to take on risks in pursuit
of potential returns. It is an important consideration for businesses, as it can determine the
types of investments and strategic decisions they make. A high risk appetite may lead to a focus
on high-growth, speculative investments, while a low risk appetite may result in a preference
for more conservative, steady returns. It is important for businesses to carefully assess and
manage their risk appetite in order to make informed decisions and achieve their financial goals.

Download the full guide to read about documenting risk appetite, reviewing risk appetite, case
studies and examples and additional video resources: Guide to risk appetite 2023

Attention all risk management professionals! We are proud to announce the publication of our
comprehensive guide to compliance risk management. This guide covers the latest industry best
practices and provides practical advice for managing compliance risks in your organization.
Whether you are new to the field or an experienced professional, this guide is designed to help
you effectively identify, assess, and mitigate compliance risks.

Get your copy today and stay ahead of the game in the ever-evolving world of compliance risk
management.
https://riskacademy.blog/risk-academys-guide-on-compliance-risk-in-non-financial-companies-free-download/

This guide is designed to assist non-financial organisations in developing and using risk
registers to support important business decisions. The premise of the guide is that risk
registers should be used less frequently than is considered normal in the industry and the
format of the risk register should be very different to what is believed to be best practice.
https://riskacademy.blog/risk-academys-guide-to-risk-registers/

In this guide, we will delve deep into the multifaceted world of risk culture, providing you
with valuable insights and practical steps to foster a robust risk culture within your
organization.

We will share case studies from a diverse range of industries, allowing you to learn from the
successes and challenges faced by other organizations in their quest to develop a strong risk
culture. Simple, practical steps, trialed and tested by the RISK-ACADEMY team.
https://riskacademy.blog/risk-academys-guide-to-risk-culture/

We are proud to announce the release of a comprehensive guide for alternative risk management
in Public-Private Partnership (PPP) projects. Developed in collaboration with Alex Belkov, a
globally recognized specialist in risk analysis for large infrastructure projects, this guide
provides a step-by-step approach to incorporating risk analysis into the planning process of a
PPP project.
https://riskacademy.blog/risk-academys-guide-on-risk-management-in-government-projects/
Contact the author

ALEX SIDORENKO, CRMP.RR, CT31000, CTA31000

Alex Sidorenko is an expert with over 16 years of risk management experience in private
equity, sovereign funds, investment authorities and venture capital firms across Australia,
CIS, GCC.

Successfully implemented changes to quantitative risk analysis, risk-based decision making
and neuroscience as a CRO at EuroChem (global fertilizer $10B) and RUSNANO (private equity
fund $3B).

Saved more than $13 million per year in premiums on cargo, liability and PD/BI insurance
through industry leading quantitative risk analysis without changing deductibles and while
doubling the limits.

Successfully defended the corporate risk profile at the Ministry of Finance and secured more
than $1B in extra funding.

Author of the most popular free risk management book in the world, more than 200K downloads
in 3 languages.

Risk manager of the year, FERMA, 2021; Honourable mention 2021, RIMS; Risk manager of the
year, RUSRISK, 2014; Best ERM Implementation, RUSRISK, 2014; Best risk management training,
RUSRISK, 2013, 2014, 2015; finalist in risk management awards in 2018 and 2019.

Since 2012 Alex has run RISK-ACADEMY, a highly successful company focused on providing risk
management integration services, risk modeling, training and auditing to private equity firms
(direct investment and funds) as well as sovereign wealth funds. Alex’s specialization is risk
management integration, risk-based investment decision making, value creation and asset
management.

Book a free no obligations call with Alex.


Legal disclaimer and copyright notice
The information contained in this guide is for general informational purposes only and is not intended as
legal or professional advice. The guide is provided by RISK-ACADEMY and while we endeavor to keep
the information up-to-date and correct, we make no representations or warranties of any kind, express or
implied, about the completeness, accuracy, reliability, suitability or availability with respect to the guide or
the information, products, services, or related graphics contained in the guide for any purpose. Any
reliance you place on such information is therefore strictly at your own risk.

In no event will we be liable for any loss or damage including without limitation, indirect or consequential
loss or damage, or any loss or damage whatsoever arising from loss of data or profits arising out of, or in
connection with, the use of this guide.

Through this guide, you may be able to access other websites and resources provided by third parties.
RISK-ACADEMY has no control over the content of these sites or resources and assumes no
responsibility for them or for any loss or damage that may arise from your use of them.

RISK-ACADEMY reserves the right to make changes to this guide at any time without prior notice.

The information, content and format contained in this guide is protected by copyright. Reproduction of
any part of this guide, in any form or by any means, without the express written permission of RISK-
ACADEMY is strictly prohibited. The guide is for personal use only and may not be used for commercial
purposes or be distributed for profit.

By accessing and using this guide, you acknowledge and agree to the above Legal Disclaimer and
Copyright Notice.
