Boards of directors and senior management looking for help on how to assess the adequacy of their enterprise-wide risk management practices now have a new guidance to turn to from the Institute of Internal Auditors.

“Our research with chief audit executives around the globe is telling us that internal auditors are being looked to more and more to offer independent, objective opinions about whether an organization's risk management activities are effective,” says IIA Vice President of Standards and Guidance Beryl Davis.

The new IIA guide, "Assessing the Adequacy of Risk Management Using ISO 31000," a framework established by the Geneva-based International Organization for Standardization, offers internal auditors three self-contained approaches to forming such a conclusion, each of which chief audit executives could tailor to meet the specific needs of their organization.

Taking a process elements approach can help internal auditors determine whether each of the seven foundational elements of the risk management process identified in ISO 31000 is in place, the guide says. These elements are communication; setting the context; risk identification; risk analysis; risk evaluation; risk treatment; and monitoring and review.

The key principles approach is rooted in the concept that to be fully effective, the risk management process must satisfy a minimum set of principles or characteristics, the guide notes. Under ISO 31000, an effective risk management activity:

Creates and protects organization value;

Is an integral part of organizational processes;

Is a key element of decision-making;

Explicitly addresses uncertainty;

Is systematic, structured, and timely;

Is based on the best available information; and

Is tailored to the organization, its size, culture, objectives, and risk profile.

ISO 31000's maturity model approach stems from a foundational assumption that the quality of an organization's risk management activity will improve over time. Adopting ISO 31000's maturity model approach, the guide says, can help CAEs assess where their organization's risk management process lies on this continuum and, by extension, enable the board to determine whether it meets the current needs of the organization and is maturing as expected.

Another practice guide newly published by the IIA, "Measuring Internal Audit Effectiveness and Efficiency," is grounded in the professional requirement that the effectiveness, efficiency, and level of customer service of the internal audit activity must be assessed and monitored vigorously. The 19-page guide describes how to establish performance measurement and monitoring processes and report the results effectively. The document contains extensive appendices, with material such as sample internal audit performance metrics, dashboard reports, and stakeholder feedback surveys.


Both guides are available to IIA members for free PDF download at: http://www.theiia.org/guidance/standards-and-guidance/.