The purpose of a risk audit is to test the systems in place to manage risk and report deficiencies to ensure remedial actions are taken. Identified deficiencies will usually indicate systemic weakness and require remediation of the system, not just the symptoms.
Initiated Risk Review - Business Processes
Business and risk are both dynamic in nature and may change suddenly, or over an extended period of time. Risk management processes are most effective when embedded within business processes to ensure the management of risk is fluid and capable of evolving in sync with the organisation as it grows, develops and adapts to its business environment.
Periodic review of risks and risk strategies is particularly important when organisational changes are planned or external changes are detected in the operating environment. Mechanisms for risk review built into business and strategic planning and change management processes will provide assurance that risk management processes will be initiated within these contexts.
Initiated Risk Review - Post Event
Realisation of a risk in the form of an incident, accident or success provides an opportunity to review risks and risk treatments. Such a review provides vital insight into how risk management processes can be improved or success built upon. Focus on the causes of failure or success will provide important input into enhancing the risk management system moving forward.
Performance measurement
Risk management performance measures are most effective when developed as part of existing organisational planning processes. When incorporated into business plans, they reflect the relative importance of risk management efforts and align with risk management priorities.
Actual progress against risk treatment plans provides an important performance measure and is most effective when incorporated into the key performance indicators (KPIs) of the organisation and its associated measurement and reporting system.