Audit of Risk Management


Annex 1 - Audit Criteria

Corporate Risk Profile

  • EC has developed, approved, and made available its CRP.
  • The organization’s risks are identified and adjusted through ongoing internal and external environmental scans and analysis.
  • Current status of risk management approach and process within the organization is assessed and recognized in planning to manage organization-wide risks.
  • The organization’s risk profile is identified – key corporate risk areas, stakeholders’ risk tolerance, ability and capacity to mitigate risk, and learning needs.

Establishing an Integrated Risk Management Function

  • Management direction on risk management is communicated, understood, and applied – vision, policies, and operating principles.
  • Integrated risk management is implemented through existing decision-making processes and reporting structures – governance, clear roles and responsibilities, and performance reporting.
  • Capacity is built through the development of learning plans and tools so that risks are understood, managed, and communicated.

Practicing Integrated Risk Management

  • A common risk management process is consistently applied at all levels so that risks are understood, managed, and communicated.
  • Results of risk management practices at all levels are integrated into informed decision-making and priority setting – strategic, operational, management, and performance reporting.
  • Tools and methods are applied as aids to decision making.
  • Consultation and communication with stakeholders is ongoing – internal and external.
