Audit of Risk Management
Annex 1 - Audit Criteria
Corporate Risk Profile
- EC has developed, approved, and made available its CRP.
- Organization’s risks are identified and adjusted through ongoing internal and external environmental scans and analysis.
- Current status of risk management approach and process within the organization is assessed and recognized in planning to manage organization-wide risks.
- The organization’s risk profile is identified – key corporate risk areas, stakeholders’ risk tolerance, ability and capacity to mitigate risk, and learning needs.
Establishing an Integrated Risk Management Function
- Management direction on risk management is communicated, understood, and applied – vision, policies, and operating principles.
- Integrated risk management is implemented through existing decision-making processes and reporting structures – governance, clear roles and responsibilities, and performance reporting.
- Capacity is built through the development of learning plans and tools so that risks are understood, managed, and communicated.
Practicing Integrated Risk Management
- A common risk management process is consistently applied at all levels so that risks are understood, managed, and communicated.
- Results of risk management practices at all levels are integrated into informed decision-making and priority setting – strategic, operational, management, and performance reporting.
- Tools and methods are applied as aids to decision making.
- Consultation and communication with stakeholders is ongoing – internal and external.