MindGrove - the Audit and Risk Specialists

Risk and Enterprise Risk Management – Review and Audit

Risk-based auditing includes the review of risk management systems, and this is new territory for many auditors.

This course introduces delegates to the vital concepts of risk and enterprise risk management thinking, using a unique and practical format that has evolved from working with advanced and leading-edge risk management systems.

 

Suitability and duration

Suitability: Intermediate - Advanced

Duration: 2 days

 

Who should attend

Those who need to extend their knowledge and activities into Risk and Enterprise Risk Management. A life-like case study will span the most important elements of the main section of this training course, allowing delegates to learn by example.

 

Benefits

Skills

After completion of this course, you will be able to:

  • Describe the relationship between Risk and Enterprise Risk Management and the Auditor
  • Use the correct terminology when discussing and reviewing Risk and Enterprise Risk Management systems
  • Understand how your organisation should design, build and deploy an effective Risk Management system
  • Evaluate the effectiveness, soundness and capability of a Risk or Enterprise Risk Management system implementation
  • Undertake an effective audit or review of a Risk or Enterprise Risk Management system

 

Support materials

This course is accompanied by a detailed manual that contains briefings, examples and reference materials, including an extensive work-programme to review risk and enterprise risk management systems.

 

Programme

Risk and enterprise risk management and the internal auditor

  • Risk and Enterprise Risk Management (RM and ERM)
  • Internal Auditors and Risk Managers – the relationship
  • The IIA position statement on RM and ERM

 

Risk management at large

  • COSO frameworks and the COSO ERM
  • Core definitions and terminology that span RM and ERM systems
  • A swift résumé of risk assessment methods
  • Risk appetite, reasonable assurance and the limitations of RM and ERM systems

 

Building out a risk management system – how it's done

  • The RM/ERM architect – the role
  • Establishing the organisation’s context and objectives
  • Mapping objectives and linking them to core processes
  • Evaluating risks that endanger the objectives
  • Factoring in risk appetite and priorities
  • Envisioning possible control strategies
  • Choosing the optimum strategies
  • Deciding on metrics for monitoring and reporting results
  • Setting tolerances and thresholds
  • Multi-level expansion of strategies into component elements
  • Integration of risk mitigating activities within the structure
  • Maintenance of completed structures

 

Auditing and reviewing RM and ERM systems

  • Demonstrating capability – reviewing the approach and architectural method – top-down analysis vs. ad-hoc structures
  • Demonstrating operational effectiveness – use of metrics, monitoring, thresholds and tolerances
  • Demonstrating integration and connectivity – the “occurs once only” rule and the notion of reverse engineering
  • Demonstrating accountability – establishment of process ownership and risk ownership
  • Demonstrating currency – continuous improvement in risk management systems – the OECD model
  • Demonstrating integrity – validity of structure – no open-endedness
  • Demonstrating inclusiveness – meeting the statement of applicability and scope
  • The suggested audit approach and detailed audit programme for reviewing RM and ERM systems

 

 

© 2012 MindGrove Ltd. All rights reserved