What is Risk Management?
Internal Audit has learnt through much experience that an audit approach must be flexible. The methodology used should take into consideration the needs of the individual client and the University environment and culture. Within this context Internal Audit expanded its risk management approach to auditing.
Risk management allows a consultative approach that can focus on the higher risk areas thus giving maximum value.
What is Risk?
Risk arises out of uncertainty, from either internal or external sources. As a result of pursuing or not pursuing a particular course of action, there is the possibility of economic/financial loss or gain, physical damage, injury or delay.
"Risk" is defined as the chance of something happening that will have an adverse impact upon the achievement of objectives. There will always be some risk involved in anything we chose to do. The choice is between the actions we dare to take, given the level of risk we will accept and the level we will attempt to treat.
Risk has two key elements:
- the likelihood of something happening; and
- the consequences if it happens.
The level of risk is the relationship between the likelihood of something happening and the consequences if it does. Action taken to address the level of risk must address the likelihood of the event occurring, or the consequences if it does occur, or both.
Main Elements of Risk Management
1. Establish the Context
2. Risk Identification
What are the risks associated with:
- key services?
- Impact of legislation?
- critical success factors?
3. Risk Analysis/Assessment
- Is the combination of likelihood and consequences (will range from minor to major).
- What are the existing controls? Are they adequate?
- Likelihood and consequences with existing controls in place. (Level of risk is mitigated by internal controls and systems).
- Use experience, judgement and intuition for the qualitative review.
4. Risk Treatment
Where identified high risks are not mitigated by good internal controls and systems these areas will be the major focus of the audit review and subsequent recommendations.
5. Monitoring and Review
All audit recommendations are monitored and are subject to follow up audits. Progress reports must be submitted to audit as recommendations are implemented.