Thu, Nov 16, 2017
By Sharise Cruz

Risk assessment helps identify and document critical business processes and the internal controls within each process. Combined with facilitated management meetings, this approach can help gain companywide consensus by including key process owners in risk and controls analysis.

Here, we’ll present instructions, a sample risk universe from which management can select the 15 most critical business processes (this can be customized for each business and industry), and a sample risk map explaining the concept of plotting risks according to importance to business/financial performance and likelihood of process/control weakness.

Risk Assessment Instructions


This step in a risk assessment helps you identify and document your critical business processes and the internal controls within each process. It also helps you rank and prioritize those processes. Combined with facilitated management meetings, this approach will help you gain companywide consensus by including key process owners throughout corporate processes.


This step aims to identify and prioritize those processes most critical to a business. To do this, identify what you feel are the 15 most critical processes to the business and rank them against predefined criteria (see below). Several other management team members will do this as well. Your list will be combined with those of your peers to create a companywide list and ranking for discussion purposes. The internal audit group will facilitate a group meeting to review and discuss the results and gain consensus on a final process list and ranking within the next two weeks. Over the coming months, the internal audit group will document the processes and controls for each critical process and opportunities for control enhancements.

Process Universe

Create a list of the primary business processes of the company. This will be your process universe and serve as a basis for selecting your 15 critical processes. Below is a starting point for your list.

Risk Maps

To rank the critical processes, rank each by 1) importance to business/financial performance and 2) likelihood of process/control weakness, and document your results in a risk map. A sample risk map and ranking are below.

Action Items (Estimated Completion Time = 30 Minutes)

  1. Identify the 15 most critical processes to the business.
  2. Plot each process in the risk map as per the instructions above.
  3. Deliver or email your completed results to Internal Audit/Risk Control Group/Finance.

Process Universe

The following is a sample list of the primary business processes that should be identified for prioritizing risk throughout the organization. (This list can be customized for different business lines and industries.)

Sales and Marketing

  • Contract Sales
    • Sales Ops Review
    • Finance Review
    • Legal Review
    • Engineering Review
    • Operations Review
  • Ad-Hoc Sales
  • Product Marketing
  • Product Development
  • Sales Commissions
  • Inventory Management

Human Resources

  • Hiring
    • Non-Standard Employee Agreements
  • Employee Benefits Management
  • Termination
  • Staffing Analysis (i.e., Manpower Levels)
  • Compensation Review
  • Workers Compensation Management/Claims Processing
  • Employee Annual Review
  • Training and Development
  • Employee Communication
    • Feedback
    • Survey
  • Employee Loans


  • Procurement
    • Manufacturing Quality
    • Vendor Management (competitive bidding and preferred suppliers)
  • Testing and Control
  • Health Assessments
  • Regulatory Compliance (OSHA)

Information Systems

  • IT Strategy/Planning
  • Systems Implementation and Integration
    • Project Management
    • Software Selection
    • Software Development
  • IT Systems Maintenance
    • Financial (JDE, ADP, CID, RMS)
    • HR (JDE HR)
    • CRM
    • Business (Paskey, IMS, Web, Paspro)
  • Network Administration
    • Security/Privacy
  • Business Continuity Planning
    • Disaster Recovery Planning
  • Information/Records Management
  • Help Desk

Finance and Accounting

  • Accounts Payable
  • Accounts Receivable/Billing
  • Capital Exp Approval
  • Non-Capital Purchasing
  • Fixed Assets
  • Budgeting and Forecasting
  • Closing the Books/Accounting
    • Account Reconciliation
    • Account Analysis
    • Accruals
  • Internal Reporting
  • External Reporting
  • Tax
  • Travel and Expense Reporting
  • Treasury
    • Debt/Financial Structure
    • Cash Management
    • FX/Derivatives/Hedging
    • Banking Relationships
    • Insurance
  • Credit and Collections
  • Payroll

Management and Board

  • Board/Committee Meetings
  • Executive/Management Team Meetings
  • Corporate Governance
    • Authority/Approval Matrix
    • Disclosure Controls Documentation Process

Customer Management

  • Technical Support
    • Problem Resolution and Tracking
  • Customer Service


  • Contract Approval
  • Litigation Management
  • Intellectual Property
  • Whistleblower

Corporate Development

  • Third-Party Alliances/Partnerships
  • Mergers and Acquisitions

Infrastructure and Other

  • Facilities Management
  • Physical Security
  • Physical Records Management
  • Corporate Communications
    • Investor Relations
    • Public Relations
  • Receiving
  • Distribution/Logistics
  • Telecommunications
  • Network Management

Sample List and Risk Map

The following tool on KnowledgeLeader contains a sample of 15 critical processes. Each process is mapped by importance to business/financial performance and likelihood of a process/control weakness.
