Risk Management Concepts Guide

A Framework for Identifying, Assessing and Managing Organizational Process Risks

In this tool, we’ve compiled guidelines that auditors can use to better understand and improve the organization’s risk management processes. This guide underscores the importance of an integrated risk management (ERM) approach that encompasses all strategic, operational, compliance and reporting risks. It outlines key components such as developing a risk management policy, integrating risk management into existing processes, clearly defining roles and responsibilities, and maintaining focused executive and board reporting. It also emphasizes building and driving a risk-aware culture, assigning clear accountability, and using consistent risk language and evaluation scales. The document details various risk management techniques such as avoiding, accepting, reducing and transferring risks, along with specific actions like divesting, prohibiting, self-insuring and outsourcing.

It also discusses the significance of monitoring and evaluating risk management outcomes through key metrics that align with strategic objectives, assessing the effectiveness of risk responses, and the overall creation of value within the organization's risk appetite. Risk prioritization is highlighted as a critical step, involving detailed scales that assess the likelihood, velocity and persistence of risks, ensuring that the most significant risks are identified and managed with priority. The guide also covers the design principles of ERM, which include a focus on all types of risks, a dual perspective on current and emerging risks, and the integration of risk management into critical management practices to enhance decision-making and value creation.

Risk management techniques covered in this guide include:

  • Avoid: Eliminate risk by preventing exposure to possible future events.
  • Accept: Maintain the risk at its current level.
  • Reduce: Implement policies and procedures to lower the risk to an acceptable level.
  • Transfer: Shift the risk to a financially capable, independent counterparty.