risk-based internal audit


  • [16] Older textbooks distinguish between the terms risk analysis and risk evaluation; a risk analysis includes four steps,[1] the first of which is to establish the
    context, which restricts the range of hazards to be considered.

  • It contains: risks, potential responses, root causes of risks, and risk categories and ranking. A risk register (PRINCE2) is a document used as a risk management tool
    and to fulfil regulatory compliance, acting as a repository[1] for all identified risks; it includes additional information[1] about each risk, e.g. the nature of the risk, its reference and owner, and mitigation measures.

  • Consequences: the impact of the risk event (I). In risk-based internal auditing, two types of risk are considered.

  • When risk analysis and risk evaluation are made at the same time, it is called risk assessment.

  • When risk assessment is used for public health or environmental decisions, the loss can be quantified in a common metric such as a country’s currency or some numerical measure
    of a location’s quality of life.

  • Risk-based internal audit (RBIA) is an internal methodology which is primarily focused on the inherent risk involved in the activities or system and provides assurance
    that risk is being managed by management within the defined risk appetite level.

  • To see the risk management process expressed mathematically, one can define total risk as the sum over individual risks, , which can be computed as the product of potential
    losses, , and their probabilities, : Even though for some risks , we might have , if the probability is small compared to , its estimation might be based only on a smaller number of prior events, and hence, more uncertain.

  • Population risks are of more use for cost/benefit analysis; individual risks are of more use for evaluating whether risks to individuals are “acceptable”.

  • Risk assessment is an inherent part of a broader risk management strategy to help reduce any potential risk-related consequences.

  • [4] The process of risk assessment may be somewhat informal at the individual social level, assessing economic and household risks,[17][18] or a sophisticated process at the
    strategic corporate level.

  • A common error in risk assessment and management is to underestimate the wildness of risk, assuming risk to be mild when in fact it is wild, which must be avoided if risk
    assessment and management are to be valid and reliable, according to Mandelbrot.

  • A typical risk register contains: a risk category to group similar risks; the risk breakdown structure identification number; a brief description or name of the risk to
    make it easy to discuss; the impact (or consequence) if the event actually occurs, rated on an integer scale; the probability or likelihood of its occurrence, rated on an integer scale; and the Risk Score[1] (or Risk Rating),
    which is the product of probability and impact and is often used to rank the risks.

  • [6] Risk assessment allows an entity to understand the possibility and impact of a risk event.

  • Contingency: the budget allocated to the contingent response. Trigger: an event that itself results in the risk event occurring (for example, the risk event might be
    “flooding” and “heavy rainfall” the trigger). Although risk registers are commonly used tools, not only in projects and programs but also in companies, research has found that they can lead to dysfunctions; for instance, Toyota’s risk register
    listed reputation risks caused by Prius malfunctions, but the company failed to take action.

  • Dynamic risk assessment: during an emergency response, the situation and hazards are often inherently less predictable than for planned activities (non-linear).

  • [1][2] More precisely, risk assessment identifies and analyses potential (future) events that may negatively impact individuals, assets, and/or the environment (i.e.

  • Methods for assessment of risk may differ between industries and whether it pertains to general financial decisions or environmental, ecological, or public health risk assessment.

  • [19]: 10 At the strategic corporate level, management involved with the project produces project-level risk assessments with the assistance of the available expertise as part
    of the planning process and sets up systems to ensure that the actions required to manage the assessed risk are in place.

  • ISO 31000:2009 does not use the term risk register; however, it does state that risks need to be documented.

  • Some charge that assessments may drop out important non-quantifiable or inaccessible information, such as variations among the classes of people exposed to hazards, or social

  • It provides the threshold of acceptable risk, and determining the risk appetite is a continuous process; it cannot be set once and left.

  • A risk evaluation means that judgements are made on the tolerability of the identified risks, leading to risk acceptance.

  • [1] Sometimes risks can be deemed acceptable, meaning the risk “is understood and tolerated … usually because the cost or difficulty of implementing an effective countermeasure
    for the associated vulnerability exceeds the expectation of loss.”

  • [19] Dynamic risk assessment is the final stage of an integrated safety management system that can provide an appropriate response during changing circumstances.

  • It also makes judgments “on the tolerability of the risk on the basis of a risk analysis” while considering influencing factors (i.e.

  • [10] Mild versus wild risk: Benoit Mandelbrot distinguished between “mild” and “wild” risk and argued that risk assessment and risk management must be fundamentally
    different for the two types of risk.

  • In that case, the “risk” is expressed as If the risk estimate takes into account information on the number of individuals exposed, it is termed a “population risk” and is
    in units of expected increased cases per time period.

  • At the dynamic level, the personnel directly involved may be required to deal with unforeseen problems in real time.

  • Inherent risk: the risk that exists in the absence of any action, control or modification of an event.

  • In these cases, ongoing risk assessment by the involved personnel can advise appropriate action to reduce risk.

  • At the individual level, identifying objectives and risks, weighing their importance, and creating plans, may be all that is necessary.

  • [3] Systems risk assessment: risk assessment can also be made on a much larger systems-theory scale, for example assessing the risks of an ecosystem or an interactively
    complex mechanical, electronic, nuclear, or biological system, or a hurricane (a complex meteorological and geographical system).

  • [1][2] Individual risk assessment: risk assessments can be done in individual cases, including in patient and physician interactions.

  • [19] HM Fire Services Inspectorate has defined dynamic risk assessment (DRA) as: “The continuous assessment of risk in the rapidly changing circumstances of an operational
    incident, in order to implement the control measures necessary to ensure an acceptable level of safety.”

  • It uses two perspectives: likelihood, the probability of the risk event (P), and consequences, the impact of the risk event (I). Risk assessment determines possible mishaps,
    their likelihood and consequences, and the tolerances for such events.

  • RBIA allows internal audit to provide assurance to the board that risk management processes are managing risks effectively, in relation to the risk appetite.

  • However, in both cases, the ability to anticipate future events and create effective strategies for mitigating them when deemed unacceptable is vital.

  • [3] In the narrow sense, chemical risk assessment is the assessment of a health risk in response to environmental exposures.

  • On the other hand, since , must be larger than , so decisions based on this uncertainty would be more consequential, and hence, warrant a different approach.


Works Cited

1. Risk based internal auditing
2. An approach to implementing Risk Based Internal Auditing
3. Project Management Institute 2021, §4.6.2 Logs and Registers.
4. “ISO Guide 73:2009”. ISO.
5. “Risk management standards”. www.iso.org. Retrieved
6. Drummond, Helga. “MIS and illusions of control: an analysis of the risks of risk management”. Journal of Information Technology (2011) 26, 259–267. doi:10.1057/jit.2011.9
7. Lyytinen, Kalle. “MIS: the urge to control and the control of illusions – towards a dialectic”. Journal of Information Technology (2011) 26, 268–270 (December 2011). doi:10.1057/jit.2011.12
8. Budzier, Alexander. “The risk of risk registers – managing risk is managing discourse not tools”. Journal of Information Technology (2011) 26, 274–276 (December 2011). doi:10.1057/jit.2011.13
9. Rausand M (2013). “Chapter 1: Introduction”. Risk Assessment: Theory, Methods, and Applications. John Wiley & Sons. pp. 1–28. ISBN 9780470637647.
10. Manuele FA (2016). “Chapter 1: Risk Assessments: Their Significance and the Role of the Safety Professional”. In Popov G, Lyon BK, Hollcraft B (eds.). Risk Assessment: A Practical Guide to Assessing Operational Risks. John Wiley & Sons. pp. 1–22. ISBN 9781118911044.
11. Levi R (1 June 2018). “Getting Real About Both Benefits and Risks”. Science & Practice, English Special 2018. Swedish Agency of Health Technology Assessment and Assessment of Social Services. ISSN 1104-1250. Retrieved 2018-06-14.
12. Varshavsky JR, Rayasam SD, Sass JB, Axelrad DA, Cranor CF, Hattis D, et al. (January 2023). “Current practice and recommendations for advancing how human variability and susceptibility are considered in chemical risk assessment”. Environmental Health. 21 (Suppl 1): 133. doi:10.1186/s12940-022-00940-1. PMC 9835253. PMID 36635753.
13. Hoffmann TC, Del Mar C (February 2015). “Patients’ expectations of the benefits and harms of treatments, screening, and tests: a systematic review” (PDF). JAMA Internal Medicine. 175 (2): 274–86. doi:10.1001/jamainternmed.2014.6016. PMID 25531451.
14. Stacey D, Légaré F, Lewis K, Barry MJ, Bennett CL, Eden KB, et al. (April 2017). “Decision aids for people facing health treatment or screening decisions”. The Cochrane Database of Systematic Reviews. 2017 (4): CD001431. doi:10.1002/14651858.CD001431.pub5. PMC 6478132. PMID 28402085.
15. Rausand M (2013). “Chapter 6: Accident Models”. Risk Assessment: Theory, Methods, and Applications. John Wiley & Sons. pp. 137–76. ISBN 9780470637647.
16. Vamanu BI, Gheorghe AV, Kaina PF (2016). Critical Infrastructures: Risk and Vulnerability Assessment in Transportation of Dangerous Goods: Transportation by Road and Rail. Springer. p. 11. ISBN 9783319309316.
17. Lacey P (2011). “An Application of Fault Tree Analysis to the Identification and Management of Risks in Government Funded Human Service Delivery”. Proceedings of the 2nd International Conference on Public Policy and Social Sciences. SSRN 2171117.
18. Shirey R (August 2007). “Internet Security Glossary, Version 2”. Network Working Group. The IETF Trust: 9. Retrieved 19 July 2018.
19. Mandelbrot B, Hudson RL (2008). The (mis)Behaviour of Markets: A Fractal View of Risk, Ruin and Reward. London: Profile Books. ISBN 9781846682629.
20. Kasperson RE, Renn O, Slovic P, Brown HS, Emel J, Goble R, Kasperson JX, Ratick S (1988). “The social amplification of risk: A conceptual framework” (PDF). Risk Analysis. 8 (2): 177–187. doi:10.1111/j.1539-6924.1988.tb01168.x.
21. Commoner B. “Comparing apples to oranges: Risk of cost/benefit analysis”. In Iannone AP (ed.). Contemporary moral controversies in technology. pp. 64–65.
22. O’Brien M (2002). Making better environmental decisions: an alternative to risk assessment. Cambridge, Massachusetts: MIT Press. ISBN 0-262-65053-3. Retrieved 27 September 2010.
23. Shrader-Frechette K, Westra L (October 1997). Technology and Values. Lanham, Md.: Rowman & Littlefield Publishers. ISBN 978-1-4616-4399-9.
24. Taleb NN (September 2008). The fourth quadrant: a map of the limits of statistics (PDF). An Edge original essay (Report).
25. Holzmann R, Jørgensen S (2001). “Social Risk Management: A New Conceptual Framework for Social Protection, and Beyond”. International Tax and Public Finance. 8 (4): 529–56. doi:10.1023/A:1011247814590. S2CID 14180040.
26. Nakaš N (21 November 2017). “Three Lessons About Risk Management from Everyday Life”. Knowledge Hub. Center of Excellence in Finance. Retrieved 19 July 2018.
27. Lock G (June 2017). Phillips M (ed.). “Public Safety Diving-Dynamic Risk Assessment” (PDF). PS Diver Magazine (116): 9. Retrieved 20 June 2017.
28. “Risk Assessment and Regulation Information from the NLM”. National Library of Medicine. Retrieved 9 June 2013.
29. “Databases on toxicology, hazardous chemicals, environmental health, and toxic releases”. TOXNET. NLM. May 2012. Retrieved 9 June 2013.
30. “Household Products Database”. U.S. Dept. of Health & Human Services. January 2013. Retrieved 9 June 2013.
31. “Risk Assessment Portal”. EPA. 13 May 2013. Retrieved 9 June 2013.
32. EPA Alumni Association: Senior EPA officials discuss early implementation of the Safe Drinking Water Act of 1974, Video, Transcript (see pages 11, 14).
33. “Risk Assessment”. www.epa.gov. US Environmental Protection Agency. 2013-09-26. Retrieved 2016-04-07.
34. Szabo DT, Loccisano AE (March 30, 2012). “POPs and Human Health Risk Assessment”. Dioxins and Persistent Organic Pollutants (3rd ed.). pp. 579–618. doi:10.1002/9781118184141.ch19. ISBN 9781118184141.
35. Nielsen GH, Heiger-Bernays WJ, Levy JI, White RF, Axelrad DA, Lam J, et al. (January 2023). “Application of probabilistic methods to address variability and uncertainty in estimating risks for non-cancer health effects”. Environmental Health. 21 (Suppl 1): 129. doi:10.1186/s12940-022-00918-z. PMC 9835218. PMID 36635712.
36. Shirey R (August 2007). Internet Security Glossary, Version 2. Network Working Group. doi:10.17487/RFC4949. RFC 4949. Informational.
37. Hunter PR, Fewtrell L (2001). “Acceptable Risk” (PDF). World Health Organization.
38. Merrill RA (1997). “Food safety regulation: reforming the Delaney Clause”. Annual Review of Public Health. 18: 313–40. doi:10.1146/annurev.publhealth.18.1.313. PMID 9143722. This source includes a useful historical survey of prior food safety regulation.
39. Current intelligence bulletin 69: NIOSH practices in occupational risk assessment (Report). 2020-02-01. doi:10.26616/nioshpub2020106.
40. “OSHA’s 5 Workplace Hazards”. Grainger Industrial Supply.
41. Waters M, McKernan L, Maier A, Jayjock M, Schaeffer V, Brosseau L (2015-11-25). “Exposure Estimation and Interpretation of Occupational Risk: Enhanced Information for the Occupational Risk Manager”. Journal of Occupational and Environmental Hygiene. 12 (Suppl 1): S99–111. doi:10.1080/15459624.2015.1084421. PMC 4685553. PMID 26302336.
42. UNDRR (2019). Global Assessment Report on Disaster Risk Reduction. Geneva: UNDRR. p. 472. ISBN 978-92-1-004180-5. Retrieved 22 June 2020.
43. Tiepolo M (2019). “Flood Assessment for Risk-Informed Planning along the Sirba River, Niger”. Sustainability. 11 (4003). doi:10.3390/w11051018.
44. Massazza G (2019). “Flood Hazard Scenarios of the Sirba River (Niger): Evaluation of the Hazard Thresholds and Flooding Areas”. Water. 11 (5): 1018. doi:10.3390/w11051018.
45. Tiepolo M (2018). “Multihazard Risk Assessment for Planning with Climate in the Dosso Region, Niger”. Climate. 6 (67): 67. Bibcode:2018Clim….6…67T.
46. International Organization for Standardization (8 November 2017). “ISO Guide 73: 2009. Risk management – Vocabulary”. ISO. Retrieved 22 June 2020.
47. Tarchiani V (2020). “Community and Impact Based Early Warning System for Flood Risk Preparedness: The Experience of the Sirba River in Niger”. Sustainability. 12 (2196). doi:10.3390/su12062196.
48. Managing Project Risks – Retrieved May 20th, 2010
49. Spring J, Kern S, Summers A (2015-05-01). “Global adversarial capability modeling”. 2015 APWG Symposium on Electronic Crime Research (eCrime). pp. 1–21. doi:10.1109/ECRIME.2015.7120797. ISBN 978-1-4799-8909-6. S2CID 24580989.
50. “Risk assessment”. NIST Computer Security Resource Center Glossary. National Institute of Standards and Technology (NIST).
51. Canadian Centre for Cyber Security (2018-08-15). “Canadian Centre for Cyber Security”. Canadian Centre for Cyber Security. Retrieved 2021-08-09.
52. Baingo D (2021). “Threat Risk Assessment (TRA) for Physical Security”. In Masys AJ (ed.). Sensemaking for Security. Advanced Sciences and Technologies for Security Applications. Cham: Springer International Publishing. pp. 243–270. doi:10.1007/978-3-030-71998-2_14. ISBN 978-3-030-71998-2. S2CID 236706551.
53. “An Overview of Threat and Risk Assessment | SANS Institute”. www.sans.org. Retrieved 2021-08-09.
54. Treasury Board of Canada Secretariat (2006-03-06). “Rescinded [2019-06-28] – Security Organization and Administration Standard”. www.tbs-sct.gc.ca. Retrieved 2021-08-09.
55. “ISM CODE – Amendments from 1st July 2010 Risk Assessment”. Archived from the original on 27 April 2014.
56. “Diving Regulations 2009”. Occupational Health and Safety Act 85 of 1993 – Regulations and Notices – Government Notice R41. Pretoria: Government Printer. Archived from the original on 4 November 2016. Retrieved 3 November 2016 – via Southern African Legal Information Institute.
57. Staff (August 2016). “15 – General safety requirements”. Guidance for diving supervisors IMCA D 022 (Revision 1 ed.). London, UK: International Marine Contractors Association. pp. 15–5.
58. Staff (1977). “The Diving at Work Regulations 1997”. Statutory Instruments 1997 No. 2776 Health and Safety. Kew, Richmond, Surrey: Her Majesty’s Stationery Office (HMSO). Retrieved 6 November 2016.
59. Gurr K (August 2008). “13: Operational Safety”. In Mount T, Dituri J (eds.). Exploration and Mixed Gas Diving Encyclopedia (1st ed.). Miami Shores, Florida: International Association of Nitrox Divers. pp. 165–180. ISBN 978-0-915539-10-9.
60. “2018 Accreditation Rubric” (PDF). Seattle, Washington: Northwest Association of Independent Schools.
61. “Adventure Activities Regulations”.
62. “Health and Safety at Work (Adventure Activities) Regulations 2016 (LI 2016/19)”. New Zealand Legislation.
63. “Adventure Activities Licensing”. The Health and Safety Executive (HSE). gov.uk.
64. “Adventure activities”. Work Safe. New Zealand.
65. Dallat C, Salmon PM, Goode N (2015). “All about the Teacher, the Rain and the Backpack: The Lack of a Systems Approach to Risk Assessment in School Outdoor Education Programs”. Procedia Manufacturing. 3: 1157–1164. doi:10.1016/j.promfg.2015.07.193.
66. Baierlein J (2019). Risk Management for Outdoor Programs: a Guide to Safety in Outdoor Education, Recreation and Adventure. Seattle, WA: Viristar LLC.
67. Goussen B, Price OR, Rendal C, Ashauer R (October 2016). “Integrated presentation of ecological risk from multiple stressors”. Scientific Reports. 6: 36004. Bibcode:2016NatSR…636004G. doi:10.1038/srep36004. PMC 5080554. PMID 27782171.
68. Jager T, Heugens EH, Kooijman SA (April 2006). “Making sense of ecotoxicological test results: towards application of process-based models”. Ecotoxicology. 15 (3): 305–14. CiteSeerX doi:10.1007/s10646-006-0060-x. PMID 16739032. S2CID 18825042.
69. Goussen B, Rendal C, Sheffield D, Butler E, Price OR, Ashauer R (December 2020). “Bioenergetics modelling to analyse and predict the joint effects of multiple stressors: Meta-analysis and model corroboration”. The Science of the Total Environment. 749: 141509. arXiv:2102.13107. Bibcode:2020ScTEn.749n1509G. doi:10.1016/j.scitotenv.2020.141509. PMID 32827825.
70. Landis WG (2005). Regional scale ecological risk assessment: using the relative risk model. Boca Raton, FL: CRC Press. ISBN 1-56670-655-6. OCLC 74274833.
71. Lackey R (1997). “If ecological risk assessment is the answer, what is the question”. Human and Ecological Risk Assessment. 3 (6): 921–928. doi:10.1080/10807039709383735.
72. Nicholson E, Regan TJ, Auld TD, Burns EL, Chisholm LA, English V, et al. (2015). “Towards consistency, rigour and compatibility of risk assessments for ecosystems and ecological communities”. Austral Ecology. 40 (4): 347–363. doi:10.1111/aec.12148. hdl:1885/66771. ISSN 1442-9985. S2CID 82412136.
73. Keith DA, Rodríguez JP, Brooks TM, Burgman MA, Barrow EG, Bland L, et al. (2015). “The IUCN Red List of Ecosystems: Motivations, Challenges, and Applications”. Conservation Letters. 8 (3): 214–226. doi:10.1111/conl.12167. ISSN 1755-263X.
74. Brooks TM, Butchart SH, Cox NA, Heath M, Hilton-Taylor C, Hoffmann M, et al. (2015). “Harnessing biodiversity and conservation knowledge products to track the Aichi Targets and Sustainable Development Goals”. Biodiversity. 16 (2–3): 157–174. doi:10.1080/14888386.2015.1075903. ISSN 1488-8386.
75. “What is Risk Assessment”. Bureau of Justice Assistance. U.S. Department of Justice.
76. Monahan J, Skeem JL (2016). “Risk Assessment in Criminal Sentencing”. Annual Review of Clinical Psychology. 12: 489–513. doi:10.1146/annurev-clinpsy-021815-092945. PMID 26666966.
77. Heilbrun K (2009). “Risk Assessment in Evidence-Based Sentencing: Context and Promising Uses”. Chapman Journal of Criminal Justice. 1: 127–142.
78. “Advancing Pretrial Policy & Research: What is the PSA?”. Advancing Pretrial Policy and Research (APPR).
79. “How the PSA Works”. Advancing Pretrial Policy and Research (APPR).

Photo credit: https://www.flickr.com/photos/mitho/7502389724/