Auditing the Risk Management process
KH Spencer Pickett
This is the first volume in the new ‘Practical Auditor’ series co-branded with the Institute of Internal Auditors. Although it is written primarily as a tool for internal auditors, I found this book with its comprehensive referencing gave some interesting insights into the internal audit code for me as a non-auditor.
The author encourages the reader to work towards best practice by exploring regulatory requirements and examples of good practice. The book is organised thematically and considers models which may apply to the organisation at different stages in developing risk management in terms of risk maturity, enterprise-wide risk management, risk appetite and control risk self-assessment using a structured approach. The author then considers how the audit approach should be developed and warns against the development of risk management processes which become ends in themselves rather than management tools and can create ‘the illusion of perfection’.
The final chapter considers holistic enterprise risk management.
The nature of the book means that after initial reading it would be a useful ongoing reference volume. Whilst the content might be quite heavy for the complete beginner, it would be helpful to risk management staff at all levels, both in contributing to building a solid and coherent risk management framework and in giving a feel for the internal auditor’s expectations of the risk management process in the context of the internal audit code.
It is very readable, cross-refers to a wide range of other documents and directs the reader to source materials where appropriate. It covers the topic area comprehensively, and as you work through the book the author gradually builds up a tool for consideration in seeking to determine the risk appetite of an organisation.
As a risk manager in an organisation whose risk management and governance arrangements are regularly audited, I am keen to explore any publication offering insights into best practice and found this particular volume very worthwhile in that respect.
The book builds a progressive model of a risk management framework set firmly within the legislative/statutory context – it considers the auditor role, separating this very clearly from that of the risk manager whilst exploring how these roles evolve with the risk maturity of the organisation.
The final 40 pages (Appendix A) provide a useful ERM diagnostic tool which could be used for self-audit in assessing progress towards the situation where risk management is seen as a core management activity for the organisation.
Overall I would recommend Auditing the Risk Management Process as a useful addition to the bookshelf of any risk manager, and it will certainly be added to both my personal and office libraries. By coincidence, during the period when I was preparing this review, my own Head of Internal Audit had quite separately purchased an office copy.
Sheila Boyce FIRM, Head of Risk Management, Metropolitan Housing Partnership,