
Auditing Risk Management – top tips and training insights
Rapid shifts in global risks make it more important than ever to understand and have confidence in your organisation’s risk management processes. Following his workshop at the Internal Audit Conference in 2024, Stephen Maycock explains why he will be leading a course on Auditing Risk Management in 2025 – and what attendees will gain from it.
The risk landscape continues to evolve, with shifts in geopolitics, escalating wars – for example, those in Ukraine and the Middle East – environmental concerns and rapidly changing technology. That is why it is essential to audit your organisation’s risk management processes regularly.
Furthermore, the increasing use of assurance mapping to establish reliable assurance sources and gaps makes it still more important for internal audit functions to have an up-to-date and deep understanding of their organisation’s risk management processes. Without full understanding, they cannot provide assurance to the board or identify opportunities for improvement.
Stephen Maycock presented a workshop at the Internal Audit Conference in October 2024 on this topic and will follow this up by leading a two-day training course in 2025. This will be aimed at people who have not audited the area before, or who want to refresh their knowledge and skills.
A crucial role
“Risk management has always been near the top of the agenda to my mind,” he says. “If organisations don’t manage their risks well, they are likely to experience greater levels of risk crystallisation and more significant impacts.”
Risk management has a crucial role to play in the global context of critical risks – from the rise in the number of devastating cyber-attacks, such as those that affected Transport for London, the NHS and Microsoft, to the scandals about abuse at Harrods and modern slavery at McDonald’s and in the supply chains of leading supermarkets.
“Risk management refers to a lot more than simply managing risks,” Maycock says. “It involves the whole framework of organisation-wide processes that are operated by first-line management to manage their risks. A good risk management framework will greatly improve the chance that risks will be managed well. Assurance from internal audit on this framework is therefore essential.”
He adds that the new Global Internal Audit Standards are clear that chief audit executives need a good understanding of the organisation’s risk management processes. The new Internal Audit Code of Practice also continues to include the requirement for internal audit to assess the adequacy and effectiveness of risk management.
“To achieve this, internal auditors will need strong knowledge of, and skills in, the methodologies for evaluating the adequacy and the effectiveness of the risk management processes,” he explains.
In addition, most boards must make an annual public statement about the effectiveness of their risk management processes. They will therefore value the assurance provided by internal audit on the effectiveness of these processes.
“Without this, how can board members sleep well at night?” Maycock asks.
Practical approaches
When it comes to practicalities, there are many different approaches to auditing risk management. The maturity of the risk management framework will be a key factor in determining the best approach. The course will aim to guide participants through the choices and when each might be appropriate.
During his conference session, Maycock emphasised the importance of focusing on the future. “Organisations should be constantly improving their risk management processes,” he explains. “Internal auditors have a key role to play as a catalyst for this continual improvement.”
Top tips
Maycock concluded his conference session with the following key tips for internal auditors:
- improve your knowledge of risk management and how to audit it;
- vary the audit approach based on the risk management maturity;
- consider providing advisory work when this approach would be more valuable;
- and focus on being a catalyst for continual improvement.
This advice will be explored in more detail in the two-day training course, which is aimed at all internal audit professionals involved in reviewing risk management. It will cover aspects from planning an audit to conducting it and concluding on the effectiveness of risk management in the organisation. On completion, attendees should be able to draw on a range of techniques and present the results of a risk management review in a meaningful way to help drive improvements.
Attendees will also receive 14 continuing professional education (CPE) points.
Visit our training course calendar to find this course and explore other training opportunities.