ABSTRACT

Risk management is the identification, analysis, and control of risks that can jeopardize the achievement of objectives. Risk management should also involve harnessing opportunities, since the inability to capitalize on positive events can also jeopardize, or at least limit, the organization's future success potential. Internal auditors should review management's plan to verify that risk management processes and activities are adequate, that risks are identified and managed effectively, and that status reports on key risks are produced. The ERM Framework states that governance and culture set the organization's tone, reinforcing the importance of oversight. Risk management is a process of working proactively with relevant stakeholders, both internal and external to the organization, to minimize negative outcomes and to maximize or capitalize on opportunities. Since the risk management function within the organization is part of the Second Line of Defense, internal auditors may audit this function, collaborate with it, and support its efforts to promote effective risk management within the entity.