ABSTRACT

Risk concerns the effect of uncertainty on objectives. Audits must consider the significance of risks arising from the context of the host organization's business environment, and from the needs and expectations of interested parties. Audit teams must identify a representative sample of potentially significant inherent risks ('big rocks') for their audit work plan. This is done by estimating the significance of identified risks from their relative probabilities and consequences. A risk matrix is a common way of presenting the relative significance of each risk exposure. The number of risks ultimately sampled as part of the audit will depend, of course, on the audit intensity available to the lead auditor and their team. Quantitative methods are usually better suited to use by Health and Safety Executive (HSE) and risk managers within organizations charged with recording the significant risks and impacts, and prioritizing these for subsequent improvement.