
The 20 Critical Questions Series - What Directors Should Ask about Risk Management
11/04/2025
Is the Board of Directors of your organization asking the right questions about Risk Management? Thanks to the Institute of Internal Auditors - Australia, you can download this document, which includes many very pertinent questions on the topic of risk management.
The document has been updated in 2025 to reflect the ‘Global Internal Audit Standards’ published in 2024.
The 20 critical questions follow below:
THE 20 CRITICAL QUESTIONS SERIES - WHAT DIRECTORS SHOULD ASK ABOUT RISK MANAGEMENT
RISK MANAGEMENT FOUNDATIONS
- Does the organisation have:
  - A risk management framework aligned to an appropriate standard such as:
    - ISO 31000:2018 ‘Risk management – Guidelines’ (https://www.iso.org/standard/65694.html#:~:text=ISO%2031000%20is%20an%20international,communicating%20risks%20across%20an%20organization.) OR
    - ‘COSO Enterprise Risk Management (ERM) Integrated Framework 2017’ (https://www.coso.org/erm-framework)
  - A defined risk appetite, ideally encapsulated in a risk appetite statement? AND
- Are these endorsed by the audit or risk committee and approved by the governing authority?
- Is there:
  - A charter or terms of reference for the risk management activity
  - A risk management policy that assigns primary responsibility for risk management to operational managers? AND
- Are these endorsed by the audit committee or risk committee and approved by the governing authority?
- Is there a risk management activity effectively positioned within the organisation in Line 2 that is independent of business operations?
- Are there approved critical success factors or performance measures (KPIs) for the risk management activity?
- Is there a specified person in the organisation, such as a chief risk officer, responsible for providing risk management expertise and co-ordinating risk activities?
  - Does this person have appropriate risk management qualifications?
- Does the risk management activity comprise skilled and suitably qualified specialists rather than generalists?
- Is there a network of risk co-ordinators in business units across the organisation that provide a conduit between the risk management function and each business unit (this will generally be a small part of a person’s role)?
- Is the organisation conforming with its chosen risk management standard?
- Is the organisation consistently applying the approved risk management process across the organisation?
  - Does this include risk assessments performed by external consultants and contracted project managers?
  - Does this extend to subsidiaries, controlled and associated organisations?
- Is there an awareness program to assure people inside and outside the organisation know their risk management obligations, including in relation to risk appetite? Is this reflected:
  - Internally – job descriptions / performance measures / etc.
  - Externally – tenders / contracts, etc.?
- Is risk management integrated with organisation activities including:
  - Strategic planning
  - Operational business planning
  - Project planning
  - Ongoing operations
  - Performance measurement
  - Performance reporting?
- Does the risk management and risk reporting process ensure risk appetite is a key focus of decision-making at all levels of the organisation?
- Does the approach to risk management include various approaches to management of risk:
  - Avoid – do not do it
  - Control – change likelihood / change consequence if possible
  - Share – insurance / partnership
  - Retain – accept?
- Is there an annual risk management review plan, approved by the audit committee or risk committee, that aims to assure (a) risk management obligations regarding risk appetite are met and (b) there is continuous focus on enhancing risk management capability and effectiveness?
RISK ASSESSMENT
- Has a strategic high-level risk assessment been conducted for the organisation?
  - Has this been encapsulated in a manageable number of strategic risks that are regularly monitored by:
    - Management
    - Audit or risk committee
    - Governing authority in the execution of corporate strategy?
- Have business unit risk assessments been conducted where appropriate?
  - Have these been encapsulated in manageable business unit records that are used by management to manage and monitor operations?
- Are risk assessments conducted for major programs / projects / business initiatives to identify uncertainties and their implications, whether they be good or bad?
  - Are these encapsulated in manageable project documents used by management / audit committee or risk committee / governing authority to oversee delivery of programs, projects, and business initiatives?
- Are proposed responses to risk recorded / allocated to appropriate management for implementation / regularly followed up?
RISK REGISTERS
- Is management of identified risks contained in risk registers assigned to specific managers?
  - Are there documented timelines for completion?
  - Are there regular reports to management / audit committee or risk committee / governing authority on progress of risk remediation activities?
  - Are hard questions asked, and management held to account, when risk remediation is not completed in a timely way?
- Are records of risks regularly reviewed and updated to reflect changes to risk severity? Does this include records for:
  - Strategic
  - Business operations
  - Programs / projects / business initiatives?
REVIEW
- Is there a process to ensure the risk management policy and framework are periodically reviewed and kept up to date?
  - Does this include regular review of the approved risk appetite?
  - Are results reported to executive management / the audit committee or risk committee?
- Are risk management results regularly reported to executive management / audit committee or risk committee / governing authority?
  - Does this include executive management sign-off each year that the organisation is adequately managing risks?
  - Is there a risk management annual report that contains performance measure results and an attestation statement from the chief risk officer?
- Is there periodic independent review of risk management, for example by internal audit, that is reported to management / the audit committee or risk committee?
THE BIG QUESTION
- How does management / audit committee or risk committee / governing authority clearly know the organisation has identified and is effectively managing its risks in a timely way?