
Norman Marks
This question speaks to the adequacy of risk management. For example:
- Is risk managed in silos or as an enterprise-wide program? For example, are there separate and independent functions to manage IT-related risk, currency risk, supply chain risk, investment risk, customer credit risk, etc.?
- Is risk reported in a consistent fashion based on its potential impact on organizational objectives? For example, is the risk of an IT-related issue measured in terms of ‘IT threats’ or the potential effect on revenue generation, collections, etc.?
- Do risk reports reflect current information, or is risk only managed every quarter – in other words, is the risk information current?
- Are all risks of significance to the decisions that have to be made monitored, measured, and managed?
- Are the right people involved in identifying, assessing, evaluating, and responding to risks? Are they the people responsible for performance in the area of the risk? Are they the best positioned to understand and respond?
- Does risk information flow to everybody who needs it?
- Is the risk management program effective and does it meet the needs of the organization (for example, has there been an internal audit of the risk management framework and process)?
Norman Marks, CPA, is vice president, governance, risk, and compliance for SAP's BusinessObjects division, and has been a chief audit executive of major global corporations for more than 15 years. He is the contributing editor to Internal Auditor’s “Governance Perspectives” column.
normanmarks.wordpress.com/