
Auditing Checklists

Establishing a Framework for Assessing Risk

Checklist Description

This checklist outlines why and how a business institutes a framework for identifying and assessing risks, and for assigning responsibility for responding to them, across the organization.

Definition

Instituting a framework for identifying risks (or opportunities), assessing their probability and impact, and determining which controls should be in place can be critical to achieving the company’s business objectives. Identifying risks and addressing them before they materialize lets a business defend its objectives rather than react after the damage is done. Debt rating agencies and regulators are also increasingly stipulating that companies institute risk-identification frameworks.

Enterprise Risk Management (ERM) is the name given to the structures, methods, and procedures an organization uses to identify, assess, and respond to risk. Setting up and monitoring ERM is typically the job of management, carried out as part of its internal control activities: reviewing analytical reports, for example, or holding management committee meetings with relevant experts to confirm that the risk-response strategy is working and that the objectives are still being achieved.

Once the risks have been identified and assessed, management chooses a risk-response approach for each one. The options are:

  • Avoid: Exit the activity that gives rise to the risk.

  • Reduce: Put controls in place that lessen the risk’s probability or its impact.

  • Share: Transfer part of the risk to another party, for example through insurance, hedging, or outsourcing.

  • Accept: Take no action, because a cost–benefit analysis shows that a control would cost more than the loss it prevents.

Whichever response is chosen, some residual risk remains; it should be recorded in the risk register and monitored so that a change in probability or impact triggers a fresh assessment.
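The four responses above, applied to a constructed risk register as an added example. This is not code from the original checklist or from any ERM framework; the risk names, figures, and the risk-tolerance threshold are all assumptions chosen for illustration. It ranks risks by expected loss (probability × impact), then picks a response with a simple cost–benefit rule: accept what falls within tolerance, reduce where a control pays for itself, share what can be transferred, and avoid what is left.

```python
"""Worked example: a small risk register scored by probability and impact,
ranked by expected loss, with a response chosen by a cost-benefit rule.
Added illustration; the risks, figures and thresholds are constructed assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Risk:
    name: str
    probability: float                      # estimated annual likelihood, 0.0 to 1.0
    impact: float                           # estimated loss if it occurs, in currency units
    control_cost: Optional[float] = None    # annual cost of the best available control
    residual_probability: Optional[float] = None  # likelihood once that control is in place
    transferable: bool = False              # can the loss be insured or shared with a partner?

    @property
    def expected_loss(self) -> float:
        """Probability x impact: the usual scalar used to rank risks."""
        return self.probability * self.impact

    @property
    def loss_avoided_by_control(self) -> Optional[float]:
        """Expected loss the costed control removes; None if no control is costed."""
        if self.control_cost is None or self.residual_probability is None:
            return None
        return self.expected_loss - self.residual_probability * self.impact


def choose_response(risk: Risk, tolerance: float) -> str:
    """Pick Avoid / Reduce / Share / Accept for one risk.

    tolerance is the expected annual loss the organization is willing to carry
    without acting (an assumed risk-appetite figure).
    """
    if risk.expected_loss <= tolerance:
        return "Accept"                     # cost-benefit: not worth a control
    avoided = risk.loss_avoided_by_control
    if avoided is not None and risk.control_cost < avoided:
        return "Reduce"                     # the control pays for itself
    if risk.transferable:
        return "Share"                      # insure or outsource what cannot be cheaply reduced
    return "Avoid"                          # no affordable control and no transfer: exit the activity


def prioritize(register: List[Risk], tolerance: float) -> List[Tuple[str, float, str]]:
    """Rank the register by expected loss (highest first) and attach a response."""
    ranked = sorted(register, key=lambda r: r.expected_loss, reverse=True)
    return [(r.name, r.expected_loss, choose_response(r, tolerance)) for r in ranked]


# Constructed sample register; every figure below is invented for illustration.
SAMPLE_REGISTER = [
    Risk("Ransomware outage", probability=0.20, impact=2_000_000,
         control_cost=150_000, residual_probability=0.05),
    Risk("Data-centre fire", probability=0.01, impact=5_000_000, transferable=True),
    Risk("Key supplier insolvency", probability=0.10, impact=1_000_000,
         control_cost=200_000, residual_probability=0.02),
    Risk("Office printer failure", probability=0.50, impact=10_000),
]
RISK_TOLERANCE = 20_000   # assumed appetite: carry up to this expected annual loss


if __name__ == "__main__":
    for name, loss, response in prioritize(SAMPLE_REGISTER, RISK_TOLERANCE):
        print(f"{name:<26} expected loss {loss:>12,.0f}  -> {response}")
```

The ordering matters: a risk is only considered for a control once it exceeds tolerance, and only considered for transfer once no cost-effective control exists, which is the same sequence of questions an ERM review walks through. In practice the probability and impact figures are estimates (see the disadvantages below), so the register should record who supplied each estimate and when it was last revisited.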

The most widely used ERM frameworks are COSO’s Enterprise Risk Management framework (COSO is the Committee of Sponsoring Organizations of the Treadway Commission, the body also known for its internal-control framework) and the framework published by RIMS (the Risk and Insurance Management Society). Both set out methods for identifying, analyzing, responding to, and monitoring risks or opportunities arising inside and outside the business.

Advantages

  • ERM allows an enterprise to identify the risks it faces and to prioritize them by likelihood and impact, so that effort goes where the exposure is greatest.

  • An improved understanding of the risks—both systemic and non-systemic—facing businesses can help in contingency planning for when the unexpected happens.

  • Robust identification of risks can protect businesses from events that might otherwise threaten the viability of the entity.

Disadvantages

  • Protracted risk-framework evaluation could be counterproductive if the fruitless pursuit of perfection leaves the company exposed to the very risks it hoped to avoid.

  • Evaluating risks depends on judgments, estimates, and interpretation. Many risks are intangible: highly relevant but hard to quantify, so numerical scores can convey a false sense of precision.


Action Checklist

  • Overcome resistance to introducing or upgrading a risk framework by making sure the board and managers understand that awareness of business risks is in everyone’s interest.

  • Encourage an open environment when establishing a risk framework. Some risks are obvious, but stakeholders and the managers of individual business units often know more about the hidden ones.

  • Engage key business stakeholders and managers both in evaluating the risks and in choosing the best response to each of them.


Dos and Don’ts

Do

  • Regularly update the risk-assessment framework; a current framework keeps management informed of the constantly changing business environment and the risks it brings.

  • Spell out in clear terms the risks that the organization may be facing, their probability, and their potential impact.

Don’t

  • Don’t take risks for granted; just because a risk has been the same in the past, there is no guarantee that it will stay the same in the future. Only by fully understanding the risks and keeping the framework up to date can you counter the dangers.

  • Don’t get bogged down by risk frameworks. Risk is sometimes a natural and acceptable part of doing business.


Further reading


  • Baxter, Keith. Risk Management: Fast Track to Success. Harlow, UK: FT Prentice Hall, 2010.
  • Leitch, Matthew. Intelligent Internal Control and Risk Management: Designing High-Performance Risk Control Systems. Aldershot, UK: Gower, 2008.