ISO 31000 2009 Risk Management Audit Tool

ISO 31000 is an international risk management standard. It can be used by any
organization no matter what size it is or what it does. It is not specific to any sector or
industry and can be applied to any type of risk. It can be applied to the achievement
of any and all types of objectives at all levels and all areas within an organization.

Use our risk management audit tool to:

  • Minimize your organization's losses.
  • Strengthen your risk management controls.
  • Encourage personnel to identify and treat risks.
  • Improve the overall resilience of your organization.
  • Improve loss prevention and incident management.
  • Evaluate risk management practices and processes.
  • Increase the likelihood that objectives will be achieved.
  • Improve the trust and confidence of your stakeholders.
  • Enhance your ability to identify threats and opportunities.

Use our audit tool to pinpoint the gaps that exist between ISO's risk management
standard and your organization's activities. Once you've filled all the gaps, you can
be assured that you've done everything that can reasonably be done to improve
the overall effectiveness of your organization's risk management practices,
processes, policies, plans, procedures, and programs.


This page will introduce our audit tool. It will show you how it is organized
and it will explain how it works. Once you've examined our approach, we hope
you'll consider buying our complete ISO 31000 Risk Management Audit Tool (Title 32).

ISO 31000 RISK MANAGEMENT AUDIT TOOL

TABLE OF CONTENTS (TITLE 32)

OVERVIEW AND PROFILE

  1   Overview of Risk Management Audit Tool                            3
  2   Profile of Your Risk Management Audit Project                     8

AUDIT QUESTIONS AND AUDIT RESULTS

  3   Assess How Well Risk Management Principles are Being Applied      9
  4   Assess How Well Risk Management Framework is Being Applied
  5   Assess How Well Risk Management Process is Being Applied         28
  6   Summarize your Risk Management Audit Results                     51

RISK MANAGEMENT IMPROVEMENT PLANS

  7   Improve How Well Risk Management Principles are Being Applied    52
  8   Improve How Well Risk Management Framework is Being Applied      53
  9   Improve How Well Risk Management Process is Being Applied        54

APPENDICES

  10  Plain English Terms and Definitions                              55
  11  License Agreement and Contact Information                        64



AUDIT PROFILE

Before you start your audit, you will be asked to fill out a one-page form entitled
Profile of Your Risk Management Audit Project (see Part 2, above). First record the
name of the organization being audited, its address, the areas being audited, the
address of the audit, and a brief description of the actual scope or focus of the
audit. Also use the form to record the names of your auditors and the audit start
date. Once you've completed the audit, use the same form to record when the audit
was finished, who reviewed the audit and when, and any review comments.


AUDIT QUESTIONS

ISO 31000 is made up of three sets of risk management guidelines. We've taken
each one of these guidelines and turned it into a question. As a result, our audit
tool contains three sets of questions. These questions will allow you to:

3. Assess how well your organization is applying ISO's risk management principles.

4. Assess how well your organization is applying ISO's risk management framework.

5. Assess how well your organization is applying ISO's risk management process.

Our audit questionnaire starts with section 3 because the ISO 31000 guidelines
start in section 3. We've preserved this numbering system in order to make it easy
to cross-reference the original ISO 31000 standard with our material. However, at
the detailed level we have added a numbering system that you won't find in the
original standard. We have sequentially numbered all questions within each of
the 3 parts (3 to 5) that make up the core of the standard. We have done this
in order to make it easier for you to work with our questionnaires.

In addition, we have used paragraph indents to distinguish between general
questions and specific questions. This approach makes it easy to see how our
questionnaires are structured. In most cases, a general question is immediately
followed by several specific questions which usually help clarify what the general
question means. If you're not sure about what a general question is asking, just
keep reading. In most cases, the more detailed questions will clarify what the
general questions are trying to ask. But, if you're still not sure what a question
means, perhaps our Plain English Terms and Definitions section will help
(see Part 10).


METHODOLOGY

For each question, three answers are possible: YES, NO, or N/A. A YES answer
means you're in compliance with the standard, a NO answer means you're not in
compliance, while an N/A answer means that this question is not applicable in your
situation. NO answers reveal gaps that exist between the ISO 31000 standard and
your organization's risk management practices and processes.

Answer each question by recording one of these three answers in the cell to the
right of each question. To the right of your answers you will also find a column
that you can use to record any comments or observations you might have.

Once you've completed our three sets of questionnaires, please study your
NO answers and use the associated questions to formulate remedial actions.
Use the forms at the end of this audit process to record your remedial actions
and to create your risk management improvement plans (see Parts 7 to 9).

Once you've done this for all gaps, you will have three plans which, taken together,
will make up a complete risk management improvement plan. And once all plans
have been implemented and all remedial actions have been taken, you will have
improved the overall effectiveness of your organization's risk management
practices, processes, policies, procedures, and programs.

In most cases, remedial actions can be formulated by simply turning an audit
question into an action statement. For example, a question might ask: "Do you
use your records to support continuous learning?" If you answered NO, you would
create a remedial action statement by simply writing: "Use records to support
continuous learning". Or, if you wish to use our questions to set objectives, simply
write the following: "To use records to support continuous learning". By turning
questions into objectives, our audit tool can also be used as a planning process.

You can also summarize your audit quantitatively if you wish (see Part 6). The
idea here is to measure how compliant your risk management activities actually
are. And if you carry out regular audits, you can also use our approach to measure
whether or not your risk management activities are actually improving over time.

The following example will show you what our ISO 31000 Risk Management Audit
Tool looks like.

SAMPLE AUDIT QUESTIONS

ISO 31000 2009 RISK MANAGEMENT AUDIT TOOL

4. ASSESS HOW WELL RISK MANAGEMENT FRAMEWORK IS BEING APPLIED

(In the tool itself, each question is followed by a cell for your YES, NO, or N/A
answer and a cell for your comments; both cells are blank in this sample. Indented
questions are the specific questions that clarify the general question above them.)

4.1 ESTABLISH A RISK MANAGEMENT FRAMEWORK

1. Have you made risk management part of your organization's general
   management system?
    2. Have you established an effective risk management framework for your
       organization?
        3. Does your risk management framework permeate every aspect of your
           organization at every level?
        4. Does your risk management framework meet your organization's needs
           and requirements?
    5. Does your risk management framework support your organization's risk
       management process?
        6. Do you use your risk management framework to help ensure that
           information about risk is reported?
        7. Do you use your risk management framework to help ensure that
           information about risk is used for decision making at all relevant
           levels?
        8. Do you use your risk management framework to help ensure that
           information about risk is used to establish accountability?

4.2 MAKE A COMMITMENT TO RISK MANAGEMENT

9. Does your organization have a risk management policy?
    10. Does your organization's management clearly endorse and support its
        risk management policy?
    11. Is your organization's culture aligned and compatible with its risk
        management policy?
12. Does your organization establish risk management performance indicators?
    13. Are your risk management indicators aligned and compatible with your
        organization's other performance indicators?
14. Does your organization formulate risk management objectives?
    15. Are your risk management objectives aligned and compatible with your
        organization's other objectives?
    16. Are your risk management objectives aligned and compatible with your
        organization's strategies?
17. Does your organization assign risk management responsibilities?
    18. Are risk management responsibilities allocated at appropriate levels
        throughout your organization?
    19. Are your people held accountable for meeting their risk management
        responsibilities?
20. Does your organization allocate risk management resources?
    21. Do your resources meet your organization's risk management needs and
        requirements?
22. Does your organization communicate risk management benefits?
    23. Do all stakeholders understand how they can benefit from the management
        of risk?
24. Does your organization support its risk management framework?
    25. Is your risk management framework appropriate?
    26. Does your risk management framework comply with all relevant legal and
        regulatory requirements?

4.3 DESIGN YOUR RISK MANAGEMENT FRAMEWORK

4.3.1 UNDERSTAND YOUR ORGANIZATION'S CONTEXT

27. Have you evaluated and do you understand your organization's external
    context and have you used this knowledge to design a risk management
    framework?
    28. Have you evaluated and do you understand your organization's external
        environment?
        29. Do you understand your social environment?
        30. Do you understand your cultural environment?
        31. Do you understand your political environment?
        32. Do you understand your legal environment?
        33. Do you understand your regulatory environment?
        34. Do you understand your financial environment?
        35. Do you understand your technological environment?
        36. Do you understand your economic environment?
        37. Do you understand your natural environment?
        38. Do you understand your competitive environment?
    39. Have you evaluated and do you understand your organization's external
        stakeholders?
        40. Do you understand external stakeholder relationships?
        41. Do you understand external stakeholders' perceptions?
        42. Do you understand external stakeholders' values?
    43. Have you evaluated and do you understand your organization's external
        influences?
        44. Do you understand how these external influences could affect your
            organization's objectives?
            45. Do you understand the trends that have an impact on your
                organization's objectives?
            46. Do you understand the key drivers that have an impact on your
                organization's objectives?
47. Have you evaluated and do you understand your organization's internal
    context and did you use this knowledge to design a risk management
    framework?
    48. Do you understand your internal stakeholders?
        49. Do you understand internal stakeholder relationships?
        50. Do you understand internal stakeholders' perceptions?
        51. Do you understand internal stakeholders' values?
    52. Do you understand your organization's governance?
        53. Do you understand your organizational structure?
        54. Do you understand your organization's policies?
        55. Do you understand your organization's roles, responsibilities, and
            accountabilities?
        56. Do you understand your organization's various decision making
            processes?
            57. Do you understand your organization's formal decision making
                processes?
            58. Do you understand your organization's informal decision making
                processes?
    59. Do you understand your organization's objectives?
        60. Do you understand the strategies that are used to achieve your
            objectives?
    61. Do you understand your organization's capabilities?
    62. Do you understand your organization's knowledge?
    63. Do you understand your organization's resources?
        64. Do you understand your capital resources?
        65. Do you understand your human resources?
        66. Do you understand your technological resources?
        67. Do you understand your systemic resources?
            68. Do you understand your processes?
            69. Do you understand your information systems?
            70. Do you understand information flows?
    71. Do you understand your organization's culture?
    72. Do you understand your organization's standards?
    73. Do you understand the guidelines you have adopted?
    74. Do you understand the models you have adopted?
    75. Do you understand your organization's contracts?
    76. Do you understand the form and extent of your contractual relationships?

4.3.2 FORMULATE YOUR RISK MANAGEMENT POLICY

77. Have you established a risk management policy?
    78. Have you made a commitment to risk management?
        79. Have you made a commitment to support those who are accountable and
            responsible for risk management?
            80. Have you made a commitment to provide the resources needed to
                support your risk management activities?
        81. Have you made a commitment to periodically review your risk
            management policy and framework?
            82. Have you made a commitment to review your risk management policy
                and framework whenever a significant event occurs or
                circumstances change?
        83. Have you made a commitment to improve your risk management policy
            and framework?
    84. Do you define risk management objectives?
    85. Do you explain how your risk management policy should be implemented
        and applied?
    86. Do you discuss your organization's risk management roles,
        responsibilities, and accountabilities?
    87. Do you discuss how your risk management policy should be shared and
        communicated?
    88. Do you discuss the way in which opposing or conflicting interests should
        be handled?
    89. Do you discuss how your other policies and objectives are linked to your
        organization's risk management policy?
    90. Do you discuss how risk management performance should be measured?
        91. Do you discuss how risk management performance should be reported?
92. Do you communicate your risk management policy?
    93. Are your risk oriented communications appropriate?

4.3.3 MAKE PEOPLE ACCOUNTABLE FOR MANAGING RISK

94. Has your organization made people accountable for risk management?
    95. Have you made people accountable for your risk management framework?
        96. Did you identify who is accountable for developing your
            organization's risk management framework?
        97. Did you identify who is accountable for implementing your
            organization's risk management framework?
        98. Did you identify who is accountable for maintaining your
            organization's risk management framework?
    99. Have you made people accountable for your risk management process?
        100. Have you made people accountable for implementing your
             organization's risk management process?
        101. Have you made people accountable for maintaining your
             organization's risk management process?
        102. Have you made people accountable for ensuring that risk management
             controls are adequate?
        103. Have you made people accountable for ensuring that controls are
             both efficient and effective?
        104. Have you made people accountable at all levels for supporting the
             risk management process?
            105. Did you identify people at all levels who should, in addition
                 to their other duties, be responsible for supporting the risk
                 management process?
    106. Have you made particular people accountable for managing and
         controlling specific risks?
        107. Did you clearly identify your organization's risk owners?
        108. Do you give risk owners the authority they need to manage specific
             risks and do you hold them accountable for doing so?
        109. Do you ensure that risk owners are competent and capable of
             managing their particular risks?
110. Has your organization established risk management performance measurement
     methods and techniques?
    111. Have you established levels of recognition?
112. Did your organization develop systematic risk management reporting and
     escalation processes?
113. Etcetera ...

Attention

Now that you know what our tool looks like, please consider purchasing
Title 32: ISO 31000 2009 Risk Management Audit Tool.

If you purchase our ISO 31000 Risk Management Audit Tool, you'll find that
it's integrated, detailed, exhaustive, and easy to understand. You'll find
that we've worked hard to create a high quality product. In fact, we
guarantee the quality of our risk management audit tool. Title 32 is
65 pages long and comes in pdf and MS doc file formats.

Place an Order 

Check our Prices

See our License


OTHER ISO 31000 PAGES

Introduction to ISO 31000 Standard

Plain English Risk Management Definitions

Overview of ISO 31000 Risk Management Standard

ISO 31000 2009 Standard Translated into Plain English


Praxiom Research Group Limited            help@praxiom.com           780-461-4514

Updated on January 1, 2017. First published on November 1, 2012.

Legal Restrictions on the Use of this Page
Thank you for visiting this webpage. You are welcome to view our material as often as
you wish, free of charge. And as long as you keep intact all copyright notices, you are also
welcome to print or make one copy of this page for your own personal, noncommercial,
home use. But, you are not legally authorized to print or produce additional copies or to
copy and paste any of our material onto another web site or to republish it in any way.

Copyright © 2012 - 2017 by Praxiom Research Group Limited. All Rights Reserved.
