Regularity and completeness of risk management practices

Strategic and operational objectives are specified, to enable the identification and assessment of risks for achieving them

Analysis of five large budget organisations, based on documentation demonstrating risk assessment, risk mitigation action and its impact during the last calendar year or later, ideally a risk register. Based on documentation provided by the sample bodies (strategic and operational plan, risk register, other) and the information obtained in the interviews) the assessors will verify that the strategic and operational objectives are specified with sufficient clarity, to enable the identification and the assessment of the risks for the achievement of those objectives. The sample bodies include three ministries (ministries responsible for health, interior and infrastructure), and two large agencies (tax administration, road administration).. If any of the sample bodies does not exist in the country, alternative bodies will be selected to assess the sample-based criteria.

Risk management is effectively implemented in the organisation

Analysis of five large budget organisations, based on documentation demonstrating risk assessment, risk mitigation action and its impact during the last calendar year or later, ideally a risk register. Based on documentation provided by the sample bodies (strategic and operational plan, risk register, other) and the information obtained in the interviews) the assessors will verify that risk management is effectively implemented throughout the organisation (there is a risk management strategy, risk register, risk mitigation plan, etc). The sample bodies include three ministries (ministries responsible for health, interior and infrastructure), and two large agencies (tax administration, road administration).. If any of the sample bodies does not exist in the country, alternative bodies will be selected to assess the sample-based criteria.

Responsibility for conducting risk assessments and taking risk mitigation actions is assigned to the management, not to internal auditors

Analysis of five large budget organisations, based on documentation demonstrating risk assessment, risk mitigation action and its impact during the last calendar year or later, ideally a risk register. Based on documentation provided by the sample bodies (strategic and operational plan, risk register, other) and the information obtained in the interviews) the assessors will verify that the responsibility for conducting the risk assessment and taking risk mitigation actions is assigned to the management, not to internal auditors. The sample bodies include three ministries (ministries responsible for health, interior and infrastructure), and two large agencies (tax administration, road administration).. If any of the sample bodies does not exist in the country, alternative bodies will be selected to assess the sample-based criteria.

Risks are assessed at least annually in the organisations

Analysis of five large budget organisations, based on documentation demonstrating risk assessment, risk mitigation action and its impact during the last calendar year or later, ideally a risk register. Based on documentation provided by the sample bodies (strategic and operational plan, risk register, other) and the information obtained in the interviews) the assessors will verify that the risk assessment is carried out at least annually. The sample bodies include three ministries (ministries responsible for health, interior and infrastructure), and two large agencies (tax administration, road administration). If any of the sample bodies does not exist in the country, alternative bodies will be selected to assess the sample-based criteria.

Risk assessment is carried out against all the objectives of the organisation

Analysis of five large budget organisations, based on documentation demonstrating risk assessment, risk mitigation action and its impact during the last calendar year or later, ideally a risk register. Based on documentation provided by the sample bodies (strategic and operational plan, risk register, other) and the information obtained in the interviews) the assessors will verify that the risk assessment is carried out against all the objectives of the organisation. The sample bodies include three ministries (ministries responsible for health, interior and infrastructure), and two large agencies (tax administration, road administration). If any of the sample bodies does not exist in the country, alternative bodies will be selected to assess the sample-based criteria.

Risk mitigation measures and responsible persons are defined for at least significant risks

Analysis of five large budget organisations, based on documentation demonstrating risk assessment, risk mitigation action and its impact during the last calendar year or later, ideally a risk register. Based on documentation provided by the sample bodies (strategic and operational plan, risk register, other) and the information obtained in the interviews) the assessors will verify that for at least the significant risks, the corresponding risk mitigation measures and the responsible persons are defined. The sample bodies include three ministries (ministries responsible for health, interior and infrastructure), and two large agencies (tax administration, road administration). If any of the sample bodies does not exist in the country, alternative bodies will be selected to assess the sample-based criteria.

Residual risks are reported at least annually in the organisations

Analysis of five large budget organisations, based on documentation demonstrating risk assessment, risk mitigation action and its impact during the last calendar year or later, ideally a risk register. Based on documentation provided by the sample bodies (strategic and operational plan, risk register, other) and the information obtained in the interviews) the assessors will verify that residual risks after implementing the risk mitigation measures are reported at least annually in the organisation. The sample bodies include three ministries (ministries responsible for health, interior and infrastructure), and two large agencies (tax administration, road administration). If any of the sample bodies does not exist in the country, alternative bodies will be selected to assess the sample-based criteria.