Risk reports should address how risk relates to achieving objectives, rather than just looking at it as a single point whose axes are impact and likelihood.
Sourced through Scoop.it from: iaonline.theiia.org
Dave Tate comment (CPA (California, inactive) and Attorney. These discussions are worthwhile. Risk management (surprise management) definitely is here to stay, and is a worthwhile activity for all industries and businesses, including public companies, private companies, nonprofits, governmental entities, banks/financial institutions, etc. Some industries and businesses are required to perform risk assessment. But, really, there is no set or recognized approach or process. For the board, I would like to see at least a quarterly report and discussion, but obviously more often if legally required or if the board requests. I have posted other discussions about risk management on this blog, and also in Tate’s Excellent Audit Committee Guide (updated October 2015, 172 pages) which you can also find posted on my blog. Thanks.