Organizations conduct assessments to identify different types of organizational risk. For example, they may conduct enterprise risk assessments to identify the strategic, operational, financial, and compliance risks to which the organization is exposed. In most cases, the enterprise risk assessment process is focused on the identification of “bet the company” risks – those that could impact the organization’s ability to achieve its strategic objectives.
Most organizations also conduct internal audit risk assessments to aid in the development of the internal audit plan. A traditional internal audit risk assessment is likely to consider financial statement risks and other operational and compliance risks.
While both of these kinds of risk assessments are typically intended to identify significant compliance-related risks, neither is designed to specifically identify legal or regulatory compliance risks
Objective: Identify, prioritize, and assign accountability for managing strategic, operational, financial, and reputational risks
Scope: Any risk significantly impacting the organization’s ability to achieve its strategic objectives
Typical Owner: Chief Risk Officer/ Chief Financial Officer
Objective: Determine and prioritize risks to aid in developing the internal audit plan, helping to provide the board and the executive team with assurances related to risk management efforts and other compliance activities
Scope: Financial statement and internal control risks, as well as some operational and compliance risks that are likely to materially impact the performance of the enterprise or financial statements
Typical Owner: Chief Audit Executive
Objective: Identify, prioritize, and assign accountability for managing existing or potential threats related to legal or policy noncompliance—or ethical misconduct—that could lead to fines or penalties, reputational damage, or the inability to operate in key markets
Scope: Laws and regulations with which the organization is required to comply in all jurisdictions where it conducts business, as well as critical organizational policies—whether or not those policies are based on legal requirements
Typical Owner: Chief Compliance Officer