Don’t start from scratch. Reuse and recycle. Learn from others. Those three quick statements about learning apply equally to risk management. Identifying potential risks, good and bad, can be a cumbersome process. To speed it up, find out which risks are common to your industry, whether that is construction, information technology, product development or public power. Treat those as your assumed inherent risks and build from there.
A good source of organizational and information risk categories is the Information Systems Audit and Control Association (ISACA). Its risk list is organized into four categories:
- Inherent Risk is the default risk linked to the area being audited. In other words, inherent risk is the risk that naturally belongs to the business area of the audit subject, before any controls are considered. This is where finding your industry’s risk list is helpful.
- Control Risk is the risk that errors or irregularities in the audit subject will not be prevented, detected or corrected by the existing internal controls.
- Detection Risk is the risk that material errors or irregularities in the audit subject will not be detected by the substantive test techniques used by the IS auditor.
- Residual Risk is the risk that remains in the system even after controls have been put in place to mitigate the inherent risks of the audit subject. In project management this is referred to as secondary risk and residual risk.