Internal Audit Departments and Building a Definition of Risk

Internal Audit Departments today are constantly told to be "risk based" and to assist their companies in the management of risk. While this sounds great in concept, the execution is a different manner as many companies today do not have a formal risk management program with which to align. When tasked with developing such programs Internal Audit should not fall into the trap of developing a population of risks before first arriving at a common definition of risk.

Understanding how your company views risk is a good place to start. Is risk viewed as good or bad? Remember, risk is not just a negative; the presence of risk presents the possibility of reward as well as loss. In looking at risk as both a positive and negative, Internal Audit Departments will better align their risk activities with the thoughts and strategies of management.

This definition, once developed, can then allow Internal Audit Departments to evaluate risks and risk management activities to determine if the potential for success warrants the risk being taken; to assess whether the risks being taken are aligned with corporate values, goals, objectives, policies and management capabilities; and to determine whether the culture of your organization is strong enough to allow for a legitimate discussion about risk events that haven’t yet happened.

---

This post was contributed by Brad Zolkoske. Brad is the Director of Internal Audit at International Coal Group. He is responsible for the design, development, coordination and communication of auditing services throughout the company. Brad’s number one goal at International Coal is to establish a professional internal audit function that actively supports the company’s growth and culture initiatives.

During the course of his 20 year internal audit career Brad has worked in internal audit management for several publicly traded manufacturing companies. He is an expert at getting exceptional performance out of small audit departments. Brad can be contacted through this blog or through his LinkedIn profile.