Practice Guide: Assessing the Adequacy of Risk Management Using ISO 31000
Recommended Guidance 

The use of enterprise-wide risk management frameworks has expanded as organizations recognize the advantages of coordinated approaches to risk management. The risk management framework must be designed to suit the organization: its internal and external environment.

Assessing the Adequacy of Risk Management Using ISO 31000 details three approaches to assurance of the risk management process: a Process Elements approach; an approach based on Principles of Risk Management; and a Maturity Model approach. The assurance process that is used should be tailored to the organization’s needs. Internal auditors should have a means of measuring the effectiveness of risk management in an organization and forming a conclusion on the organization’s level of risk management maturity. One of the key criteria that internal auditors should consider is whether there is a suitable framework in place to advance a corporate and systematic approach to risk management. 

This Practice Guide uses ISO 31000 as a basis for the risk management framework. Other frameworks may be used to perform the risk assessment. This guidance does not imply implicit or explicit endorsement of this or any other framework.

Downloads and Links

English, Czech, French, Turkish (Members Only)

Practice Guides are restricted to IIA members only.  

Non-members may purchase this Practice Guide from the IIA Bookstore.

An updated edition of the International Professional Practices Framework (IPPF) guide, more commonly known as the Red Book, is now available. Visit the IIA Bookstore for more information.