Risk audits are used to evaluate the effectiveness of the risk identification, risk responses, and risk man- agement process as a whole. Information reviewed in a risk audit can include:
- Risk event audits
- Risk events
- Risk response audits
- Risk event
- Actions for improvement
- Risk management processes
- Tools and techniques used
- Good practices
- Areas for improvement
The risk audit is a tool used in process 11.7 Control Risks in the PMBOK® Guide – Sixth Edition. It is conducted periodically as needed.
Consider the following tips to help tailor the risk audit to meet your needs:
- To make the audit more robust you can include an assessment of the effectiveness of the risk management approach.
- Large organizations often have policies and procedures associated with project risk. If this is the case in your organization, include an assessment of compliance with the policies and procedures.
- Many organizations don’t track opportunity management. You can expand the scope of the audit to include opportunity management if appropriate.
- For larger projects you may want to include information on overall risk in addition to risk events.
The risk audit should be aligned and consistent with the following documents:
- Risk management plan
- Risk register
- Risk report
|Risk event audit||Event||List the event from the risk register.|
|Cause||Identify the root cause of the event from the risk register.|
|Response||Describe the response implemented.|
|Comment||Discuss if there was any way to have foreseen the event and respond to it more effectively.|
|Risk response audit||Event||List the event from the risk register.|
|Response||List the risk response from the risk register.|
|Successful||Indicate if the response was successful.|
|Actions to improve||Identify any opportunities for improvement in risk response.|
|Risk management process audit||Plan risk management||Followed: Indicate if the various processes were followed as indicated in the risk management plan.|
|Identify risks||Tools and techniques used: Identify tools and techniques used in the various risk management processes and whether they were successful.|
|Perform qualitative risk analysis|
|Perform quantitative risk analysis|
|Plan risk responses|
|Describe any practices that should be shared for use on other projects.||Describe any practices that should be shared for use on other projects. Include any recommendations to update and improve risk forms, templates, policies, procedures, or processes to ensure these practices are repeatable.|
|Description of areas for improvement||Describe any practices that need improvement, the improvement plan, and any follow- up dates or information for corrective action.|