M & C

Risk Audit

Risk audits are used to evaluate the effectiveness of the risk identification, risk responses, and risk management process as a whole. Information reviewed in a risk audit can include:

  • Risk event audits
    • Risk events
    • Causes
    • Responses
  • Risk response audits
    • Risk event
    • Responses
    • Success
    • Actions for improvement
  • Risk management processes
    • Process
    • Compliance
    • Tools and techniques used
  • Good practices
  • Areas for improvement

The risk audit is a tool used in process 11.7 Control Risks in the PMBOK® Guide – Sixth Edition. It is conducted periodically as needed.

Tailoring Tips

Consider the following tips to help tailor the risk audit to meet your needs:

  • To make the audit more robust you can include an assessment of the effectiveness of the risk management approach.
  • Large organizations often have policies and procedures associated with project risk. If this is the case in your organization, include an assessment of compliance with the policies and procedures.
  • Many organizations don’t track opportunity management. You can expand the scope of the audit to include opportunity management if appropriate.
  • For larger projects you may want to include information on overall risk in addition to risk events.



The risk audit should be aligned and consistent with the following documents:

  • Risk management plan
  • Risk register
  • Risk report

| Document element | | Description |
|---|---|---|
| Risk event audit | Event | List the event from the risk register. |
| | Cause | Identify the root cause of the event from the risk register. |
| | Response | Describe the response implemented. |
| | Comment | Discuss if there was any way to have foreseen the event and respond to it more effectively. |
| Risk response audit | Event | List the event from the risk register. |
| | Response | List the risk response from the risk register. |
| | Successful | Indicate if the response was successful. |
| | Actions to improve | Identify any opportunities for improvement in risk response. |
| Risk management process audit | Plan risk management | Followed: Indicate if the various processes were followed as indicated in the risk management plan. |
| | Identify risks | Tools and techniques used: Identify tools and techniques used in the various risk management processes and whether they were successful. |
| | Perform qualitative risk analysis | |
| | Perform quantitative risk analysis | |
| | Plan risk responses | |
| | Control risks | |
| Good practices | | Describe any practices that should be shared for use on other projects. Include any recommendations to update and improve risk forms, templates, policies, procedures, or processes to ensure these practices are repeatable. |
| Description of areas for improvement | | Describe any practices that need improvement, the improvement plan, and any follow-up dates or information for corrective action. |