2.1 The role of risk assurance
A key question that needs to be asked of any system, not least a risk management system, is, ‘How do you know it works?’
A variety of different approaches can be taken. For example, you could ask:
- Is the risk level reducing?
- Are the internal controls being audited and attested to?
- Is risk training being completed?
Some people go further by measuring maturity, while others measure the nature and impact of incidents that have occurred.
There is no right or wrong answer as long as you know your risk management system works and you can prove it. One way that organisations offer this proof is via a three lines of defence approach.