Risk Assessment and Monitoring
Expert-defined terms from the Compliance and Regulatory Auditing course at London School of Planning and Management. Free to read, free to share, paired with a professional course.
Acceptable Risk #
Definition #
The level of risk that an organization is willing to endure in pursuit of its objectives, after controls have been applied. It reflects a balance between potential loss and the benefits of an activity.
Example #
A bank may deem a 0.5 % chance of a $1 million loss on a loan portfolio as acceptable because the expected profit outweighs the possible downside.
Practical Application #
Auditors compare actual risk exposure with the defined acceptable risk to determine whether additional controls or mitigation actions are needed.
Challenges #
Determining an appropriate threshold can be subjective, varies across business units, and may change with market conditions, leading to inconsistent assessments.
Audit Trail #
Definition #
A chronological record that documents the sequence of activities, decisions, and changes made to a system or process, providing evidence of compliance and accountability.
Example #
In a pharmaceutical manufacturing system, every change to a batch record is logged with user ID, timestamp, and reason, creating a complete audit trail.
Practical Application #
Auditors review the audit trail to verify that procedures were followed, identify unauthorized modifications, and support regulatory submissions.
Challenges #
Large volumes of log data can overwhelm review processes; ensuring integrity and protection against tampering requires robust controls.
Baseline Risk Assessment #
Definition #
The first comprehensive evaluation of risks associated with a process, system, or project, establishing a reference point for future monitoring and comparison.
Example #
Before launching a new online payment platform, a firm conducts a baseline risk assessment to identify cyber‑threats, operational errors, and compliance gaps.
Practical Application #
The baseline serves as a benchmark; subsequent audits measure deviations, effectiveness of controls, and emerging threats against this initial view.
Challenges #
Incomplete data, evolving regulatory landscapes, and assumptions made during the baseline can lead to inaccurate benchmarks.
Control Effectiveness #
Definition #
The degree to which a control reliably prevents, detects, or corrects a risk to an acceptable level, as demonstrated through testing and monitoring.
Example #
A segregation‑of‑duties control is tested by reviewing transaction logs to confirm that no single employee can both initiate and approve payments.
Practical Application #
Auditors assess control effectiveness to decide whether risk exposure remains within acceptable limits or if remediation is required.
Challenges #
Controls may degrade over time, be bypassed by sophisticated fraud schemes, or suffer from inadequate documentation, complicating effectiveness evaluation.
Critical Risk Indicator (CRI) #
Definition #
A quantitative or qualitative measure that signals a significant change in the risk profile of a critical area, prompting immediate attention.
Example #
A sudden increase in failed login attempts beyond a set threshold is a CRI for potential cyber‑intrusion.
Practical Application #
Monitoring CRIs enables early detection of risk escalation, allowing auditors and risk managers to initiate investigations before violations occur.
Challenges #
Selecting appropriate CRIs, setting realistic thresholds, and avoiding false positives require deep domain knowledge and continuous refinement.
Data Integrity #
Definition #
The accuracy, completeness, and consistency of data throughout its lifecycle, ensuring that it remains unaltered except by authorized processes.
Example #
Financial statements must retain data integrity from transaction entry through consolidation to external reporting.
Practical Application #
Auditors verify data integrity by performing reconciliation checks, checksum validations, and reviewing change‑control procedures.
Challenges #
Complex data flows, legacy systems, and manual data entry increase the risk of corruption or undetected alterations.
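The tamper‑protection concern raised under Audit Trail and the checksum validation mentioned under Data Integrity can be combined in one mechanism: a hash‑chained log. The following is an added example, not code from the course; entry contents, user IDs and timestamps are constructed.

```python
"""Tamper-evident audit trail built as a SHA-256 hash chain.

Added example, not from the course text. Each change to a batch record is
appended as an entry whose hash also covers the previous entry's hash, so
editing, deleting or reordering any earlier entry breaks the chain and is
detected on the next verification pass. Entry contents are constructed.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional

GENESIS = "0" * 64  # constructed sentinel: "previous hash" of the first entry


@dataclass
class Entry:
    seq: int
    user_id: str
    timestamp: str  # ISO-8601 string supplied by the caller
    reason: str
    change: str
    prev_hash: str
    hash: str = ""


def digest(seq: int, user_id: str, timestamp: str, reason: str,
           change: str, prev_hash: str) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
    payload = json.dumps(
        {"seq": seq, "user": user_id, "ts": timestamp, "reason": reason,
         "change": change, "prev": prev_hash},
        sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AuditTrail:
    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def append(self, user_id: str, timestamp: str, reason: str, change: str) -> Entry:
        prev = self.entries[-1].hash if self.entries else GENESIS
        seq = len(self.entries)
        entry = Entry(seq, user_id, timestamp, reason, change, prev,
                      digest(seq, user_id, timestamp, reason, change, prev))
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """None if the chain is intact, else the seq of the first bad entry."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev:
                return i  # gap, reordering or deletion before this entry
            if digest(e.seq, e.user_id, e.timestamp, e.reason,
                      e.change, e.prev_hash) != e.hash:
                return i  # contents altered after the fact
            prev = e.hash
        return None


def build_sample_trail() -> AuditTrail:
    # Constructed batch-record changes for a pharmaceutical manufacturing system.
    t = AuditTrail()
    t.append("op-017", "2024-03-04T08:12:00Z", "batch start", "batch B-1021 created")
    t.append("op-017", "2024-03-04T09:40:00Z", "temp correction", "set point 21.5C -> 22.0C")
    t.append("qa-003", "2024-03-04T10:05:00Z", "QA review", "batch B-1021 approved")
    return t


def demo_edit() -> Optional[int]:
    """Alter a stored entry without re-hashing; verify() pinpoints it."""
    t = build_sample_trail()
    t.entries[1].change = "set point 21.5C -> 25.0C"
    return t.verify()  # 1


def demo_delete() -> Optional[int]:
    """Remove a middle entry; the next entry's seq and prev_hash no longer fit."""
    t = build_sample_trail()
    del t.entries[1]
    return t.verify()  # 1
```

The chain only proves the entries are consistent with each other; the latest hash still has to be anchored somewhere the log writers cannot modify (a signed daily digest or write‑once storage), otherwise a party able to rewrite the whole log can simply re‑chain it.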
Enterprise Risk Management (ERM) #
Definition #
A structured and coordinated approach to identifying, assessing, treating, and monitoring risks across an entire organization, aligning risk decisions with strategic objectives.
Example #
A multinational corporation implements ERM to aggregate operational, financial, and compliance risks into a unified risk register.
Practical Application #
ERM provides a common language for auditors to evaluate risk across departments, facilitating consistent control testing and reporting.
Challenges #
Silos, inconsistent risk definitions, and limited executive oversight can hinder effective ERM implementation.
False Positive #
Definition #
An indication that a risk condition exists when, in reality, it does not; the monitoring system incorrectly flags a non‑issue as a problem.
Example #
An intrusion detection system generates an alert for a benign network scan, creating a false positive.
Practical Application #
Auditors assess the rate of false positives to calibrate monitoring tools, ensuring resources are not wasted on non‑issues.
Challenges #
High false‑positive rates erode confidence in alerts, leading to missed genuine threats and increased audit workload.
Governance, Risk, and Compliance (GRC) #
Definition #
A cohesive set of practices and technologies that align governance, risk management, and compliance activities to improve decision‑making and reduce redundancies.
Example #
An insurance firm uses a GRC platform to link policy updates, risk assessments, and audit findings in a single dashboard.
Practical Application #
GRC enables auditors to trace regulatory requirements through risk assessments to control implementation, ensuring end‑to‑end visibility.
Challenges #
Integration complexity, data silos, and resistance to change can impede GRC adoption.
Hazard Identification #
Definition #
The systematic process of recognizing potential sources of harm that could affect an organization’s operations, assets, or reputation.
Example #
A manufacturing plant conducts hazard identification to discover chemical spill risks associated with storage tanks.
Practical Application #
Auditors verify that hazard identification methods (e.g., checklists, brainstorming) are documented and regularly updated.
Challenges #
Overlooking low‑probability events, reliance on outdated information, and limited cross‑functional participation can lead to incomplete identification.
Impact Assessment #
Definition #
Evaluation of the potential severity of a risk event on business objectives, often expressed in financial terms, operational disruption, or reputational damage.
Example #
A data breach impact assessment estimates lost revenue, regulatory fines, and customer churn.
Practical Application #
Auditors use impact assessments to prioritize audit focus, concentrating on high‑impact risks that warrant deeper testing.
Challenges #
Quantifying non‑financial impacts, such as brand damage, and accounting for cascading effects across business units are inherently uncertain.
Key Control #
Definition #
A control that directly addresses a high‑risk area and is essential for maintaining compliance and mitigating significant threats.
Example #
Dual authorization for wire transfers above a certain amount is a key control in treasury operations.
Practical Application #
Auditors place extra scrutiny on key controls, performing extensive testing and reviewing documentation to ensure they operate effectively.
Challenges #
Over‑reliance on a single key control can create a single point of failure; redundancy and backup mechanisms must be evaluated.
Likelihood #
Definition #
The chance that a specific risk event will occur within a defined timeframe, typically expressed as a numeric scale or percentage.
Example #
A 20 % likelihood of supplier disruption due to geopolitical tension.
Practical Application #
Likelihood estimates feed into risk scoring models, influencing audit planning and resource allocation.
Challenges #
Estimating likelihood is often subjective, depends on limited historical data, and can be biased by recent events (recency bias).
Monitoring Plan #
Definition #
A documented strategy that outlines how risk indicators, controls, and compliance obligations will be regularly reviewed and measured.
Example #
A quarterly monitoring plan for anti‑money‑laundering controls includes transaction sampling, SAR filing review, and training completion rates.
Practical Application #
Auditors assess whether the monitoring plan aligns with regulatory expectations and whether execution matches documented frequency.
Challenges #
Inadequate resources, outdated monitoring criteria, and failure to adjust the plan after significant changes can render monitoring ineffective.
Negative Control #
Definition #
A control that is designed to prevent an undesirable outcome but fails to operate as intended, resulting in a risk exposure.
Example #
An automated system that should block duplicate invoices but allows them due to a coding error.
Practical Application #
Auditors identify negative controls by tracing exceptions, investigating root causes, and recommending remediation.
Challenges #
Detecting negative controls often requires deep technical knowledge and may be obscured by complex system integrations.
Operational Risk #
Definition #
The risk of loss resulting from inadequate or failed internal processes, people, systems, or external events that affect day‑to‑day operations.
Example #
A failure in the order‑fulfillment system that leads to delayed shipments and customer complaints.
Practical Application #
Auditors evaluate operational risk by reviewing process documentation, testing key procedures, and assessing control coverage.
Challenges #
Operational risk is dynamic, can be hard to quantify, and may be hidden in routine activities that are assumed to be “normal.”
Probability Distribution #
Definition #
A mathematical function that describes the likelihood of different outcomes for a given risk event, often used to model uncertainty.
Example #
Using a normal distribution to model daily market price fluctuations for a trading desk.
Practical Application #
Auditors rely on probability distributions to assess the robustness of risk models and to verify that assumptions are realistic.
Challenges #
Selecting an inappropriate distribution or mis‑estimating parameters can lead to misleading risk estimates and audit findings.
Qualitative Risk Assessment #
Definition #
An assessment method that uses descriptive scales (e.g., high, medium, low) to evaluate risk likelihood and impact, without relying on precise numerical data.
Example #
Rating a new vendor’s compliance risk as “medium” based on questionnaire responses.
Practical Application #
Auditors often start with qualitative assessments to quickly identify areas needing deeper quantitative analysis.
Challenges #
Subjectivity can introduce bias, and lack of granularity may mask significant variations between similar‑rated risks.
Regulatory Change Management #
Definition #
The process of identifying, evaluating, and implementing adjustments required to meet new or amended regulations.
Example #
Updating AML procedures after a jurisdiction revises its sanctions list.
Practical Application #
Auditors verify that change‑management procedures include impact analysis, stakeholder communication, and documentation of control updates.
Challenges #
Rapid regulatory turnover, cross‑jurisdictional differences, and limited awareness can cause gaps in compliance.
Residual Risk #
Definition #
The level of risk that remains after all identified controls have been applied, representing the true exposure the organization faces.
Example #
After implementing encryption, the residual risk of data theft may still be “low” due to insider threat possibilities.
Practical Application #
Auditors assess residual risk to determine whether it aligns with the organization’s risk appetite and whether additional mitigation is required.
Challenges #
Accurately measuring residual risk demands comprehensive knowledge of control effectiveness and may be obscured by hidden interdependencies.
Scenario Analysis #
Definition #
A technique that evaluates the impact of hypothetical events or combinations of events on an organization’s objectives, often used to test robustness.
Example #
Simulating a 30 % decline in market values combined with a cyber‑attack on trading systems.
Practical Application #
Auditors review scenario analysis results to verify that extreme but plausible events are considered in risk assessments.
Challenges #
Selecting realistic scenarios, ensuring data quality, and avoiding overly optimistic assumptions can be difficult.
Threat Intelligence #
Definition #
Information about current and emerging threats, including tactics, techniques, and procedures used by adversaries, which informs risk mitigation strategies.
Example #
Receiving alerts about a new ransomware variant targeting financial institutions.
Practical Application #
Auditors evaluate whether threat intelligence is integrated into monitoring processes and whether it drives timely control adjustments.
Challenges #
Volume of data, relevance filtering, and timely dissemination to decision‑makers are common obstacles.
Undertaking Risk Register #
Definition #
The act of creating and maintaining a centralized list of identified risks, their characteristics, owners, and mitigation plans.
Example #
A risk register for a merger project documents integration, regulatory, and cultural risks with assigned owners.
Practical Application #
Auditors examine the risk register for completeness, accuracy, and evidence of ongoing monitoring and review.
Challenges #
Keeping the register up to date, avoiding duplication, and ensuring that risk owners actively manage their entries require discipline.
Validation Testing #
Definition #
The process of confirming that a control operates as designed and produces the intended outcome, typically through sampling or walkthroughs.
Example #
Testing a system‑generated exception report to ensure it captures all unauthorized access attempts.
Practical Application #
Auditors perform validation testing to gather evidence of control effectiveness and to support audit conclusions.
Challenges #
Limited access to underlying data, time constraints, and complex system architectures can hinder thorough testing.
Weighted Risk Scoring #
Definition #
A method that assigns numerical values to risk likelihood and impact, often applying different weights to reflect organizational priorities, resulting in a composite risk score.
Example #
Assigning a weight of 0.6 to impact and 0.4 to likelihood to calculate a risk score for a compliance breach.
Practical Application #
Auditors use weighted scores to rank risks, focusing audit resources on those with the highest composite values.
Challenges #
Challenges include determining appropriate weights, preventing manipulation of scores, and keeping the model aligned with strategic objectives.
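The 0.6 / 0.4 weighting above, applied to a small risk register and compared with an acceptable‑risk threshold, as an added example that is not from the course. It also shows that the weighted additive score can rank risks differently from the common likelihood × impact product, which matters when scores are compared across units. Register entries, the 1‑5 rating scale and the threshold are constructed.

```python
"""Weighted risk scoring over a small risk register.

Added example, not from the course text. Likelihood and impact are rated on
a 1-5 scale; the composite score applies the page's weights (impact 0.6,
likelihood 0.4), is ranked, and is compared with an acceptable-risk
threshold. Register entries and the threshold are constructed.
"""
from typing import List, Tuple

IMPACT_WEIGHT = 0.6
LIKELIHOOD_WEIGHT = 0.4

# Constructed register: (risk id, likelihood 1-5, impact 1-5)
REGISTER: List[Tuple[str, int, int]] = [
    ("R1 compliance breach (sanctions screening gap)", 1, 5),
    ("R2 duplicate invoice payments", 4, 2),
    ("R3 supplier disruption", 3, 3),
    ("R4 key-person dependency in treasury", 5, 2),
]


def weighted_score(likelihood: int, impact: int) -> float:
    """Composite score on the same 1-5 scale as the inputs."""
    for v in (likelihood, impact):
        if not 1 <= v <= 5:
            raise ValueError("ratings must be on the 1-5 scale")
    return round(IMPACT_WEIGHT * impact + LIKELIHOOD_WEIGHT * likelihood, 2)


def rank_register(register=REGISTER) -> List[Tuple[str, float]]:
    """Risks ordered by composite score, highest first."""
    scored = [(rid, weighted_score(lik, imp)) for rid, lik, imp in register]
    return sorted(scored, key=lambda x: x[1], reverse=True)


def above_appetite(threshold: float, register=REGISTER) -> List[str]:
    """Risks whose composite score exceeds the acceptable-risk threshold."""
    return [rid for rid, score in rank_register(register) if score > threshold]


def ranking_differs_from_product(register=REGISTER) -> bool:
    """True when the weighted (impact-heavy) order differs from the order
    given by likelihood x impact. With the constructed register the
    low-likelihood, high-impact compliance breach ranks first under the
    weighted model and last under the product model."""
    weighted = [rid for rid, _ in rank_register(register)]
    product = [rid for rid, lik, imp in
               sorted(register, key=lambda r: r[1] * r[2], reverse=True)]
    return weighted != product
```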
e‑Discovery #
Definition #
The process of identifying, collecting, and producing electronically stored information (ESI) for legal or regulatory review.
Example #
Extracting email archives to satisfy a regulator’s request for communications related to a pricing manipulation investigation.
Practical Application #
Auditors assess the e‑discovery procedures to ensure data integrity, chain‑of‑custody, and compliance with privacy laws.
Challenges #
Large data volumes, data fragmentation across cloud services, and privacy constraints complicate e‑discovery efforts.
f‑Asset Risk #
Definition #
The risk associated with fluctuations in the value of financial assets, including market volatility, credit defaults, and liquidity constraints.
Example #
Exposure to foreign‑exchange rate movements affecting a multinational’s cash holdings.
Practical Application #
Auditors evaluate the adequacy of hedging strategies, valuation methods, and reporting controls for f‑asset risk.
Challenges #
Rapid market changes, model risk, and the need for real‑time monitoring increase the complexity of oversight.
g‑Governance Framework #
Definition #
The structured set of policies, procedures, and responsibilities that guide an organization’s decision‑making, risk management, and compliance activities.
Example #
A three‑tier governance framework that defines roles for the board, senior management, and operational teams.
Practical Application #
Auditors verify that the governance framework is documented, communicated, and enforced across the enterprise.
Challenges #
Inconsistent application across subsidiaries, unclear role definitions, and inadequate monitoring can erode governance effectiveness.
h‑Hazard Mitigation Plan #
Definition #
A detailed set of actions designed to reduce the likelihood or impact of identified hazards to an acceptable level.
Example #
Installing fire suppression systems and conducting regular drills to mitigate fire hazards in a data center.
Practical Application #
Auditors review mitigation plans for feasibility, proper resource allocation, and evidence of implementation.
Challenges #
Resource constraints, changing operational environments, and insufficient follow‑up can weaken mitigation outcomes.
i‑Incident Response #
Definition #
The organized approach for detecting, analyzing, containing, and recovering from security incidents, aiming to minimize damage and restore normal operations.
Example #
A coordinated response to a ransomware attack that includes isolating affected systems, notifying stakeholders, and restoring backups.
Practical Application #
Auditors assess incident‑response plans for clarity, roles, escalation procedures, and post‑incident review mechanisms.
Challenges #
Lack of clear ownership, delayed detection, and inadequate testing of response procedures can exacerbate incident impact.
j‑Joint Audits #
Definition #
Audits performed by two or more audit teams (e.g., internal audit and compliance) working together to evaluate overlapping risk areas.
Example #
An internal audit team and a regulatory compliance team jointly audit a loan origination process to assess both operational and legal risks.
Practical Application #
Joint audits promote efficiency, reduce duplication, and provide a holistic view of risk controls.
Challenges #
Coordination difficulties, differing methodologies, and ownership disputes may arise without clear governance.
k‑Key Risk Indicator Dashboard #
Definition #
A visual interface that aggregates and displays CRIs in real time, allowing stakeholders to quickly identify risk trends and threshold breaches.
Example #
A dashboard showing daily transaction volumes, exception counts, and compliance training completion rates with color‑coded alerts.
Practical Application #
Auditors use dashboards to spot anomalies, verify that alerts correspond to actual control failures, and assess timeliness of responses.
Challenges #
Data integration issues, outdated metrics, and over‑reliance on visual cues without underlying analysis can diminish effectiveness.
l‑Legal Risk #
Definition #
The possibility of loss resulting from violations of laws, regulations, or contractual obligations, including sanctions, fines, and reputational harm.
Example #
Failure to comply with GDPR leading to a €2 million penalty.
Practical Application #
Auditors evaluate legal risk by reviewing policy adherence, monitoring regulatory updates, and testing contractual controls.
Challenges #
Rapidly evolving legislation, jurisdictional differences, and hidden contractual clauses increase assessment difficulty.
m‑Monitoring Frequency #
Definition #
The predetermined interval at which risk indicators, controls, or compliance activities are examined to ensure ongoing effectiveness.
Example #
Monthly monitoring of high‑value wire transfers versus quarterly reviews of low‑risk vendor contracts.
Practical Application #
Auditors assess whether monitoring frequency aligns with risk severity and regulatory expectations.
Challenges #
Setting frequencies that are too lax may miss emerging issues; overly frequent monitoring can strain resources and cause audit fatigue.
n‑Non‑Compliance Event #
Definition #
An occurrence where an organization fails to meet a regulatory requirement, internal policy, or contractual obligation.
Example #
Submitting an inaccurate financial report to a securities regulator.
Practical Application #
Auditors investigate non‑compliance events to determine root causes, assess control failures, and recommend remediation.
Challenges #
Challenges include detecting covert violations, distinguishing intentional fraud from inadvertent error, and managing reporting timelines.
o‑Operational Resilience #
Definition #
The ability of an organization to continue delivering critical services during and after disruptions, maintaining acceptable performance levels.
Example #
A cloud‑based backup solution that enables rapid restoration of customer data after a ransomware incident.
Practical Application #
Auditors test operational resilience by reviewing continuity plans, conducting tabletop exercises, and verifying recovery time objectives.
Challenges #
Complex supply‑chain dependencies, outdated recovery procedures, and insufficient testing can compromise resilience.
p‑Predictive Analytics #
Definition #
The use of statistical techniques and algorithms to anticipate future risk events based on historical data patterns.
Example #
Applying a machine‑learning model to predict the likelihood of fraudulent claims in an insurance portfolio.
Practical Application #
Auditors evaluate the validity of predictive models, data quality, and the incorporation of model outputs into risk monitoring.
Challenges #
Model bias, data silos, and lack of transparency in algorithmic decisions can undermine trust and effectiveness.
q‑Qualitative Control Assessment #
Definition #
An appraisal of controls that relies on descriptive evidence, expert judgment, and non‑numeric criteria to determine adequacy.
Example #
Conducting interviews with process owners to assess the adequacy of segregation of duties policies.
Practical Application #
Auditors complement quantitative testing with qualitative assessments to capture nuances not reflected in metrics.
Challenges #
Subjectivity, the potential for confirmation bias, and the difficulty of aggregating qualitative findings into actionable insights limit this approach.
r‑Risk Appetite Statement #
Definition #
A formal declaration that articulates the amount and type of risk an organization is willing to pursue or retain in pursuit of its objectives.
Example #
A bank’s risk appetite statement may specify “low tolerance for credit risk in high‑yield products.”
Practical Application #
Auditors verify that risk appetite aligns with actual risk exposures, control designs, and performance outcomes.
Challenges #
Vague language, misalignment with operational realities, and failure to update the statement after strategic shifts can cause governance gaps.
s‑Scenario‑Based Testing #
Definition #
An audit technique that subjects controls and processes to simulated adverse conditions to evaluate their robustness.
Example #
Testing the loan approval workflow under a simulated surge of applications during a market downturn.
Practical Application #
Auditors use scenario‑based testing to uncover hidden weaknesses that may not appear under normal operating conditions.
Challenges #
Designing realistic scenarios, ensuring test isolation, and managing potential disruption to live systems require careful planning.
t‑Threshold Setting #
Definition #
The process of defining numeric or qualitative limits for risk indicators that trigger monitoring actions or escalations.
Example #
Setting a threshold of 5 % deviation from budgeted expenses to generate a management alert.
Practical Application #
Auditors assess whether thresholds are based on sound analysis, are regularly reviewed, and avoid excessive false positives.
Challenges #
Arbitrary thresholds, lack of historical data, and changing business environments can render thresholds ineffective.
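Threshold setting, the failed‑login CRI from the Critical Risk Indicator entry, and the false‑positive problem from the False Positive entry come together in one piece of detection logic. The following is an added example, not from the course; the log format, log lines, threshold and window are all constructed.

```python
"""Critical Risk Indicator: failed-login burst detection over sample auth logs.

Added example, not from the course text. Failed logins are counted per
source within a sliding window and a CRI alert is raised when the count
reaches the threshold. The log format, lines, threshold and window are
constructed for the demonstration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"(?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample: a short burst that stays under threshold (bob), a
# service account hammering the login (svc-backup), a slow one-per-minute
# pattern (carol) and one malformed line that the parser must skip.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z OK user=alice src=10.0.0.5
2024-05-01T09:00:05Z FAIL user=bob src=10.0.0.9
2024-05-01T09:00:07Z FAIL user=bob src=10.0.0.9
2024-05-01T09:00:09Z FAIL user=bob src=10.0.0.9
2024-05-01T09:00:11Z OK user=bob src=10.0.0.9
this line is corrupted and must not crash the detector
2024-05-01T09:10:00Z FAIL user=svc-backup src=10.0.0.20
2024-05-01T09:10:01Z FAIL user=svc-backup src=10.0.0.20
2024-05-01T09:10:02Z FAIL user=svc-backup src=10.0.0.20
2024-05-01T09:10:03Z FAIL user=svc-backup src=10.0.0.20
2024-05-01T09:10:04Z FAIL user=svc-backup src=10.0.0.20
2024-05-01T09:10:05Z FAIL user=svc-backup src=10.0.0.20
2024-05-01T09:30:00Z FAIL user=carol src=10.0.0.7
2024-05-01T09:31:00Z FAIL user=carol src=10.0.0.7
2024-05-01T09:32:00Z FAIL user=carol src=10.0.0.7
2024-05-01T09:33:00Z FAIL user=carol src=10.0.0.7
2024-05-01T09:34:00Z FAIL user=carol src=10.0.0.7
"""


def parse(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Return (timestamp, result, user, src) or None for an unparsable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["result"], m["user"], m["src"]


def detect_cri(log_text: str, threshold: int = 5,
               window: timedelta = timedelta(seconds=60)) -> List[Tuple[datetime, str, int]]:
    """One (timestamp, src, failures_in_window) alert per source per episode.

    An episode ends when the source logs in successfully, so a later burst
    from the same source can alert again without flooding the reviewer.
    """
    recent = defaultdict(deque)  # src -> timestamps of failures still in window
    alerted = set()
    alerts: List[Tuple[datetime, str, int]] = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue  # malformed line: skipped, not fatal
        ts, result, _user, src = rec
        if result != "FAIL":
            alerted.discard(src)
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures that fell out of the sliding window
        if len(q) >= threshold and src not in alerted:
            alerts.append((ts, src, len(q)))
            alerted.add(src)
    return alerts
```

With the default threshold only the service account trips the CRI; it may well be a misconfigured job rather than an intrusion, which is the false positive an auditor checks against actual control failures, while carol's one‑per‑minute failures never accumulate five inside a 60‑second window, illustrating why a single threshold needs review against historical data and is usually paired with a longer window.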
u‑Undertaking Risk Transfer #
Definition #
The practice of shifting risk exposure to another party, typically through contracts, insurance policies, or financial instruments.
Example #
Purchasing cyber‑insurance to cover costs associated with data‑breach remediation.
Practical Application #
Auditors verify that risk‑transfer arrangements are documented, financially sound, and aligned with the organization’s risk appetite.
Challenges #
Mis‑priced premiums, coverage exclusions, and reliance on transfer without underlying risk reduction can create false security.
v‑Vulnerability Management #
Definition #
The systematic process of identifying, evaluating, prioritizing, and mitigating weaknesses in systems, applications, or processes.
Example #
Conducting quarterly scans to discover unpatched software versions on corporate laptops.
Practical Application #
Auditors examine the vulnerability‑management lifecycle to ensure timely remediation and proper documentation of exceptions.
Challenges #
A high volume of findings, limited remediation resources, and the difficulty of tracking remediation across heterogeneous environments complicate the process.
w‑Whistleblower Program #
Definition #
An internal system that enables employees and external parties to confidentially report suspected wrongdoing, fraud, or non‑compliance.
Example #
A secure online portal that allows staff to submit concerns about procurement irregularities anonymously.
Practical Application #
Auditors assess the program’s accessibility, confidentiality safeguards, and effectiveness in prompting investigations.
Challenges #
Fear of retaliation, insufficient awareness, and inadequate follow‑up can discourage reporting and reduce program value.
x‑eXternal Audit Coordination #
Definition #
The collaborative effort between an organization’s internal audit function and external auditors to align scope, share findings, and avoid duplication.
Example #
Coordinating with a regulator’s audit team to share risk assessment results for a banking compliance review.
Practical Application #
Auditors develop joint work plans, exchange documentation, and reconcile differing observations to present a unified view to senior management.
Challenges #
Conflicting timelines, differing methodologies, and confidentiality constraints may impede effective coordination.
y‑Yield Risk Assessment #
Definition #
The evaluation of potential variations in expected returns from an investment or financial product, considering market volatility and credit factors.
Example #
Assessing the yield risk of a bond portfolio when interest rates are projected to rise.
Practical Application #
Auditors review the assumptions used in yield calculations, stress‑test scenarios, and disclosure adequacy in financial reporting.
Challenges #
Complex modeling, reliance on forward‑looking data, and regulatory scrutiny of assumptions increase assessment difficulty.
z‑Zero‑Based Risk Review #
Definition #
A systematic approach that requires each risk to be re‑evaluated from scratch, disregarding prior assessments, to ensure that no outdated assumptions persist.
Example #
Conducting a zero‑based risk review of all third‑party vendor relationships at the start of each fiscal year.
Practical Application #
Auditors facilitate zero‑based reviews to uncover emerging risks, validate the continued relevance of controls, and refresh risk registers.
Challenges #
Zero‑based reviews are resource‑intensive, may overlook low‑frequency risks, and can meet resistance from stakeholders accustomed to incremental updates.