Risk audit is the examination and documentation of the effectiveness of risk responses in dealing with identified risk and their root causes, as well as the effectiveness of the risk management process.
Conducting a risk audit is an essential component of developing an event management plan. A risk audit involves identifying and assessing all risks so that a plan can be put in place to deal with any occurrence of any undesirable event which causes harm to people or detriment to the organization.
Some companies use “review” rather than “audit”.
Performing a project risk audit can ensure that your project stays on track and on budget. Project risk audits are often performed throughout the project to ensure that the project stays on track and remains healthy. The goal of the audit is to ensure that each process is doing what it’s supposed to be doing. These audits need to be objective since the project’s well-being may be at stake.
The project manager is responsible for ensuring that risk audits are performed at an appropriate frequency, as defined in the project’s risk management plan. Risk audits may be included during routine project review meetings, or the team may choose to hold separate risk audit meetings. The format for the audit and its objectives should be clearly defined before the audit is conducted.
A risk audit can involve:
- checking for possible hazards;
- observing other similar projects to see how participants are likely to interact with the event environment;
- reviewing Project management systems, policies and procedures and ensuring they are up to date;
- interviewing Project personnel to check whether they have received appropriate training.
The first step in project risk audits is to assign someone to take on the role of project auditor. Ideally, the project manager would be in charge of this. If that person cannot be objective, or if the stakeholders are really relying on this project, you have the option to hire an external auditor or audit company.
- Deciding the Risk Auditor
Interviewing Team Members Once you have decided who will be the risk auditor, it’s time to begin. First, make a list of the people who will be interviewed during the audit. Usually, that list will include the project manager, stakeholders, and project team. If others are involved in the process, however, you may have to interview them as well such as any outside resources you've employed.
The provision of training to event staff (and volunteers) is a critical element in risk management. It is a dangerous situation to presume that procedures have been read and that people will know what to do in an emergency. Ultimately the buck stops with the Project Manager and therefore it is a reasonable use of the Project Manager's time to have meetings with Project Staff, either individually or in groups, to determine their knowledge of procedure.
Critical Success Factors Next, come up with a scoring system to determine how well the processes are working. This can include a range of 1 to 10 or excellent to inadequate. Features to be checked include how well internal controls are working, how well the oversight process is working, how fast tasks are being completed, how budgetary constraints are being met, and utilization of human and material resources.
There are some standard factors that are critical for a successful project. These can include the following: project organization, project planning, meeting of established milestones, how well the project is controlled, how well being dealt with, resource management, dealing with scope, and testing. Part of the audit will be to check and see if these critical success factors are being met.
Gathering Evidence Now, it’s time to gather your evidence. Schedule interviews with team members, project managers, and stakeholders separately so that they don’t influence each other. Conduct the interviews as close together as possible so that individuals don’t have time to discuss questions and compare answers with other team members. This could contaminate the evidence. Try to complete this part of the evidence gathering within the first five days or 20 hours. While many project risk audits can take nearly 20 days to complete, you still want to try to get as little cross-contamination as possible.
Analyzing Evidence and Creating a Report Next, you need to thoroughly analyze the evidence and compare that evidence to timelines, goals, and objectives. Reviewing where the project should be to where it actually is will help you determine if the project is on track. Once you have analyzed the data, you must now prepare your findings and come up with recommendations to improve the processes. A report should be written thoroughly detailing your findings so that everyone can see the results and understand what needs to be done if the project is found to be off-track.
Follow-up Audits Once the initial project risk audit has taken place, you may want to conduct follow-up audits. These shouldn’t be as intense as the initial phase, but they should verify that recommendations made are being followed and implemented.