Not easily quantifiable risks and internal audit assurance

AIRMIC CEO, Julie Graham, famously said “burn your risk register” at the Chartered Institute’s flagship conference in 2023. She warned that a risk register can be dangerous to use as the basis of an audit plan if it’s only updated once or twice a year. Risks are dynamic, not static.

Risk management assurance is fundamental to internal audit activities: it covers both how individual risks are managed and the risk framework itself.

Well executed, it should be the backbone of organisational success. But what does good look like in today’s continually changing environment?

In this article we take a look at those risks that are not easily quantifiable - often emerging and complex - and consider what good looks like from an assurance perspective.

What is an NEQ (Not easily quantifiable) risk?

NEQ risks are those risks which have very little reliable data associated with them, which makes traditional modelling and assessment challenging. They are often, but not exclusively, emerging risks. Probability statistics cannot be assigned. NEQs can be characterised as having a high degree of uncertainty, as being impactful over a long-term horizon, or as being low-frequency (hard to predict) but high-impact events. Examples include emerging risks, climate change, geopolitics, reputational damage and strategic concerns.

This lack of data means that NEQs can easily hide in plain sight. They are known but perhaps not documented, discussed or managed except via indirect actions that address other risks.

NEQs in the risk framework

An established risk framework, such as ISO 31000 shown in the image below, places emphasis on risk assessment. Is it possible for NEQ risks to fit into this framework?

Any assurance of the risk framework should consider its ability to adapt to different aspects of risk, especially where there is high volatility or uncertainty.

NEQ risks can be assessed, included on a risk…