Department of Internal Audit and Compliance

I understand that Internal Audit will help me manage the risks in the area.  So what exactly is a "business risk"?

A business risk is anything that could jeopardize achieving your goals, operating effectively and efficiently, protecting the University’s assets from loss, providing reliable financial data, and complying with applicable laws, policies, and procedures.

When attempting to identify business risks, ask yourself:

• What could go wrong?
• How could someone steal from us?
• What policies are we most affected by?
• How can someone bypass the internal controls?

What could go wrong in your area?  Could a fire break out in your research lab?  Could a key local system/application go down?  Can a key employee call in sick?  Can the media become aware of procurement card fraud?  Could a safety or security incident occur with faculty/student/staff member overseas?  Is cash missing from departmental funds?  Can faculty hire family members inappropriately?  Use your imagination!

It is not enough to identify the business risks – each risk needs to also be assessed.  In other words, you should estimate the chance that a risk will actually occur and the potential effect/impact.

All types of risk could be foreseeable when considering compliance with federal regulations.  In the IT arena, security, privacy, and access risks should be considered.  Disaster recovery planning should consider risks such as a flu outbreak or incidents like the tragedy at Virginia Tech.  Functional areas that deal with student, faculty, and employment safety issues should consider stress, counseling, and workplace violence risks.  And facilities and construction management processes should consider risks in managing and monitoring building construction.


Last Updated: 6/26/15