An auditor’s top tips for managing risk

27 Jul 18

Effective risk management drives good decision making, but there should be a greater focus on the quality of discussions than the quality of documents, says audit manager Gurpreet Dulay.

Over a decade of auditing public sector organisations, I have reviewed hundreds of risk registers — but reading about the many challenges we face in Public Finance prompts me to ask whether risk is being managed in the organisations I work with.

It is fascinating to note that while the core activities of any given hospital or council are similar, each risk register will be very different. There is vast diversity in how risks are perceived.

When you break it down, the art of risk management is finding an effective way of identifying, assessing and making decisions to manage concerns and opportunities.

However, as with any theoretical framework, risk registers can simplify how the reality is represented. This is why they are often seen as a necessary evil, resulting in a lack of engagement from the outset.

Does risk appear at the end of your agenda? Does it lead to a discussion that always concludes ‘We don’t have enough resources/money?’ Is the focus on risk scores, and not concrete actions to mitigate them? These are all common experiences — the challenge is how to improve your approach.

Over the past year I have run a number of risk workshops, and here are my top six tips:
1. Can your full council or board all name the top 10 risks you face and what is being done about them? A diversity of views should be encouraged but, equally, consistency needs to be valued. Having a board that has a coherent understanding of the key challenges is a powerful means of ensuring discussions are focused.

2. Action. The whole purpose of risk registers is to inform decision making to then drive the right decisions. If a risk does not have a specific and measurable action by which someone can be held to account, then this needs to be looked at again.

3. What will stop you achieving a particular objective? This is the critical question. When assessing corporate-level risks, you need to ask this question.

4. Well-structured risk registers do not automatically lead to well-managed risk. While the tool (the risk register, in this case) is important to drive discussion, it is the discussion itself that is key. Does everyone understand the risk and the mitigating controls you have identified, including their relative strengths? Driving this discussion will significantly improve scrutiny.

5. What’s the root cause? When identifying a risk, many people are good at stating its consequences without being clear about what could cause it, and that lack of clarity impedes decision making.

6. Time. Not having time to focus on risk is a common problem. I see this as an “invest to save” task. Focused debate about an effective risk register saves time and improves governance.
The future will shine a stronger light on risk. In the NHS, for example, the Care Quality Commission (CQC) added a fifth aspect to their inspection of all trusts in 2014 called “Well-Led”, which analyses the leadership and organisational culture of providers.

This year, the Well-Led domain was extended from five to eight lines of enquiry and now specifically focuses on whether “clear and effective processes for managing risks” are in place.

This will force trusts to demonstrate to the regulator how effective they are at managing risk, requiring senior officials to invest time in reassessing whether risk frameworks are well understood and whether all relevant ward issues make it to board discussions.

My experience is that the local government sector is less risk mature than the NHS, and such lessons apply to both sectors.

I have found that most progress in risk discussion comes from workshops challenging the status quo.

I regularly advise colleagues not to make an industry out of risk management and that their key focus should be on the quality of discussion, not the quality of documents.

  • Gurpreet Dulay

    Public sector audit manager with BDO. He writes in a personal capacity.