
Risk management & internal control

Organisations must understand and balance their risks and opportunities.

Many organisations that try to develop their risk frameworks find that they are not fully effective at driving cohesive risk identification, monitoring and reporting. This limits their ability to use risk thinking to drive business decisions.

The Committee of Sponsoring Organisations of the Treadway Commission (COSO) provides standards on Enterprise Risk Management (ERM), internal control and fraud deterrence. ERM has been around for a long time, but many organisations have struggled to understand it or genuinely embrace it.

Organisations also need to make sure that controls are in place to match the risks a company is willing to take, without allowing the costs of controls to outweigh the benefits.

They should evaluate their current risk frameworks, and develop and embed their risk thinking, taking the following into consideration:

  • The alignment between business strategy and a clearly defined risk appetite
  • The identification and response to key risks that may affect their ability to achieve their strategic objectives
  • The assessment of risks to enhance strategic decisions
  • The monitoring, management and reporting on risks and changes in the risk profile
  • The effectiveness of their risk culture
  • The nature and effectiveness of different levels of assurance
  • The adequacy of internal controls.

How Grant Thornton can help you

At Grant Thornton, we work with organisations of all sizes and sectors to help them develop and embed their risk thinking. We support them in connecting risk thinking with their business or strategic objectives as well as their day-to-day management activity.

Our services include:

  • facilitating risk workshops to identify key risks, judge their impact and likelihood and assist in articulating risk appetite and risk tolerance
  • an independent review of your risks, internal control frameworks and risk functions, with input drawn from shared good practice
  • advice on risk identification, monitoring and reporting
  • assurance mapping, to identify and evaluate different sources of assurance and the “three lines of defence”
  • documenting processes and internal control testing
  • Sarbanes-Oxley (SOX) testing
  • advice on corporate governance structures.