KnowledgeLeader Blog

    Risk Assessment Maps and Prioritizing Business Processes

    Posted by Protiviti KnowledgeLeader on Fri, Nov 17, 2017 @ 08:39 AM

    Risk assessment helps identify and document critical business processes and the internal controls within each process. Combined with facilitated management meetings, this approach can help gain company-wide consensus by including key process owners in risk and controls analysis.

    Here, we’ll present instructions, a sample risk universe from which management can select the 15 most critical business processes (this can be customized for each business and industry), and a sample risk map explaining the concept of plotting risks according to importance to business/financial performance and likelihood of process/control weakness.

    Risk Assessment Instructions


    This step in a risk assessment is to help identify and document your critical business processes and the internal controls within each process. It will help rank and prioritize processes. Combined with facilitated management meetings, this approach will help you gain company-wide consensus by including key process owners throughout corporate processes.


    The objective of this step is to identify and prioritize the processes most critical to the business. To do this, identify what you feel are the 15 most critical processes to the business and rank them against pre-defined criteria (see below). Several other management team members will do this as well. Your list will be combined with those of your peers to create a company-wide list and ranking for discussion purposes. Within the next two weeks, the internal audit group will facilitate a group meeting to review and discuss the results and gain consensus on a final process list and ranking. Over the coming months, the internal audit group will document the processes and controls for each critical process, along with opportunities for control enhancements.

    Process Universe

    Create a list of the primary business processes of the company. This will be your process universe and will serve as a basis for you to select your 15 critical processes. Below is a starting point for your list.

    Risk Maps

    To rank the critical processes, rank each by 1) importance to business/financial performance and 2) likelihood of process/control weakness, and document your results in a risk map. A sample risk map and ranking are below.

    Action Items (Estimated Completion Time = 30 Minutes)

    1. Identify the 15 most critical processes to the business.
    2. Plot each process in the risk map as per the instructions above.
    3. Deliver or email your completed results to [Internal Audit/Risk Control Group/Finance]

    Process Universe

    The following is a sample list of the primary business processes that should be identified for prioritizing risk throughout the organization. (This list can be customized for different business lines and industries.)

    Sales & Marketing

    • Contract Sales
      • Sales Ops Review
      • Finance Review
      • Legal Review
      • Engineering Review
      • Operations Review
    • Ad-Hoc Sales
    • Product Marketing
    • Product Development
    • Sales Commissions
    • Inventory Management

    Human Resources

    • Hiring
      • Non-Standard Employee Agreements
    • Employee Benefits Management
    • Termination
    • Staffing Analysis (i.e., Manpower Levels)
    • Compensation Review
    • Workers' Compensation Mgmt/Claims Processing
    • Employee Annual Review
    • Training & Development
    • Employee Communication
      • Feedback
      • Survey
    • Employee Loans


    • Procurement
      • Manufacturing Quality
      • Vendor Management (i.e., competitive bidding, preferred suppliers)
    • Testing & Control
    • Health Assessments
    • Regulatory Compliance (i.e., OSHA)

    Information Systems

    • IT Strategy/Planning
    • Systems Implementation & Integration
      • Project Management
      • Software Selection
      • Software Development
    • IT Systems Maintenance
      • Financial (JDE, ADP, CID, RMS)
      • HR (JDE HR)
      • CRM
      • Business (Paskey, IMS, Web, Paspro)
    • Network Administration
      • Security/Privacy
    • Business Continuity Planning
      • Disaster Recovery Planning
    • Information/Records Management
    • Help Desk

    Finance & Accounting

    • Accounts Payable
    • Accounts Receivable/Billing
    • Capital Exp Approval
    • Non-Capital Purchasing
    • Fixed Assets
    • Budgeting & Forecasting
    • Closing the Books/Accounting
      • Account Reconciliation
      • Account Analysis
      • Accruals
    • Internal Reporting
    • External Reporting
    • Tax
    • Travel & Expense Reporting
    • Treasury
      • Debt/Financial Structure
      • Cash Management
      • FX/Derivatives/Hedging
      • Banking Relationships
      • Insurance
    • Credit & Collections
    • Payroll

    Management & Board

    • Board/Committee Meetings
    • Executive/Management Team Meetings
    • Corporate Governance
      • Authority/Approval Matrix
      • Disclosure Controls Documentation Process

    Customer Management

    • Technical Support
      • Problem Resolution & Tracking
    • Customer Service


    • Contract Approval
    • Litigation Management
    • Intellectual Property
    • Whistle Blower

    Corporate Development

    • Third-Party Alliances/Partnerships
    • Mergers & Acquisitions

    Infrastructure & Other

    • Facilities Management
    • Physical Security
    • Physical Records Management
    • Corporate Communications
      • Investor Relations
      • Public Relations
    • Receiving
    • Distribution/Logistics
    • Telecommunications
    • Network Management

    Sample List & Risk Map

    The following list contains a sample of 15 critical processes. Each process is mapped by importance to business/financial performance and likelihood of a process/control weakness.





    This content was taken from KnowledgeLeader’s Risk Assessment Map and Guide.

    KnowledgeLeader also has dozens of risk and control matrices by business process.  Each contains an extensive list of possible risks and controls to mitigate those risks.



    Topics: Enterprise Risk Management, Risk Assessment, Governance, Risk & Compliance
