KnowledgeLeader Blog

Risk Assessment Maps and Prioritizing Business Processes

Posted by Protiviti KnowledgeLeader on Fri, Nov 17, 2017 @ 08:39 AM

Risk assessment helps identify and document critical business processes and the internal controls within each process. Combined with facilitated management meetings, this approach can help gain company-wide consensus by including key process owners in risk and controls analysis.

Here, we’ll present instructions, a sample risk universe from which management can select the 15 most critical business processes (this can be customized for each business and industry), and a sample risk map explaining the concept of plotting risks according to importance to business/financial performance and likelihood of process/control weakness.

Risk Assessment Instructions


This step in a risk assessment helps you identify and document your critical business processes and the internal controls within each process. It will also help you rank and prioritize those processes. Combined with facilitated management meetings, this approach will help you gain company-wide consensus by including key process owners throughout corporate processes.


The objective of this step is to identify and prioritize the processes most critical to the business. To do this, identify what you feel are the 15 most critical processes to the business and rank them against the pre-defined criteria (see below). Several other management team members will do this as well. Your list will be combined with those of your peers to create a company-wide list and ranking for discussion purposes. Within the next two weeks, the internal audit group will facilitate a group meeting to review and discuss the results and gain consensus on a final process list and ranking. Over the coming months, the internal audit group will document the processes and controls for each critical process, along with opportunities for control enhancements.

Process Universe

Create a list of the primary business processes of the company. This will be your process universe and will serve as a basis for you to select your 15 critical processes. Below is a starting point for your list.

Risk Maps

To rank the critical processes, rank each by 1) importance to business/financial performance and 2) likelihood of process/control weakness, and document your results in a risk map. A sample risk map and ranking are below.

Action Items (Estimated Completion Time = 30 Minutes)

  1. Identify the 15 most critical processes to the business.
  2. Plot each process in the risk map as per the instructions above.
  3. Deliver or email your completed results to [Internal Audit/Risk Control Group/Finance]

Process Universe

The following is a sample list of the primary business processes that should be identified for prioritizing risk throughout the organization. (This list can be customized for different business lines and industries.)

Sales & Marketing

  • Contract Sales
    • Sales Ops Review
    • Finance Review
    • Legal Review
    • Engineering Review
    • Operations Review
  • Ad-Hoc Sales
  • Product Marketing
  • Product Development
  • Sales Commissions
  • Inventory Management

Human Resources

  • Hiring
    • Non-Standard Employee Agreements
  • Employee Benefits Management
  • Termination
  • Staffing Analysis (i.e., Manpower Levels)
  • Compensation Review
  • Workers Compensation Mgmt/Claims Processing
  • Employee Annual Review
  • Training & Development
  • Employee Communication
    • Feedback
    • Survey
  • Employee Loans


  • Procurement
    • Manufacturing Quality
    • Vendor Management (i.e., competitive bidding, preferred suppliers)
  • Testing & Control
  • Health Assessments
  • Regulatory Compliance (i.e., OSHA)

Information Systems

  • IT Strategy/Planning
  • Systems Implementation & Integration
    • Project Management
    • Software Selection
    • Software Development
  • IT Systems Maintenance
    • Financial (JDE, ADP, CID, RMS)
    • HR (JDE HR)
    • CRM
    • Business (Paskey, IMS, Web, Paspro)
  • Network Administration
    • Security/Privacy
  • Business Continuity Planning
    • Disaster Recovery Planning
  • Information/Records Management
  • Help Desk

Finance & Accounting

  • Accounts Payable
  • Accounts Receivable/Billing
  • Capital Exp Approval
  • Non-Capital Purchasing
  • Fixed Assets
  • Budgeting & Forecasting
  • Closing the Books/Accounting
    • Account Reconciliation
    • Account Analysis
    • Accruals
  • Internal Reporting
  • External Reporting
  • Tax
  • Travel & Expense Reporting
  • Treasury
    • Debt/Financial Structure
    • Cash Management
    • FX/Derivatives/Hedging
    • Banking Relationships
    • Insurance
  • Credit & Collections
  • Payroll

Management & Board

  • Board/Committee Meetings
  • Executive/Management Team Meetings
  • Corporate Governance
    • Authority/Approval Matrix
    • Disclosure Controls Documentation Process

Customer Management

  • Technical Support
    • Problem Resolution & Tracking
  • Customer Service


  • Contract Approval
  • Litigation Management
  • Intellectual Property
  • Whistle Blower

Corporate Development

  • Third-Party Alliances/Partnerships
  • Mergers & Acquisitions

Infrastructure & Other

  • Facilities Management
  • Physical Security
  • Physical Records Management
  • Corporate Communications
    • Investor Relations
    • Public Relations
  • Receiving
  • Distribution/Logistics
  • Telecommunications
  • Network Management

Sample List & Risk Map

The following list contains a sample of 15 critical processes. Each process is mapped by importance to business/financial performance and likelihood of a process/control weakness.





This content was taken from KnowledgeLeader’s Risk Assessment Map and Guide.

KnowledgeLeader also has dozens of risk and control matrices by business process.  Each contains an extensive list of possible risks and controls to mitigate those risks.



Topics: Enterprise Risk Management, Risk Assessment, Governance, Risk & Compliance
