According to , page 9, one of the current trends in auditing, risk management and compliance is “shifting from auditing people to auditing processes”. This means that internal auditors focus more on how well an organization’s processes are designed and implemented to achieve its objectives and manage its risks.

Risk management ensures that value is created by identifying opportunities for investment, mergers, or acquisition. Risk management helps to assess the potential benefits, costs, and risks of different options and make informed decisions.

Risk management is a process with inputs, activities, and outcomes1. The inputs are the organization’s context and risk criteria. The activities are risk identification, analysis, evaluation, and treatment. The outcomes are improved decision making, performance, and resilience.

According to ISO 31000:2018, a risk management framework consists of four critical elements: design (B), implement (D), evaluate (E) and improve (F)5. These elements guide an organization in integrating risk management into all functions and processes.

According to 3, a captive insurance company is “a wholly owned subsidiary insurer that provides risk mitigation services for its parent company or related entities”. It can act as a reinsurer by accepting risks from other insurers or captives 1. It can also access reinsurance markets to transfer some of its own risks 1. It can sometimes offer greater cover than is available in the insurance market by tailoring its policies to suit its parent’s needs 3. It does not have to be located in the same country as its parent company; in fact, many captives are domiciled offshore for tax or regulatory reasons 4.

Risk management takes human and cultural factors into account1. Human factors include perception, judgment, behavior, and communication that influence risk management. Cultural factors include values, beliefs, norms, and expectations that shape the organization’s risk culture.

A fire occurring in a new manufacturing process line is an example of a pure risk, which is a situation that can only end in a loss12. For example, the fire could damage property, injure workers or disrupt operations.