Risks review and risks audit are different activities and have different purposes. Yet people often confuse these processes. Moreover, risks review is performed far more often, while risks audit is at least as much important. In fact, during project these processes should be performed simateneously and iteratively.
The main purpose of risks reviewing is to identify new risks, reassess risks likelihood, impact and urgency, and to check if risk triggers have appeared. In other words, we should answer the following questions
- Are there new risks due to changes to the project schedule, budget, requirements etc. ?
- Is our assessment of risk probabilities, impacts and urgency still actual? Do we need to revise?
- Have the risk triggers occurred yet?
- Do we have to change risks response plan as a result of changes to the project schedule, budget, requirements etc. ?
Risks audit, on the other hand, is the process of revising risk management activities. Its main objective is to ensure that we are effectively performing risk management.