What’s the Difference Between a Risk Audit and a Risk Review?
By J. LeRoy Ward, PMP, PgMP, PfMP, CSM, GWCPM, SCPM | Executive Vice President – Enterprise Solutions, IIL
Don’t answer that. I already know. Not a darn thing, or at least there shouldn’t be.
In my experience, both have been used, are currently being used, and will probably always be used to mean the same thing by the many companies I’ve worked with in my forty plus years in project management. Some companies use “review” rather than “audit” because the latter scares folks.
Who really wants to be audited? No one of sound mind that I know, and I should know.
I worked for the Federal Government for almost seventeen years on some very controversial programs in Indian Country which were constantly being subjected to audits. These programs were audited by the Government Accountability Office or GAO (formerly named the Government Accounting Office), the Inspector General of the Department of the Interior, Congressional audit staff (then-current investigators from the FBI on-loan to Congress), and a host of other “interested parties.”
Their job was to ferret out “waste, fraud, and abuse” and they did their best to find all three. In all programs on which I was working, they just found “waste,” meaning we didn’t do things as perfectly as they thought they should have been done. While you could argue (in writing), it didn’t do much good. They always had the final opportunity to write their rebuttals. After all, they published the reports.
Audits in the corporate world may not be as scary, but no one likes them there either. Why put people on the defensive when all they’re trying to do is a good job under difficult circumstances? That’s why I noticed early on in corporate life, that the word review was much more popular than audit, and not just here in the United States where I live and work.
Review wasn’t just a euphemism employed by companies to hide a more unpleasant activity. PMOs and others used it to create a culture of collaboration and to show they were just trying to be helpful to the project managers they oversaw or had some accountability for.
This is why I have mixed feelings about the Monitor Risks: Tools and Techniques (formerly Control Risk) section in the Project Risk Management knowledge area in the Exposure Draft of the PMBOK® Guide—6th Edition (I know I’m getting a bit geeky on you here). I was very glad to see that the authors included a new T&T called Risk Review but less glad to see that they retained the term Risk Audit from the 5th and current edition of the PMBOK® Guide.
Let me explain. Essentially, they took the definition of Risk Audits from the 5th edition, took out the part about reviewing individual risk responses and placed it under Risk Reviews, and left the part about whether the project team was following the risk process under Risk Audits.
Personally, I would have left the current definition and just changed the title from Risk Audits to Risk Reviews.
What’s your view?
Related Courses from IIL:
- Advanced Project Risk Management
- Risk Management for IT Professionals
- Prep Course for PMI’s Risk Management Professional (PMI-RMP)® Certification Exam
J. LeRoy Ward is a highly respected consultant and adviser to Global Fortune 500 Corporations and government agencies in the areas of project, program and portfolio management. With more than 38 years of government and private sector experience, LeRoy specializes in working with senior executives to understand their role in project and program sponsorship, governance, portfolio management and the strategic execution of projects and programs.