People undertake risk management activities to identify, assess, manage, and control
all kinds of events or situations. These can range from single projects or narrowly
defined types of risk, e.g. market risk, to the threats and opportunities facing the
organization as a whole. The principles presented in this paper can be used to guide the
involvement of internal auditing in all forms of risk management but we are particularly
interested in enterprise-wide risk management because this is likely to improve an
organization’s governance processes