Loop: Audit > Risk Assessment > Risk Management > Repeat
Cycle Overview
This cycle represents how audits, risk assessments, and risk management feed into one another.
It is not a straight line but a continuous loop.
ASCII Loop Diagram
┌──────────────────────────┐
│          AUDIT           │
│     "Test & Verify"      │
│     Current Controls     │
└────────────┬─────────────┘
             │ Findings & Evidence
             ▼
┌──────────────────────────┐
│     RISK ASSESSMENT      │
│   "Identify & Analyze"   │
│ Risks, Impact, Likelihood│
└────────────┬─────────────┘
             │ Prioritized Risks
             ▼
┌──────────────────────────┐
│     RISK MANAGEMENT      │
│      "Decide & Act"      │
│  Mitigate | Transfer |   │
│     Avoid | Accept       │
└────────────┬─────────────┘
             │ Implemented Controls
             ▼
┌──────────────────────────┐
│          AUDIT           │
│       "Test Again"       │
└──────────────────────────┘
Stage Definitions
Audit
- Validates the effectiveness of current controls.
- Relies on evidence provided by process owners.
- Considered a current-state risk assessment tool.
- May include recommendations for improvement, but these are not mandatory.
Risk Assessment
- Identify and analyze risks.
- Focuses on threats, vulnerabilities, likelihood, and impact.
- Produces a prioritized risk register.
- Purely diagnostic: does not decide on responses.
Risk Management
- Decide and act on risks.
- Determines responses: Mitigate, Transfer, Avoid, Accept.
- Implements new or updated controls.
- Strategic and action-oriented.
Summary Flow
- Audit checks effectiveness of existing controls.
- Findings feed into Risk Assessment for deeper analysis.
- Risk Management decides how to respond and implements changes.
- New or modified controls are subject to the next Audit, closing the loop.
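The loop above, modelled end to end as a small Python script. This is an added example, not part of the original page: the 1-5 likelihood and impact scale, the score thresholds that pick a response, the rule that a failed control raises likelihood by one, and the sample risks and controls are all constructed assumptions. The one thing it is built to show is the last bullet: a control that Risk Management adds has no evidence yet, so the next Audit lists it as a finding rather than silently trusting it.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Response(Enum):
    MITIGATE = "Mitigate"
    TRANSFER = "Transfer"
    AVOID = "Avoid"
    ACCEPT = "Accept"


@dataclass
class Control:
    name: str
    evidence_ok: bool = False  # True only once the process owner has supplied working evidence


@dataclass
class Risk:
    name: str
    likelihood: int            # 1 (rare) .. 5 (almost certain); scale is an assumption
    impact: int                # 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)
    response: Optional[Response] = None

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def audit(risks):
    """AUDIT: test current controls; findings are the controls that lack evidence."""
    findings = {}
    for r in risks:
        failing = [c.name for c in r.controls if not c.evidence_ok]
        if failing:
            findings[r.name] = failing
    return findings


def assess(risks, findings):
    """RISK ASSESSMENT: fold audit findings into likelihood, then prioritize.
    Assumed rule: each control that failed verification raises likelihood by one (capped at 5).
    Purely diagnostic: no response is chosen here."""
    for r in risks:
        if r.name in findings:
            r.likelihood = min(5, r.likelihood + len(findings[r.name]))
    return sorted(risks, key=lambda r: r.score, reverse=True)


def manage(register, accept_below=5, avoid_at=20):
    """RISK MANAGEMENT: choose Mitigate / Transfer / Avoid / Accept for each risk.
    Thresholds are assumptions. Mitigation adds a compensating control whose
    evidence is still pending, so the next audit has to verify it."""
    for r in register:
        if r.score >= avoid_at:
            r.response = Response.AVOID
        elif r.score < accept_below:
            r.response = Response.ACCEPT
        elif r.impact >= 4 and r.likelihood <= 2:
            r.response = Response.TRANSFER  # rare but severe: shift it (e.g. insure)
        else:
            r.response = Response.MITIGATE
            r.controls.append(Control(f"compensating-{r.name}"))  # untested as yet
    return register


def run_cycle(risks):
    """One full loop: audit -> assess -> manage -> audit again (closing the loop)."""
    findings = audit(risks)
    register = assess(risks, findings)
    manage(register)
    return register, audit(register)


# Constructed sample register (hypothetical risks and controls, not real data).
SAMPLE = [
    Risk("phishing", 3, 4, [Control("mfa", True), Control("awareness-training")]),
    Risk("datacenter-flood", 1, 5, [Control("offsite-backup", True)]),
    Risk("stale-test-accounts", 2, 2, [Control("quarterly-access-review")]),
    Risk("unpatched-legacy-app", 4, 5, []),
    Risk("visitor-tailgating", 1, 2, [Control("visitor-log", True)]),
]

if __name__ == "__main__":
    register, next_findings = run_cycle(SAMPLE)
    for r in register:
        print(f"{r.name:22} score={r.score:2} response={r.response.value}")
    print("next audit must verify:", next_findings)
```

Running it prints the prioritized register with a response per risk, then the findings the second audit raises: the two controls that already lacked evidence plus the two compensating controls that Risk Management just added. That second list is the loop closing; a real programme would track those pending controls until an audit produces evidence for them.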