Richard Chambers has shared his valuable insights in another post. In Europe’s Internal Auditors Are Already Identifying the Risks for 2021 he makes a number of excellent observations, especially his opening paragraph.
Can you assess the overall system of internal controls without considering risk management? I don’t think so, and neither does COSO. That is why there is a risk component in their internal control framework.
This is a ‘risk management’ challenge. What are the parents’ objectives and how would you go about assessing whether the likelihood of achieving them is acceptable and, if not, what actions to take?