Frequently Asked Questions

What is a risk assessment and how should it be conducted?

A risk assessment can be a valuable tool to help your unit identify, evaluate and prioritize its risks in order to improve decision-making and resource allocation. Harvard’s Institutional Risk Management (IRM) program recommends the process linked below for conducting risk assessments. We are here to consult with and assist in the development and facilitation of risk assessments for all Harvard groups. To learn more or request assistance, please contact Nick Hambridge at or (617...

Read more about What is a risk assessment and how should it be conducted?

What are the objectives of an IT audit?

Audit objectives are developed during the planning stage of an engagement and directly align with the business objectives of the area or process under review. Most engagements focus on ensuring controls are in place to effectively mitigate the risks that could prevent the area or process from accomplishing its business objectives. Auditors also ensure that engagement objectives are consistent with the organization’s objectives in regards to:

Read more about What are the objectives of an IT audit?

What does the audit process look like?

Although every audit is unique, the audit process usually consists of four stages: Planning, Field work, Reporting and (for some audits) Follow-up. Engagement of the client, or the area being audited, is critical at every stage of the audit process. An audit often results in a certain amount of time being diverted from your department’s usual routine. It’s helpful for a client to treat an audit like any other special project and allocate time for you and your staff to participate in the audit process. This minimizes the time necessary for the audit and avoids disrupting ongoing...

Read more about What does the audit process look like?

How are audits selected?

University audits are selected through our Institutional Risk Management process which includes discussion with schools, departments and University management to identify and prioritize operational, financial and compliance risks to the University. A review of industry reports, discussion among peer groups and an understanding of emerging risks or trends informs audit planning and the identification of specific audit projects for the year are chosen based on these assessed risk factors. Additionally, groups or individuals can request audit assistance on a case by case basis. The final...

Read more about How are audits selected?

What is Harvard's Risk Financing Scheme?

Risk financing requires planning and arranging for the sources of funds before loss events occur and then directing the funds offered by these sources, post loss, to assure the desired business recovery objectives as met.

While still in early stages of development, our risk financing scheme has emerged over time from constantly trying to interpret University priorities against these questions:

  1. Is the University taking the right amount of risk?
  2. Is the University taking the right types of risk to achieve its priorities?
  3. Is the University being properly...
Read more about What is Harvard's Risk Financing Scheme?

What is Risk Financing?

At its core, risk financing exists to address one vexing problem: how to align a company’s willingness to take risks with its ability to do so, an exercise best done within the context of one’s organizational objectives. Risk management, of which financing is an integral part, is the set of measurable and sustainable actions for reducing the effect of uncertainty on those objectives. The establishment of measurable metrics is a key step in an organization’s growth toward a fully mature enterprise-wide risk management program.

Every enterprise of any appreciable size, with...

Read more about What is Risk Financing?