1. Understand the business.
2. Develop a detailed understanding of the goals of the organisation. Such goals start from the overall organisational goals and are drilled down to goals for each function within a business cycle.
3. Conduct detailed Q&A sessions with the various stakeholders in top management to identify the tone at the top on aspects surrounding risk appetite, governance, ethics, etc., and draw up a charter which clearly establishes the overall organisation's policy towards risk management.
4. Once the overall risk management is defined, a detailed scoping is carried out to identify the material financial captions in the entity's financial statements. Materiality is fixed based on management's acceptable financial deviations. Based on the scoping exercise, a detailed understanding is developed of the existing key business processes and the controls in place to mitigate financial risks.
5. Process narratives/flows are developed to chronologically map the sequence of key activities, processes and procedures for each key business cycle.
6. A risk and control mapping is carried out and documented in each business cycle's risk and control matrix.
7. Gaps, if any, identified through walk-throughs are discussed and controls are designed in consensus with the management to mitigate risks.
8. Ensure the designed controls are adequate to cover the risks in line with the risk management policy of the organisation.
9. In concurrence with top management, assign the roles and responsibilities of each stakeholder in the respective business cycle/area and ensure the controls are clearly communicated to such stakeholders.