An IT auditor is involved in a project meeting and notices that no project risks have been identified. When the IT auditor highlights the issue, the project manager states that no risks currently exist and that, if any risks are identified, a risk manager will be assigned to the project. What is the proper response in this scenario?
Inform the project manager that the IS auditor will conduct an assessment of the risk at the completion of the requirements definition phase of the project.
Accept the project manager's position as the project manager is ultimately responsible for the outcome of the project.
Stress the importance of spending time at this point in the project to consider and document risk, and to develop contingency plans.
Offer to coordinate and contribute with the risk manager when one is appointed.
The majority of project risk can typically be identified before a project begins, allowing mitigation/avoidance plans to be put in place to deal with this risk. A project should have a clear link back to corporate strategy and tactical plans to support this strategy. The process of setting corporate strategy, setting objectives and developing tactical plans should include the consideration of risk. Appointing a risk manager is a good practice, but waiting until the project has been impacted by risk is misguided. Risk management needs to be forward-looking; allowing risk to evolve into issues that adversely impact the project represents a failure of risk management. With or without a risk manager, persons within and outside of the project team need to be consulted and encouraged to comment when they believe new risk has emerged or risk priorities have changed. The IS auditor has an obligation to the project sponsor and the organization to advise on appropriate project management practices. Waiting for the possible appointment of a risk manager represents an unnecessary and dangerous delay to implementing risk management.