INTOSAI Development Initiative

Supporting effective, accountable and inclusive Supreme Audit Institutions



What is the initiative about?

Since the onset of the coronavirus pandemic, many SAIs have had to realize that they were not adequately prepared for disruptions and crises. The lack of functioning crisis management procedures made disruptions to SAI work more pronounced, potentially undermining their relevance in ensuring accountability. Despite previous experience, many SAIs also face outdated and ineffective risk management procedures. Often, their risk management procedures do not adequately capture current risks that are aggravated by the pandemic, such as a lack of human and financial resources, or the risks of digitization.

These challenges to SAIs have led IDI to develop and roll out a new initiative, focussing on establishing and improving risk and crisis management processes that help SAIs face future disruptions and strengthen their position in the accountability system of their respective countries.

What do we have in the initiative?



The initiative consists of 3 components covering Risk, Crisis, and Business Continuity for SAIs. We are following ISO Standards for these 3 components.

Risk Management is a continuous approach to safeguard the organization by managing risks for SAIs. We are following industry standards, setting up principles, processes, and a framework from ISO 31000, to establish Risk Management practices at SAIs.


Crisis Management is the application of strategies, following the ISO 22361 standard, designed to help an organization deal with a sudden and significant negative event.


Business Continuity, following the ISO 22301 standard, makes it possible to reassure auditees, Parliament, Government, the public and all other stakeholders that the SAI has sound systems and processes in place to operate.


Zooming in on Risk Management


Risk management is a condition for SAI performance and as such supports a robust strategy and effective operational plan. Like any other private or public organisation, Supreme Audit Institutions (SAIs) are not immune from disruption and are exposed to risks.

The SAI strategy and the operational plan are based on assumptions, so it is important that they are designed with the risks they entail in mind. By doing so, the SAI will be better prepared. This will build the SAI's resilience and further improve its performance.

The goal is to reduce the likelihood and impact of negative events, lost opportunities, and surprises and increase the probability that the objectives of the SAI will be met to maximize its performance.


With the modular approach, IDI envisions helping SAIs understand the importance of organization-wide implementation and practice of a Risk Management framework. The approach covers critical components such as Risk Management Policy, Risk Identification, Risk Assessment, Risk Treatment, Risk Reporting and, of course, ensuring that the risk management process performs at an optimum level for the SAI. From the participants' point of view, it is critical to ensure the necessary commitment to practically implement the learnings (i.e., Risk Management Policy, Risk Assessment, and Reporting) in the SAI, so that the SAI benefits from the initiative.


Risk Management Rollout Plan in ASOSAI


  • How: F2F Workshop and online event
  • When: F2F Workshop from 25 to 29 March 2024
  • Where: We will finalize the venue based on the participating SAIs
  • Who: 5 SAIs (2 participants from each SAI) (IDI will bear the cost of participation)
  • Participants: 1 participant should have the primary role for risk management in the SAI, and the other participant may be a potential shadow of that primary role for risk management.
  • Exception: We may look into the possibility of adding other SAIs that want to invest in their own participation (if there are interested SAIs).

Expectation from the participant SAIs: Once the learning phase is over, we expect each participant SAI to develop a risk management process and to ensure periodic risk assessment and reporting; eventually, risk reporting should be an integral part of the SAI’s annual report. We will work closely with participant SAIs (if needed), and will follow up on and monitor the practical implementation of this risk management process at the SAI.

Selection Criteria to identify 5 SAIs


  • SAIs which have some identified role to work with organizational risks.
  • SAIs which are at the initial stage of implementing the Risk Management process or demonstrate a strong commitment to start Risk Management Process for the organization.
  • Interested SAIs need to share a small writeup with IDI (by email, by 14 Dec 2023) explaining their relevance to participate in the initiative, along with leadership commitment for further implementation of the risk management process at the SAI. The writeup should also include details on their status, objectives, and strategies related to risk management.
  • IDI will select SAIs based on the input received and may add some selection criteria in case more than 5 SAIs are interested in participating in the initiative.