A Risk Universe is a comprehensive list of potential events that could impact an organisation’s ability to achieve its goals and objectives. It provides a structured way to identify, assess and prioritise risks - serving as the foundation for frameworks like the risk register, risk appetite statement and audit planning.
Risk Universes are typically maintained by Risk or Enterprise Risk Management (ERM) teams and are essential for driving consistency in how risks are recorded, communicated and mitigated across the business.
Why It Matters to Audit, Risk, and Governance Professionals
Professionals in internal audit, risk, compliance, and governance use the Risk Universe to:
- Drive a consistent risk taxonomy across teams
- Ensure nothing important falls through the cracks
- Prioritise efforts and resources
- Feed into audit planning and assurance mapping
- Connect risks to their controls, to risk and control owners, and to mitigation efforts
Without a well-maintained Risk Universe, organisations will face fragmented or duplicated risk efforts and blind spots in their assurance landscape.
What’s the difference between a Risk Universe and an Audit Universe?
They’re definitely related — but they serve different purposes.
- The Risk Universe is the organisation’s full risk landscape. It is a conceptual map of everything that could go wrong: strategic missteps, market volatility, cyber threats, compliance failures, operational breakdowns, reputational damage - and the list goes on. It’s not about who owns these risks or whether they’re being managed today. It’s simply about identifying the possibilities, from the catastrophic to the fairly minor.
- The Audit Universe is Internal Audit’s working map. It includes the areas, processes, and themes that Internal Audit might review to obtain assurance that risks are being managed effectively. The Audit Universe draws on the Risk Universe — but filters it through an audit lens.
Risk Universe vs Risk Register
Another common confusion is between the Risk Universe and the Risk Register.
- Risk Universe = the big conceptual map of everything that could go wrong
- Risk Register = a practical tool that lists the specific risks that have been prioritised, assessed and assigned owners and controls.
Example Risk Universe Categories
Here are some typical Risk Universe categories. Most organisations will tailor these to their specific needs, but common categories include:
- Strategic Risks (e.g. poor decision-making, failed M&A)
- Operational Risks (e.g. supply chain failure, system outages)
- Financial Risks (e.g. credit risk, liquidity)
- Compliance & Legal Risks (e.g. regulatory breaches, legal issues)
- Cyber & Technology Risks (e.g. IT outages, ransomware, data loss)
- Conduct & Culture Risks (e.g. fraud, misconduct)
- Reputational Risks (e.g. negative media exposure)
How to Build a Risk Universe
- Start with common categories – Use common themes like strategy, operations, cyber, etc.
- Brainstorm risk types – What could go wrong in each category?
- Check existing sources – Look at existing risk registers where available, audit reports and other reviews, and general industry guidance.
- Standardise terminology – Use consistent names for similar risks. Merge or split out as needed.
- Iterate with stakeholders – Get input from risk owners and assurance providers.
- Keep it current – Don’t build a risk universe and then forget about it. Review and refresh regularly.
Tools and Templates
We’re working on a simple downloadable template to help you build your own Risk Universe.
Coming soon: Risk Universe Starter Template
If you’re interested in preparing or updating your Risk Universe, you may also be interested in Risk Radar, a prototype tool for mapping and exploring risks visually.