3.III.7.3. Residual risk management
The ABER provides risk indicators as a basis for opportunities to improve the audited risk management and control processes. This provides economic operators with the opportunity to optimize their operations based on recommendations regarding risks that currently have no impact on customs compliance, safety, and security, but that could jeopardize the economic operator's long-term operating strategies and performance. A good risk analysis provides a framework for security in performance audits.
Auditors should keep in mind that the audit plan is a dynamic document that can be modified based on information received during the audit. A potential risk considered low in the assessment phase may be reassessed and considered high once the process is observed in practice and the procedures are judged not only on paper but also in reference to their actual implementation.
Auditors must always evaluate additional information related to areas deemed to be in the "green zone" and must be prepared to review the relevant procedures if the estimated risk is called into question as a result of verified facts.
It is recommended to use the table "Threats, risks and possible solutions", attached as Annex 2 to these Guidelines.
The ABER consists of four main phases, beginning with risk identification and prioritization and continuing with the determination of residual risk, the reduction of residual risk to an acceptable level, and the communication of the audit results to the economic operator. The execution of these phases includes the following tasks:
- Establish the various activities of the economic operator in order to identify and prioritize risks, including a review of its security plan (if any), a threat assessment, and identification of the measures adopted and internal controls.
- Confirm the economic operator's management procedures and strategies and assess controls to determine residual risk after the audit. Where appropriate, test such controls.
- Treat residual risks to reduce them to an acceptable level (follow-up actions should be agreed upon with the economic operator, in order to reduce the impact or probability of each specific risk and keep all risks within the green zone).
- Inform the economic operator of the audit results. It is important that auditors clearly indicate to the applicant the identified risks and make recommendations on how to overcome them.
- Monitor and, if necessary, re-evaluate the criteria and requirements.