Who Is Responsible for Risk Management? Scope of Responsibilities of Key Stakeholders in Risk Management (2024)

Many organisations today have a dedicated person or a team of ‘risk advisors’ responsible for supporting the organisation’s risk-taking initiatives and helping the Board and senior executives manage a wide range of opportunities and risks. The role is often referred to as Chief Risk Officer (CRO), Risk Manager, Risk Advisor, Risk Management Co-ordinator or similar. Consequently, one of the major problems facing risk advisors is the perception of who is actually responsible for risk management. In this context, I explain below the responsibilities of the key stakeholders in an organization who play possibly the most important role in enforcing Risk Management. These stakeholders are the Board, senior executives/management and staff in the risk management framework.

The Board

Risk management governance always starts from the top, and the Board is the starting point. In general, the Board is ultimately responsible for adopting and committing to an organization's Risk Management Framework/Policy. Responsibilities specific to the risk management framework include:

  • Defining risk appetite and risk tolerances;
  • Approving key risk management documents such as the Risk Management Policy and Risk Appetite Statement;
  • Providing feedback to management on important risk management matters/issues raised by management; and
  • Fully considering risk management issues contained in Board reports.

Board responsibilities may vary depending on the regulatory framework in a country and/or specific industry.

Chief Executive Officer (CEO)

The Chief Executive Officer, with assistance from the Chief Risk Officer, senior managers and/or risk owners, is responsible for leading the development of a sound risk management culture across the organisation. Specifically, the Chief Executive Officer is responsible for:

  • Creating a control environment that promotes prudent risk management practices, calculated risk taking and effective internal controls;
  • Escalating all known potential risks, emerging risks or major incidents to the Audit Committee and Board in a timely manner;
  • Ensuring that the Risk Management Policy and Risk Management Strategy are being effectively implemented; and
  • Ensuring sufficient funds are prioritised and available to support effective and efficient management of risks across the organisation.

Chief Risk Officer (CRO)

As with any CEO direct report, the CRO should be accountable to the CEO, executive management and the board for enabling the institution to balance risk and reward and preserve enterprise value and reputation. For example, he or she should:

  • Establish and communicate the organization’s risk management vision
  • Design and implement an appropriate risk management infrastructure
  • Establish, communicate and facilitate the use of appropriate risk management methodologies, tools and techniques
  • Facilitate enterprise risk assessments and monitor the capabilities around managing the priority risks across the institution
  • Implement appropriate/meaningful action-oriented risk reporting to the overall board, specific board committees and senior management

Senior Managers

Senior Managers are essentially the ‘risk owners’ and are required to manage risks on a day-to-day basis. Senior managers are the first line of defence in combating risk and are responsible for implementing effective internal controls. Senior Managers are required to create an environment where the management of risk is accepted as the personal responsibility of all staff, service providers and contractors. They are accountable for:

  • Maintaining sound risk management processes and structures within their area of responsibility to conform with the organisation's Risk Management Policy and supporting arrangements;
  • Identifying, recording and periodically evaluating risks;
  • Identifying, recording and assessing effectiveness of existing controls;
  • Determining whether to accept or further treat residual risks that are assessed as medium or higher;
  • Implementing, communicating and maintaining effective internal controls;
  • Developing and monitoring risk treatment plans to treat higher level risks in a timely manner;
  • Maintaining up to date risk registers through periodic reviews and updates; and
  • Ensuring all major incidents or issues are reported and resolved in a timely manner.

Managers are also responsible for supporting good management practices that complement risk management, including:

  • Complying with and monitoring staff compliance with all policies, procedures, guidelines and designated authorities;
  • Maintaining and communicating up-to-date information and documentation for key operational processes; and
  • Incorporating risk treatment plans into business processes as required.

Staff

Every staff member is responsible for effective management of risk including the identification of potential risks. Risk management processes should be integrated with other planning processes and management activities.

All staff, service providers and contractors should act at all times in a manner which does not place at risk the health and safety of themselves or any other person in the workplace. Staff are responsible and accountable for taking practical steps to minimise exposure to risks in so far as is reasonably practicable within their area of activity and responsibility.

All staff, volunteers, service providers and contractors must be aware of operational and business risks that apply to their role. Specific responsibilities include:

  • Providing input into various risk management activities;
  • Assisting in identifying risks and controls;
  • Conducting risk assessments as required by various policies and procedures;
  • Seeking appropriate clarification on issues, problems and concerns identified;
  • Reporting all emerging risks, known risks, control breakdowns, fraud, issues, breaches, near incidents and incidents to their manager and/or appropriate officer; and
  • Following policies and procedures at all times to ensure compliance and maintain the organisation's reputation.

Now that we know who does what, the responsibilities should be clearly documented in a number of ways.

Roles and responsibilities should be:

  • Summarised in the Risk Management Policy and appropriate Charters, e.g. Board Charter;
  • Clearly detailed in the Risk Management Strategy; and
  • Included, as key elements, in the position descriptions of the CEO, managers and staff.

Bottom line, risk management is a shared responsibility and is everyone's responsibility.

Author: Saturnina Altenwerth DVM
