Many organisations today have a dedicated person or a team of ‘risk advisors’ responsible for supporting the organisation’s risk taking initiatives and helping the Board and senior executives manage a wide range of opportunities and risks. The role is often referred to Chief Risk Officer (CRO), Risk Manager, Risk Advisor, Risk Management Co-ordinator or similar. Consequently, one of the major problems facing these risk advisors is the perception of who is actually responsible for risk management. On the surface, most front-line managers assume that the Risk Manager or Chief Risk Officer is responsible for managing all the risks. But in reality, nothing is further from the truth. Tony Harb, risk management specialist from InConsult looks at the responsibilities of the Board, senior executives/ management and staff in the risk management framework.
Lets start at the top. In general, the Board is ultimately responsible for adopting and committing to the organisations Risk Management Policy. Responsibilities specific to the risk management framework include:
- Defining risk appetite and risk tolerances;
- Approving key risk management documents such as the Risk Management Policy and Risk Appetite Statement;
- Providing feedback to management on important risk management matters/issues raised by management; and
- Fully considering risk management issues contained in Board reports.
Board responsibilities may vary depending on the regulatory framework in your country and/or your industry.
Chief Executive Officer
The Chief Executive Officer with the assistance from the Chief Risk Officer, senior managers and/or risk owners is responsible for leading the development of a sound risk management culture across the organisation. Specifically the Chief Executive Officer is responsible for:
- Creating a control environment that promotes prudent risk management practices, calculated risk taking and effective internal controls;
- Escalating all known potential risks, emerging risks or major incidents to the Audit Committee and Board in a timely manner;
- Ensuring that the Risk Management Policy and Risk Management Strategy are being effectively implemented; and
- Ensuring sufficient funds are prioritised and available to support effective and efficient management of risks across the organisation.
Senior Managers are essentially the ‘risk owners’ and are required to manage risks on a day-to-day basis. Senior managers are n the first line defence in combating risk and are responsible for implementing effective internal controls. Senior Managers are required to create an environment where the management of risk is accepted as the personal responsibility of all staff, service providers and contractors. Managers are accountable for:
- Maintaining sound risk management processes and structures within their area of responsibility to conform with the organisations Risk Management Policy and supporting arrangements;
- Identifying, recording and periodically evaluating risks;
- Identifying, recording and assessing effectiveness of existing controls;
- Determining whether to accept or further treat residual risks that are assessed as medium or higher;
- Implementing, communicating and maintaining effective internal controls;
- Developing and monitoring risk treatment plans to treat higher level risks in a timely manner;
- Maintaining up to date risk registers through periodic reviews and updates; and
- Ensuring all major incidents or issues are reported and resolved in a timely manner.
Managers are also responsible for supporting good management practices that compliment risk management including:
- Complying with and monitoring staff compliance with all policies, procedures, guidelines and designated authorities;
- Maintaining and communicating up-to-date information and documentation for key operational processes; and
- Incorporating risk treatment plans into business processes as required.
Every staff member is responsible for effective management of risk including the identification of potential risks. Risk management processes should be integrated with other planning processes and management activities.
All staff, service providers and contractors should act at all times in a manner which does not place at risk the health and safety of themselves or any other person in the workplace. Staff are responsible and accountable for taking practical steps to minimise exposure to risks in so far as is reasonably practicable within their area of activity and responsibility.
All staff, volunteers, service providers and contractors must be aware of operational and business risks that apply to their role. Specific responsibilities include:
- Providing input into various risk management activities;
- Assisting in identifying risks and controls;
- Conducting risk assessments as required by various policies and procedures;
- Seeking appropriate clarification on issues, problems and concerns identified;
- Reporting all emerging risks, known risks, control breakdowns, fraud, issues, breaches, near incidents and incidents to their manager and/or appropriate officer; and
- Following policies and procedures at all times to ensure compliance and maintain the organisations reputation.
Now that we know who does what, the responsibilities should be clearly documented in a number of ways. Roles and responsibilities should be:
- Summerised in the Risk Management Policy and appropriate Charters e.g Board Charter;
- Clearly detailed in the Risk Management Strategy; and
- Key elements included in the positions descriptions of the CEO, managers and staff.
Bottom line, risk management is a shared responsibility. The risk advisor role is critical for developing the risk management framework and coordinating risk management activities, but it cannot possibly manage every risk the organisation faces. Risk management is everyone responsibility.
Tony Harb is Director at InConsult. He has over 20 years’ experience in internal audit, governance and risk management. He can be contacted on 02 9241 1344 or via email at email@example.com.