A critical component of risk management integration is including responsibility and accountability (authority, resources and competence) for managing risks into all business activities. Top management should ensure that the responsibilities and authorities for relevant roles with respect to risk management are assigned and communicated at all levels of the organization.
It is quite common to describe risk management roles and responsibilities in risk management policy or a framework document. This approach seems simple to implement, yet not very effective, as business units often don’t feel the ownership of these documents, instead they consider them irrelevant in everyday business decision making and simply ignore them. Alternative and more effective way is to incorporate risk management roles and responsibilities into existing job descriptions, policies and procedures, various committee charters and working groups.
Risk management roles, responsibilities and competencies must be identified and documented for all levels of management. Some of the common roles and responsibilities include:
- Board of directors (if available)
- Provide oversight of the overall risk management effectiveness, including standards and values
- Make Board level decisions with proper consideration to risks and guidance
- Review and establish risk-adjusted appetites/limits for certain business activities, types of risks (usually required by law) or decisions
- Set risk-adjusted performance targets and KPIs for CEO and the management
- Responsible for establishing the overall risk management framework
- Make decisions with proper consideration to risks and guide whenever necessary
- Approves the strategy, business plans and budgets based on the risk management information
- Set risk-adjusted performance targets and KPIs for senior management
- Provide timely and accurate disclosure risk-adjusted performance, most significant risks and their treatments to the Board of Directors/ investors/owners
- Allocate responsibility for effective risk management to risk owners
- Assign responsibility for designing and implementing the risk management framework
- Allocate resources necessary to perform business activities with risks in mind
- Risk manager
- Design and implement the risk management framework
- Coordinate risk management activities and provide methodological support for the risk-based decision making
- Participate in the decision-making process (if required)
- Participate in the preparation of management reports, providing relevant information about risks and their treatments
- Coordinate the work of the Risk Management Committee (if applicable)
- Provide risk management training
- Implement activities designed to integrate risk management into the overall culture of the organization
- Other business unit heads:
- Identify, assess and treat risks associated with business activities or decision-making within their area of responsibility
- Allocate resources necessary to manage risks within their area of responsibility
- Optimize business processes or decision making based on the information about risks.
This is an extract from a comprehensive G31000 risk management maturity model.
Interested in buying the full G31000 risk management maturity model? Click here or contact me directly if you want me to perform a quick gap assessment at your organization or you need help to integrate risk management into a particular business process or decision.