A while back I recorded a short video on the topic of risk management organizational structure in a non-financial company. In the video I discussed various options for risk manager’s place in the overall organizational structure. Since there is really no single right answer, the few common options include: reporting directly to the CEO, reporting to the Board or Audit Committee, reporting to the CFO or the Head of Internal audit and so on. You probably already have a personal preference. Hopefully this article will help you to rethink it.
It really doesn’t matter…
The first conclusion I make in the video is that it actually doesn’t matter where risk manager sits as long as two important criteria are met:
- direct access to decision makers – risk managers must be close enough to the decision makers to be able to support the risk management integration into business processes and decision making and be able to reinforce risk management culture. This requires some level of seniority to be able to participate in the decision making and reach executives or Board members when required.
- access to information – risk managers need unfiltered access to various sources of information, including internal audit findings, IT data, production data, financial and accounting information, compliance data and so on. This requires good relationships with key information owners and established communication channels that will allow risk managers to use corporate data for risk analysis on a daily basis. The second criteria is the most important in my mind.
As long as these two criteria are met the risk manager will be able to fulfil his role almost anywhere within the organizational structure.
…but it helps to sit with Internal Audit
My personal experience was reporting to Head of Strategy, CFO, CEO, Chair of the Audit Committee and the Head of Internal Audit. And while, it’s unique to every organization and does depend to a large degree on the personal relationship with the supervisor/sponsor, I found that sitting together with Internal Audit makes perfect sense, because:
- Internal audit doesn’t own many risks, so there is less pressure on risk managers to withhold information or exclude data from risk analysis. The opposite could be reporting to a CFO. Finance department originates and owns a lot of risks. I have come across companies where risk managers who reported to the CFO were pressured to exclude financial risks from the analysis or were prevented from integrating risk analysis into financial business processes.
- Internal audit has direct communication channel with the Board and the Audit Committee. This helps to integrate risk management into strategic decision making.
- Access to financial and operational company data. Internal auditors usually have full access to company data and facilities, which is invaluable when performing timely and accurate risk analysis.
- Access to audit findings, non-compliances, control weaknesses and so on. Internal audit is a gold mine of data that can significantly improve quality of risk analysis. I was very fortunate to be able to communicate with Internal auditors on a daily basis. Their input helped me dramatically improve my risk analysis and hence improve the quality of the overall decision making in the company.
- Risk management can also improve Internal audit planning and auditing procedures. The relationship works both ways.
- Higher ethical expectations from Internal audit.
There are of course arguments against having risk management and internal audit in one department. I am sure you have thought of a few right now. Most of them are not real. I encourage you to write your arguments for and against in the comments below and I will try to respond to each one.
Lack of independence and conflict of interest are usually quoted as the main logic for separating risk management and internal audit. I find this quite naive: first to seriously think Internal audit is truly independent is a bit of stretch and second lack of independence with risk management in particular is literally the least of Internal auditor’s problems. I summarize my thoughts on the 3 lines of defense in the following video:
Please comment, share and like.
– – – – – – – – – – – – – – – – – – – – –
RISK-ACADEMY offers decision making and risk management training and consulting services. Our corporate risk management training programs are specifically designed to promote risk-based decision making and integrating risk management into business processes. Risk managers all over the world call us in to help sell idea of integrating risk analysis into decision making and using quantitative risk analysis techniques. Check out most popular course for decision makers https://riskacademy.blog/product/risk-based-decision-making-executives/ or our dedicated programs to help risk managers learn the foundations of quant risk analysis https://riskacademy.blog/product/risk-managers-training/. We can also help audit risk management effectiveness or develop a roadmap for risk management integration into decision making https://riskacademy.blog/product/g31000-risk-management-maturity-assessment/
Check out other risk management books
RISK-ACADEMY offers online courses
Informed Risk Taking
Learn 15 practical steps on integrating risk management into decision making, business processes, organizational culture and other activities!
ISO31000 Integrating Risk Management
Alex Sidorenko, known for his risk management blog http://www.riskacademy.blog, has created a 25-step program to integrate risk management into decision making, core business processes and the overall culture of the organization.
Advanced Risk Governance
This course gives guidance, motivation, critical information, and practical case studies to move beyond traditional risk governance, helping ensure risk management is not a stand-alone process but a change driver for business.