Risk managers may begin the implementation of the selected risk governance model by documenting risk management roles and responsibilities. It is quite common to describe risk management roles and responsibilities in a risk management policy or framework document. This approach seems simple to implement, yet it is not very effective: business units often don’t feel ownership of these documents; instead they consider them irrelevant to everyday business and simply ignore them. There is a better way.
It is considered more effective to incorporate risk management roles and responsibilities into existing job descriptions, policies and procedures, committee charters and working group terms of reference. Risk management roles and responsibilities must be identified and documented for all levels of management. As mentioned by a number of the risk managers we have interviewed, this is much more effective than listing roles and responsibilities in the risk management policy or framework document.
Work with your HR team to include ISO31000 knowledge and risk management competencies in job descriptions / position descriptions for new hires.
USE THE CHECKLIST PROVIDED BELOW TO TURN THIS SECTION INTO ACTIONS
☐ Review existing job descriptions, committee charters, policies and procedures
☐ Update existing job descriptions, committee charters, policies and procedures to include risk management roles and responsibilities if not already done
☐ In order to reduce unnecessary tension, do the update in coordination with HR at the time when these documents are being reviewed anyway
☐ Include ISO31000 knowledge and risk management competencies in job descriptions for new hires
USEFUL VIDEOS
Alex Sidorenko from RISK-ACADEMY talks about two ways of documenting risk management roles and responsibilities and the impact each has on risk culture: https://www.youtube.com/watch?v=1Km332LJmPY