Risk managers may begin implementing the selected risk governance model by documenting risk management roles and responsibilities. It is quite common to describe these roles and responsibilities in a risk management policy or framework document. This approach seems simple to implement, yet it is not very effective: business units often feel no ownership of such documents, consider them irrelevant to everyday business, and simply ignore them. There is a better way.
It is considered more effective to incorporate risk management roles and responsibilities into existing job descriptions, policies and procedures, committee charters and working group charters. Risk management roles and responsibilities must be identified and documented for all levels of management. As a number of the risk managers we interviewed mentioned, this is much more effective than listing roles and responsibilities in the risk management policy or framework document.
Work with your HR team to include ISO31000 knowledge and risk management competencies in job descriptions / position descriptions for new hires.
USE THE CHECKLIST PROVIDED BELOW TO TURN THIS SECTION INTO ACTIONS
☐ Review existing job descriptions, committee charters, policies and procedures
☐ Update existing job descriptions, committee charters, policies and procedures to include risk management roles and responsibilities, if not already done
☐ To reduce unnecessary tension, do the update in coordination with HR at the time when these documents are being reviewed anyway
☐ Include ISO31000 knowledge and risk management competencies in job descriptions for new hires
USEFUL VIDEOS
Alex Sidorenko from RISK-ACADEMY talks about two ways of documenting risk management roles and responsibilities and the impact each has on risk culture: https://www.youtube.com/watch?v=1Km332LJmPY