The risk governance model depends on the management and shareholders’ expectations as well as on the risk manager’s competencies and on the resources available for risk management implementation.
The risk governance model can be built based on the classical concept of three lines of defence:
- The 1st line of defence – Business units: executives, business department management as well as employees. As part of their daily duties those listed above are responsible for timely identification, assessment, management, monitoring and reporting on risks. Senior management and the Board of Directors determine the strategy for risk management, approve risk appetite and monitor how major risks are managed.
- The 2nd line of defence – Risk management and other support functions: the risk management function and other support functions (such as safety and quality, finance, insurance, etc.) act as internal business consultants and are responsible for developing the risk management methodology, for awareness and training, and for methodological support. Sometimes the risk management team also performs a quality control function and aggregates information about the risks.
- The 3rd line of defence – Internal audit: independent bodies, such as internal audit, provide independent assurance that risk management is carried out in line with internal policies and procedures, and that the key corporate risks are actually being managed.
While commonly accepted and simple in theory, the three lines of defence model is overly idealistic and doesn’t work well in non-financial services.
Risk managers may want to consider an alternative risk governance structure where:
- The risk management function is the centre of competence for all risk analysis and is responsible for an independent, timely and quantitative risk analysis for the decisions proposed by management. This model takes certain responsibilities from the traditional first line of defence, giving the risk managers greater responsibility and ownership over the risk analysis. This allows the risk manager to be directly involved in the process of decision making and to assume the responsibility for the outcomes on par with other executives.
- In certain cases, the risk manager may have the mandate to block excessively risky transactions or projects that do not meet the strategic goals of the company.
Based on the experience of the authors, the second option is much more effective. Nassim Taleb calls it ‘having skin in the game’. To him, this is the only way to manage risks. We agree.
USE THE CHECKLIST PROVIDED BELOW TO TURN THIS SECTION INTO ACTIONS

| Action | Resource |
| --- | --- |
| Propose different risk governance models for your organisation: one where the risk manager is passive and one where the risk manager is actively involved in the decision making | |
| Discuss risk governance models at the Risk Management Committee meeting | |
| Get stakeholder buy-in for the option selected | |
| Alex Sidorenko from RISK-ACADEMY talks about whether the concept of 3 lines of defence is useful or not and how to make it work. | https://www.youtube.com/watch?v=INK2HIklZMM |
| Is it a methodology expert, a facilitator, an educator or a policeman? Maybe everything above? If so, in what proportion? | https://www.youtube.com/watch?v=hpix1vRb5wY |