RISK MANAGEMENT ROLES AND RESPONSIBILITIES
Everybody working for an organization will need to be made aware of their risk management responsibilities, as will contractors and suppliers. There are many professional people in large organizations who have an understanding of risk and a substantial contribution to make to the successful management of the priority significant risks. Unfortunately, there is not always a common view of risk management or the issues that are important to the organization.
Ownership of core processes, key dependencies and risks is important, because it enables the risk management and audit committees to monitor actions and responsibilities. This ownership is important for all risks, although the audit committee will only monitor the priority significant risks.
There should be clear statements of responsibilities for the following aspects of the management of each priority significant risk:
- Setting required risk standards;
- Implementing risk standards;
- Monitoring risk performance.
A detailed set of responsibilities will ensure that the roles of risk owners, process owners, internal audit, risk management functions, members of staff, contractors and outsourced operations, as well as all others, are clearly defined and understood. The allocation of responsibilities to committees, as part of the risk architecture, is also an important consideration. The membership, responsibilities and reporting structure will normally be described in the terms of reference of each committee.
RISK MANAGEMENT RESPONSIBILITIES
Main risk management roles and responsibilities for the CEO:
- Determine strategic approach to risk
- Establish the structure for risk management
- Understand the most significant risks
- Consider the risk implications of poor decisions
- Manage the organization in a crisis
Main risk management roles and responsibilities for the location manager:
- Build risk-aware culture within the location
- Agree risk management performance targets for the location
- Evaluate reports from employees on risk management matters
- Ensure implementation of risk improvement recommendations
- Identify and report changed circumstances/risks
Main risk management roles and responsibilities for individual employees:
- Understand, accept and implement RM processes
- Report inefficient, unnecessary or unworkable controls
- Report loss events and near-miss incidents
- Cooperate with management on incident investigations
- Ensure that visitors and contractors comply with procedures
Main risk management roles and responsibilities for the risk manager:
- Develop the risk management policy and keep it up-to-date
- Facilitate a risk-aware culture within the organization
- Establish internal risk policies and structures
- Coordinate the risk management activities
- Compile risk information and prepare reports for the board
Main risk management roles and responsibilities for specialist risk management functions:
- Assist the company in establishing specialist risk policies
- Develop specialist contingency and recovery plans
- Keep up-to-date with developments in the specialist area
- Support investigations of incidents and near misses
- Prepare detailed reports on specialist risks
Main risk management roles and responsibilities for the internal audit manager:
- Develop a risk-based internal audit programme
- Audit the risk processes across the organization
- Provide assurance on the management of risk
- Support and help develop the risk management processes
- Report on the efficiency and effectiveness of internal controls
There is a need to ensure that management of risks receives a sufficiently high profile. It will normally be a board member who sponsors risk management awareness at the board and presents risk management reports to the board. Typically, the risk manager will report to that board member, and have responsibility for the risk architecture, strategy and protocols (RASP).
ROLE OF RISK MANAGER
Traditionally, the risk manager has been involved in assessing overall risk policy and procedures with endorsement from the board. Decisions on insurance risk management issues and the provision of statistical analysis of insurance losses have been part of these historical responsibilities.
The insurance risk manager needs to evaluate the current status of risk management and reflect on the current state of the insurance market. Increases in insurance rates and a more sophisticated approach to risk financing have affected the amount of insurance purchased by large organizations. In many cases, there has been less insurance purchased and this has led to a reduced premium spend and a lower budget for the insurance risk management department.
There is no single established reporting position in the structure of an organization for the risk manager. At present, risk managers may report to human resources, the finance director or the company secretary. Sometimes, the risk manager reports to the corporate treasurer and, occasionally, the chief executive officer (CEO). There is still a need for a risk management facilitator and coordinator in most large organizations. This will enable the organization to apply risk management tools and techniques to a wider range of issues.
Risks have historically been divided into insurable (pure) and non-insurable (speculative) risks. From a business success perspective, these are artificial divisions between types of risks. The risk manager should be responsible for the corporate learning that has to take place so that the organization can understand the benefits of risk management. As the person having responsibility for the risk architecture, strategy and protocols (RASP), the risk manager will be responsible for developing the strategy, systems and procedures by which the required risk management outcomes for the organization are achieved.
Role of the insurance risk manager:
- To establish the risk management strategy for protecting company property and people.
- To coordinate the company insurance programme through the captive insurance company.
- To work with the manager of the captive to maximize the contribution made by the captive insurance company.
- To maintain key insurer relationships, monitor service providers and ensure cost-effective placement of insurance contracts.
- To measure and monitor cost of risk performance of the group and individual group companies.
- To ensure safekeeping and adequate retention of all insurance contracts and agreements.
- To supervise the coordination of service provider activities and place the group and global insurances.
- To coordinate the property survey programme, risk management procedures and incentive schemes.
RISK MANAGEMENT ROLES AND RESPONSIBILITIES OF CHIEF RISK OFFICER
As champion of the Enterprise Risk Management process, the Chief Risk Officer plays a key part in bringing together disparate risk management processes to ensure that limited company resources are applied effectively. The COSO Enterprise Risk Management Framework defines the role of the Chief Risk Officer as working with other managers to establish effective risk management, monitoring progress, and assisting other managers in reporting relevant risk information up, down and across the organization.
Internal auditors should work with the Chief Risk Officer as part of their risk management duties. In this role, internal auditors are responsible for evaluating the accuracy of Enterprise Risk Management reporting and providing independent and value-added recommendations to management about its ERM approach. The IIA International Standards specify that the scope of internal auditing should include evaluating the reliability of reporting, the effectiveness and efficiency of operations, and compliance with laws and regulations.
Most large organizations will already have an audit committee, chaired by a senior non-executive director. An option considered by many organizations is to extend the role of the audit committee to include all aspects of risk management, or to establish a separate risk management committee (RMC) chaired by an executive director. There is a strong argument for the RMC to be an executive group, rather than part of any existing non-executive audit committee. This is necessary because risks need to be managed in a proactive manner as an executive responsibility.
The existing audit committee is likely to treat the management of risk as a non-executive (reactive) auditing of compliance. Separation of executive responsibility for the management of risk from non-executive responsibility for auditing and review of compliance will also be consistent with good corporate governance principles.
Some organizations have established the RMC as a sub-committee of the audit committee. If this is the case, actions need to be taken to ensure that risk is managed as an executive responsibility, rather than audited as a compliance/assurance issue. In fact, establishing the RMC as a sub-committee of the audit committee could impair the work of the RMC because of increased bureaucracy and an unhelpful emphasis on auditing and compliance, rather than proactive management of risks.
ROLES AND RESPONSIBILITIES OF RISK MANAGEMENT COMMITTEE
- To advise the board on risk management and to foster a culture that emphasizes and demonstrates the benefits of a risk-based approach to risk management
- To make appropriate recommendations to the board on all significant matters relating to the risk strategy and policies of the company
- To monitor the performance of the risk management systems and review reports prepared by relevant parties
- To keep under review the effectiveness of the risk management infrastructure of the company, including:
  - assessment of risk management procedures in accordance with changes in the operating environment
  - consideration of risk audit reports on the key business areas to assess the level of business risk exposure
  - consideration of any major findings of any risk management reviews and the response of management
  - assessment of the risks of new ventures and other strategic, project and operational initiatives
- To review the risk exposure of the company in relation to the risk appetite of the board and the risk capacity of the company
- To consider the development of risk management and make appropriate recommendations to the board
- To consider whether disclosure of information regarding risk management policies and key risk exposures is in accordance with financial reporting standards.