The responsibility for a consistent approach to the management of risk lies with officials at all levels. What good risk management looks like will vary dependent on an individual’s role, the nature of their work and the seniority of the position they hold.
Responsibility for managing risks should be clearly defined and should include at a minimum:
- Accountable authority: the individual (or governing body) ultimately responsible for having systems of risk management and oversight in place, including determining risk appetite and tolerance, and promoting a positive risk culture.
- Chief Risk Officer (if applicable): is responsible for the framework and governance for managing risk and acts in an advisory role to support the accountable authority in understanding an entity’s capability to manage risk in line with its risk profile.
- Senior Executives: are responsible for reviewing, monitoring and managing risks within their respective business units. More specifically, they are required to facilitate risk conversations, promote a positive risk culture and embed risk management into the day-to-day decision-making process of their respective business unit.
- Audit Committees: are responsible for monitoring and reviewing the appropriateness of an entity’s system of risk oversight.
- Risk Committees (if applicable): are responsible for monitoring and reviewing an entity’s risk profile and advising on the management of key risks.
- The risk management function: is responsible for designing, building and implementing an entity’s risk management framework and developing the entity’s capability to manage risk.
- Risk owners: are accountable for managing, monitoring, reporting and escalating risks.
- Control owners: are responsible for implementing and maintaining effective controls, including assessing their effectiveness and monitoring and reporting on performance.
- Treatment owners: are responsible for implementing and monitoring treatments where the residual risk level, after controls have been implemented, is unacceptable.
- All staff: are responsible for managing and escalating risk in their daily work.
The clear allocation of risk management responsibilities to officials is essential to establishing an effective system of risk oversight within an entity. Defining roles and responsibilities for managing risk ensures there are clear accountabilities and expectations. It also creates clarity about key processes and controls and allows officials to engage with risk in an informed and consistent manner.
Responsibilities of an accountable authority
- Determine the entity’s risk appetite and tolerance.
- Monitor changes in the operating environment and make any necessary changes to the organisational structure to manage risks resulting from these changes.
Executive Level responsibilities
- Shape the strategic thinking of an entity.
- Demonstrate positive risk behaviours that are founded on drive and integrity.
- Regularly undertake capability assessments of staff and assess them against the delivery requirements of the branch or division.
- Develop staff capability and build a strategy to address identified capability gaps.
Responsibilities of the risk management function
- Design the entity’s approach to managing risk.
- Engage with Senior Executives to support this approach.
- Support the first line of the business to embed risk management into the day-to-day.
- Promulgate the entity’s framework and risk management policies.
Risk owners, control owners and treatment owners
- Risk Owners: Are accountable for managing, monitoring, reporting and escalating risks. They have an important role in actively monitoring and challenging the implementation and effectiveness of controls and treatments.
- Control Owners: Are responsible for implementing and maintaining effective controls including assessing their effectiveness and monitoring and reporting on performance.
- Treatment Owners: Are responsible for implementing, monitoring and assessing the effectiveness of treatments where the residual risk level, after controls have been implemented, may be unacceptable.
There are a number of key channels through which an entity can define and communicate the appropriate allocation of responsibility for managing risk including:
- An organisational chart
- A risk responsibilities matrix
- A risk management policy & framework
- Employee Position Descriptions
- Guidance materials, templates and toolkits.
The responsibility for managing risk should be allocated proportionately and in accordance with the nature, complexity and severity of the risks being managed.
- Ensure that officials understand any business risks that they own, how these risks relate to and may impact on the entity’s enterprise risks, and their roles in managing risk.
- Develop clear and consistent risk register templates which, when completed, make the risk management responsibilities of each official clear and easily updated as required.
- Make risk management a key competency and responsibility of all officials.
- Incorporate risk management responsibilities into job descriptions, duty statements, corporate risk training activities and materials, governance documentation and performance agreements.