Everyone in an organization, including contractors and suppliers, must understand their role in managing risks. Many professionals in large organizations are knowledgeable about risks and can contribute significantly to managing critical risks. However, there isn’t always a shared understanding of risk management or what’s most important to the organization. It’s crucial to assign ownership of key processes, dependencies, and risks. This allows risk management and audit committees to track actions and responsibilities effectively. Although ownership is important for all risks, the audit committee typically focuses on the most significant ones. Clear communication of responsibilities and reporting structures is essential to avoid confusion. For each major risk, responsibilities should be clearly defined in three areas:
- Setting risk standards
- Implementing those standards
- Monitoring performance
A detailed responsibility framework ensures everyone, including risk owners, process owners, staff, contractors, and outsourced providers, knows their specific role. Committee roles, responsibilities, and reporting structures should also be outlined in their terms of reference. The risk register should specify who owns each significant risk. It’s important that risk managers, risk committees, and auditors don’t undermine local ownership of risks. Managers must view risk ownership as part of managing their core business processes, not as a separate task handled by risk management or audit specialists.
The following lists give examples of the range of risk management responsibilities of line management, the main functional departments and individual employees involved in risk management.
Risk management responsibilities
- Main risk management responsibilities for the CEO:
  - Determine strategic approach to risk
  - Establish the structure for risk management
  - Understand the most significant risks
  - Consider the risk implications of poor decisions
  - Manage the organization in a crisis
- Main RM responsibilities for the location manager:
  - Build risk-aware culture within the location
  - Agree risk management performance targets for the location
  - Evaluate reports from employees on risk management matters
  - Ensure implementation of risk improvement recommendations
  - Identify and report changed circumstances/risks
- Main RM responsibilities for individual employees:
  - Understand, accept and implement RM processes
  - Report inefficient, unnecessary or unworkable controls
  - Report loss events and near-miss incidents
  - Cooperate with management on incident investigations
  - Ensure that visitors and contractors comply with procedures
- Main risk management responsibilities for the risk manager:
  - Develop the risk management policy and keep it up-to-date
  - Facilitate a risk-aware culture within the organization
  - Establish internal risk policies and structures
  - Coordinate the risk management activities
  - Compile risk information and prepare reports for the board
- Main RM responsibilities for specialist risk management functions:
  - Assist the company in establishing specialist risk policies
  - Develop specialist contingency and recovery plans
  - Keep up-to-date with developments in the specialist area
  - Support investigations of incidents and near misses
  - Prepare detailed reports on specialist risks
- Main risk management responsibilities for the internal audit manager:
  - Develop a risk-based internal audit programme
  - Audit the risk processes across the organization
  - Provide assurance on the management of risk
  - Support and help develop the risk management processes
  - Report on the efficiency and effectiveness of internal controls
Responsibilities for managing risk are distributed across various levels within an organization. At the top level, the board and executives are accountable for overseeing risk management, ensuring that it aligns with the organization’s overall objectives. Middle management, including department heads, is tasked with managing risks within their specific areas, translating the organization’s risk strategy into actionable measures. Staff members, on the other hand, carry out specific risk management responsibilities as part of their daily roles. Together, these three levels form the first line of defense in maintaining effective risk management and internal control. The risk manager plays a pivotal role in coordinating risk management efforts across the organization, ensuring that risk-related activities are consistent and effective. In addition, specialized functions, such as health and safety or business continuity, provide targeted support, helping to address specific risk areas. These specialized roles form the second line of defense, offering expertise and monitoring to reinforce risk management practices. Internal audit serves as the third line of defense, with the internal audit manager responsible for independently reviewing and evaluating the organization’s risk management and control systems. By providing an objective assessment, internal audit ensures that risk management practices meet the required standards. External parties, such as insurance brokers, auditors, and consultants, also contribute to risk management by offering insights and solutions that enhance the organization’s resilience. While collaboration among risk professionals is crucial, the ultimate aim is to embed effective risk management into the organization’s core operations, making it a fundamental part of everyday business activities. It’s important to ensure that risk management is given enough attention within an organization. 
Typically, a board member will take the lead in promoting awareness of risk management at the board level and will present related reports. The risk manager usually reports to this board member and is responsible for overseeing the organization’s risk framework, strategy, and processes. A key role in risk management is that of the “risk owner.” According to ISO Guide 73, a risk owner is someone who has the authority and responsibility to decide whether or not to address a specific risk. The guide also emphasizes that anyone responsible for achieving a particular objective is also accountable for managing the risks linked to that objective, including implementing controls to mitigate those risks.
The goal of operational risk management is not to eliminate all risks but to manage them to an acceptable level. This involves balancing the cost of reducing the risk with the benefits of minimizing exposure. Common strategies for managing operational risks include avoiding, transferring, accepting, or reducing them through controls. To clarify roles and responsibilities in managing, reporting, and escalating operational risks, the organization follows a “three lines of defense” model. This framework defines clear principles and accountability for operational risk management throughout the group. The model and policy standards apply across all areas of the business, tailored to the specific nature and size of each operation. These standards provide guidance on effectively managing operational risk by consistently identifying, assessing, monitoring, and reporting risks. Their main goals are to protect the organization from financial loss, safeguard its reputation, ensure the well-being of its customers and staff, and comply with legal and regulatory requirements.
Statutory responsibilities of management
In many countries, there’s been a growing effort to clarify the responsibilities of company directors. Over time, common law has shaped these duties, which are now often formalized in regulations. Directors are expected to:
- Fulfill their assigned responsibilities.
- Follow the company’s constitution.
- Act in the best interest of the company’s success.
- Make independent decisions.
- Use reasonable care, skill, and diligence.
- Avoid or disclose conflicts of interest.
- Not accept benefits from third parties.
Risk management plays a key role in helping directors meet these obligations. Managing risks effectively supports the company’s success and ensures directors exercise proper care and diligence. Therefore, directors need a solid understanding of risk management to fulfill their legal and professional duties. Typically, a company’s board includes both executive and non-executive directors. Executive directors, who are full-time employees, handle specific operational areas and manage risks directly. Non-executive directors, on the other hand, focus on oversight functions like audit, compliance, and assurance. While they contribute to strategy and performance monitoring, they usually don’t get involved in day-to-day risk management. This separation helps avoid conflicts with their oversight roles and ensures that executive directors, who are more familiar with the company’s operations, handle specific risks. Non-executive directors mainly assist in shaping strategy and monitoring its implementation, which remains the responsibility of executive directors.
Role of the risk manager
Traditionally, risk managers have focused on shaping risk policies and procedures, often with the board’s approval. They’ve handled insurance-related matters, such as managing insurance coverage and analyzing claims data. However, shifts in the insurance market, including rising premiums and advanced risk financing methods, have led many organizations to reduce the amount of insurance they purchase. This reduction has often resulted in lower insurance budgets and less spending on premiums. Risk managers don’t have a fixed reporting structure within organizations. They might report to departments like finance, human resources, or even directly to the CEO. Despite this variability, the role of risk management remains crucial. Large organizations still need a dedicated risk management coordinator to apply risk management practices across various business areas. Historically, risks have been categorized as either insurable or non-insurable, but this distinction is becoming less relevant as organizations recognize the importance of managing all risks comprehensively. The risk manager plays a key role in helping the organization learn how to leverage risk management for better outcomes. They are responsible for establishing risk strategies, systems, and procedures to achieve the organization’s risk management goals. Traditionally, risk managers were less involved in strategic decision-making, but the role is evolving. Today, they are expected to participate more actively in project management and strategy development. This expanded role offers risk managers deeper insights and a broader impact within the organization. Given these changes, the term “risk manager” may no longer fully capture the scope of the role. A more fitting title, such as “risk and resilience manager,” could better reflect the growing focus on organizational resilience. 
In industries like finance and energy, companies are increasingly integrating the management of credit, market, and operational risks. This shift has led to the emergence of the Chief Risk Officer (CRO) role, with the CRO often reporting directly to the CEO. However, not every organization needs a CRO. The level of risk faced by the organization should dictate the seniority and scope of the risk management role. For some, a CRO is essential and can make a significant contribution. While the CRO title is not yet universal, it is becoming more common, particularly in sectors where managing complex risks is critical.
Role of non-executive directors
The role of the non-executive director has the following specific key elements:
- Strategy – constructively challenge and help develop proposals on strategy
- Performance – scrutinize the performance of management
- Risk – challenge the integrity of the financial information
- Controls – seek assurance that financial controls and systems of risk management are robust and defensible
- People – determine the appropriate level of remuneration for the executive directors and have a prime role in succession planning
- Confidence – seek to establish and maintain confidence in the conduct of the company
- Independence – be independent in judgement and promote openness and trust
- Knowledge – be well informed about the company and the external environment in which it operates, with a strong command of relevant issues
Role of the chief risk officer
The Chief Risk Officer (CRO) plays a crucial role in unifying different risk management processes to ensure the company uses its resources wisely. According to the COSO ERM Framework, the CRO works with other managers to implement effective risk management, tracks progress, and helps share important risk information throughout the organization. Internal auditors collaborate with the CRO as part of their responsibilities in risk management. Their job is to review the accuracy of ERM reports and offer independent, useful suggestions to improve the organization’s risk management practices. The IIA International Standards emphasize that internal auditing should cover evaluating how reliable reporting is, how efficiently operations run, and whether the company complies with relevant laws and regulations.
Role of the insurance risk manager
- Develop a strategy to protect the company’s assets and employees.
- Oversee the company’s insurance program through its captive insurance provider.
- Collaborate with the captive insurance manager to maximize its effectiveness.
- Manage relationships with insurers, monitor service providers, and ensure insurance contracts are cost-effective.
- Track and evaluate the group’s overall risk costs and those of individual companies within the group.
- Ensure all insurance contracts and agreements are properly stored and retained.
- Supervise service provider activities and handle the placement of group and global insurance policies.
- Coordinate property surveys, risk management practices, and incentive programs.
Risk committees
Most large organizations already have an audit committee, typically chaired by a senior non-executive director. Some organizations choose to expand the audit committee’s role to include risk management, while others set up a separate risk management committee (RMC) led by an executive director. There’s a strong case for making the RMC an executive group rather than part of a non-executive audit committee. This is because managing risks proactively requires executive oversight, while audit committees tend to focus on compliance and reactive assurance. Separating executive responsibility for managing risks from non-executive auditing aligns with good corporate governance. In some cases, the RMC operates as a sub-committee of the audit committee. However, this setup can create unnecessary bureaucracy and shift the focus from active risk management to compliance checks. To avoid this, organizations need to ensure that risk management remains an executive responsibility, even if the RMC reports to the audit committee. Membership of the RMC depends on the organization’s structure and its purpose. It can be a small group of senior executives focused on setting strategy or a larger group involving representatives from various departments to share knowledge. The structure and role of the RMC should align with the organization’s needs and risk profile. The RMC’s terms of reference and its position within the organization’s risk management framework are critical. In some sectors, such as banking, deciding on risk appetite and monitoring risk exposure are strategic board-level responsibilities. In these cases, the RMC might include both executive and non-executive members as a board sub-committee. However, it typically remains an executive-focused function to maintain the integrity of the “three lines of defense” model. Ultimately, the risk management structure should fit the organization’s specific context and risk profile. 
While a dedicated RMC may not always be necessary, its responsibilities must still be assigned to a senior committee, such as the executive or finance committee. The goal is to improve risk management practices through effective oversight and mutual support between the RMC and audit committee. Combining these committees is generally not advisable, as it risks weakening the three lines of defense, which provides a stronger safeguard.
Responsibilities of the RM committee
The role involves advising the board on risk management and promoting a culture that highlights the benefits of a risk-based approach. It includes recommending strategies and policies related to risk management and ensuring the board is informed about significant risk matters. Responsibilities also include monitoring the performance of the company’s risk management systems and reviewing reports from relevant parties. This involves evaluating the effectiveness of the company’s risk management framework by:
- Assessing risk procedures in response to changes in the business environment.
- Reviewing risk audit reports on key business areas to understand the level of exposure.
- Considering major findings from risk management reviews and how management responds to them.
- Evaluating risks associated with new projects, ventures, and strategic initiatives.
Additionally, the role requires reviewing the company’s risk exposure to ensure it aligns with the board’s risk appetite and the company’s capacity to handle risks. It involves considering improvements to the risk management approach and advising the board accordingly. Finally, it includes ensuring that risk disclosures meet financial reporting standards and provide accurate information about risk policies and key exposures.
Risk architecture
The figure illustrates the risk structure of a typical large corporation governed by the Sarbanes–Oxley Act. This framework should be clearly documented in the organization’s risk management manual. The manual should also include the terms of reference for various committees and a schedule of their activities, ensuring these align with the organization’s broader corporate calendar. For large companies with non-executive directors, the audit committee plays a key role in the risk framework. Both the audit committee and the head of internal audit are crucial in supporting the organization’s risk management strategy. Under Sarbanes–Oxley, companies must ensure that all disclosed information is accurate. This often leads to the formation of a disclosures committee, which verifies the sources and accuracy of all released information. Financial disclosures, in particular, are subject to rigorous scrutiny under this law. The risk architecture outlines the hierarchy of committees and roles responsible for managing risks and maintaining internal controls. In this setup, the corporate risk management committee oversees executive-level risk activities. At the divisional level, responsibility for risk management lies with divisional managers. They handle identifying significant risks, maintaining the division’s risk register, and ensuring appropriate controls are in place. Divisional managers receive guidance from the group risk management committee. If a divisional committee exists, it must report to the group committee, allowing for a consolidated corporate view of risk management priorities.
In public-sector or charity organizations, the risk structure differs from that of private companies. A typical setup focuses risk management on a governance and risk committee. The diagram shows how information flows and risk management activities are controlled, highlighting the central role of governance. For charities, risk governance is often more prominent than in other sectors. Reports suggest that many charity trustees prioritize governance over fundraising, indicating that risk management concerns sometimes overshadow the organization’s core mission. This can distort the organization’s focus. Risk reporting structures can vary based on the organization’s risk level and complexity. In high-risk sectors like finance, the risk committee often reports directly to the board and is typically chaired by a senior executive, such as the finance director, with other top-level representation. In general, risk management committees should consist of executive directors, as risk management is an executive responsibility. Non-executive directors focus on audit and assurance, reviewing risk performance through reports from the risk committee to the audit committee. For lower-risk organizations, the risk committee might report to an executive or operations committee rather than directly to the board. The structure should match the organization’s size, complexity, and risk exposure. There is no single “correct” risk architecture. As long as the risk committee meets its goals, the organization can decide its structure and terms of reference. However, the key distinction remains: managing risk is an executive function, while audits should be overseen by non-executive directors.