Risk Management Processes, Perspectives and Responsibilities
Standard risk management process
Identify Risks > Assess Exposure > Monitor Exposure > Control Exposure
The process is performed sequentially
This is a circular process in continuous use in most organisations. There is no clear distinction between where the process starts and ends. It is commonly assumed that the process starts with risk identification and ends with risk control
Risk Identification
Risk identification involves identifying the risks to which an organisation is exposed
Organisations operate in a world of wide ranging, changing threats and opportunities. They also have to make strategic and operational decisions on a regular, if not constant, basis to maintain their activities and achieve their objectives
There are a wide variety of tools and techniques that can be used to identify risk
Risk assessment
Usually occurs once a risk or a set of risks have been identified
The purpose of risk assessment is to determine the potential significance of the risks in question.
This allows these risks to be placed in rank order to help establish their priority
Higher priority risks will usually require greater management attention in terms of risk monitoring focus and risk control
Much of the risk assessment activity that is conducted by organisations is concerned with assessing the organisation's exposure to specific risk events
Risk monitoring
The risk monitoring element of the risk management process incorporates all of the activities that an organisation uses to monitor and report on potential changes in its exposure to risk or the effectiveness of its risk controls and risk management activities in general
The purpose is to provide a comprehensive picture of an organisation's current risk profile in relation to the objectives it pursues and to provide an indication of how this risk profile may change
Risk monitoring looks at both the risks that an organisation is exposed to and the effectiveness of the various controls and other risk management activities that are used to understand and manage these exposures
Risk monitoring involves the collection and dissemination of a wide range of data from different sources. This may include
Loss data
A range of other risk, control and performance indicators such as customer and complaint data
The production of risk reports for board directors, senior management and operational/department managers
External risk reports for stakeholders such as shareholders and regulators
Risk control
Risk control involves the application of tools and techniques to influence the probability and impact of a risk event, or to mitigate any secondary business disruption and reputation effects that may follow the initial risk event
A wide variety of tools and techniques are available, ranging from physical devices, such as door locks, to financial tools, such as derivatives
There are also tools to transfer risk, such as insurance and outsourcing, as well as tools to help detect potential risk events such as smoke alarms
Roles and responsibilities for risk management
The board & executive management
Most of the regulations and standards for risk management indicate that an organisation's board of directors, or equivalent governing body, has primary responsibility for risk management
The board has an oversight responsibility and must ensure that it receives appropriate assurance from management that the organisation has an appropriate risk management process in place and that this process is used correctly
Boards have a key role in determining an organisation's risk appetite, as well as periodically monitoring the organisation's risk profile to ensure that the organisation remains within the agreed appetite for risk
The board only needs information on those risks that may cause the organisation to breach its risk appetite since these are the risks that may affect the strategy of an organisation and its ability to achieve its objectives
CRO
To support the board and organisation-wide risk committee in the fulfilment of their responsibilities. This includes raising any concerns that the CRO may have regarding the risks associated with strategic decisions, major risk exposures and internal control failures that may affect the organisation's ability to meet its objectives or regulatory obligations
To direct the work of the organisation's risk function
To oversee the risk management activities of the whole organisation and ensure that risks are managed in a manner consistent with the organisation's appetite for risk as well as its risk management policies and procedures
To work with the compliance and internal audit functions to ensure that regulatory compliant risk management governance arrangements are in place across the organisation
The risk manager and risk function
Most organisations will have either a dedicated risk manager or an individual with responsibility for risk management within their role
In larger organisations, it is common to have multiple risk managers and support staff as part of one or more specialist risk functions
Organisations with multiple business units or subsidiaries may have local risk functions which are co-ordinated via a group risk function
Risk managers and functions also have a key role to play in risk monitoring and reporting - they will often collect risk exposure and risk management information from across the organisation in order to provide risk reports for a variety of internal stakeholders, including the board, CRO, risk committee and business unit management
Risk managers may help with risk identification and assessment exercises, such as the completion of risk registers; they may also provide advice about how to effectively control specific risks and training on the organisation's risk management policies and procedures
The compliance manager and compliance function
The role of the compliance function in relation to risk management is to ensure that the design and ongoing operation of an organisation's risk management processes are compliant with all applicable rules and guidance
It is important that the compliance manager works closely with the risk manager or function
The compliance function can help to ensure that risk management processes are designed in a compliant manner
They may also support oversight of the risk management policy and processes to ensure that the compliance relevant elements of this policy or processes are implemented appropriately across the organisation
This might include conducting compliance audits in specific business units, functions or departments to ensure that compliance sensitive risk management activities are carried out correctly
The compliance manager may act as an intermediary between the organisation and risk management related regulatory and supervisory bodies - this might include commenting on regulatory consultation papers, answering questions about the organisation's risk management activities, managing supervisory inspections and providing risk management information to regulators and supervisors in accordance with regulatory reporting requirements
Internal audit and risk management
Where an organisation has an internal audit function, provided internally or via a third party service provider, it has a role to play in providing assurance that an organisation's risk management process is effective in terms of its design and implementation
The internal audit function may conduct audits of the risk function and of the process that has been developed to support the management of risk - this might include benchmarking this process against industry standards or audits to determine whether managers across the organisation are using the process correctly
Routine business unit or function audits as well as thematic internal audits may also identify risk management related issues in terms of how the process is used and in terms of specific control failures or new risk exposures
Where an organisation has determined its appetite for risk, the IA function may provide an opinion on whether the organisation as a whole, as well as specific business units and functions, is keeping the organisation's risk profile within risk appetite
Company secretary
The role of a company secretary can vary
Where a company secretary is not responsible directly for any risk or compliance management activities, the governance role they play in supporting the activities of the board means that they must be ready to advise board members of their responsibilities for risk management and ensure that board agendas devote sufficient time to risk management
A company secretary will need to work closely with the risk and compliance managers to ensure that the board receives risk reports and risk management assurance it needs to fulfil its obligations
Finance
The finance function is a key source of financial information, much of which is relevant to risk management
E.g. information relevant to the financial solvency and cash flows of an organisation will come from the finance function
The finance function is also a key source of risk; this includes risks relating to the accuracy of financial statements and the annual report and accounts
Health and safety
Responsibility for overseeing matters relating to health and safety may be assigned to the risk manager or risk function
Where a separate function is in place, it is important that the two individuals or functions work together
The work of the health and safety manager must be compliant with any relevant regulations as well as an organisation's risk management policy and procedures
The health and safety manager or function will need to report information about health and safety risks and incidents to the risk function to ensure that they have a comprehensive picture of an organisation's exposure to risk
HR management
HR has a role to play wherever risk exposures may be influenced by the actions or inactions of staff
HR may support the completion of risk assessments that have a people dimension
They also have a responsibility for ensuring that HR related risk controls, such as recruitment and disciplinary controls, are operating effectively across the organisation
They may also supply the risk function with risk monitoring related information such as staff turnover or absence rates
Information security
Day to day management of information security will usually be conducted by information security professionals working within the IT function
It is important that these professionals manage information security risk in a manner that is consistent with the organisation's risk management policy, process and appetite for risk
It may also be necessary for these professionals to supply information to the risk manager or function to support their risk monitoring and reporting activities
Marketing and PR
Marketing and PR activities are a significant source of risk and they must comply with all relevant risk management policies or procedures
The PR function can be an important source of information regarding any negative press reporting about the organisation and will have a role to play in helping to prevent such adverse reporting in the first instance