The board of directors
The senior management of the organisation (e.g. a board of directors or board of trustees) is charged with managing the organisation on behalf of shareholders or investors. Senior managers are therefore likely to be involved in:
• The assessment and management of strategic risk, as part of the process of strategic planning and management
• The expression of the organisation’s risk appetite, as part of the organisation’s core values and
• The formulation of risk management policies at a high level (which will cascade down to the formulation of risk management procedures and rules by functional managers and risk management officers)
Senior management also holds the ultimate responsibility to ensure that all risk management procedures are being enforced in line with organisational objectives, policies and risk appetite.
The board’s responsibilities include:
a. Considering what are the significant risks, and assessing how effectively they have been identified, evaluated and managed
b. Assessing the effectiveness of the internal control system in managing the significant risks, focusing particularly on any significant failings or weaknesses in internal control that were reported
c. Considering whether necessary actions are being taken promptly to remedy any significant failings or weaknesses
d. Considering whether the findings indicate a need for more extensive monitoring.
The risk management function
There may be a dedicated risk officer or function (depending on the size of the organisation), with defined responsibilities for formulating risk policies and procedures, assessing organisation-wide risks, and co-ordinating risk management planning and responses to risk events.
Designated risk officers may also be appointed at the functional level, to co-ordinate risk assessment, management and reporting in regard to particular categories of risk. These may, for example, include: transport safety officers, health and safety officers, compliance officers and environmental protection officers.
Line managers and team leaders will have a responsibility at the functional level for risk identification, notification and management within their departments:
• Formulating and/or implementing the organisation’s defined risk policies and procedures
• Enforcing adherence to risk mitigation rules and plans (e.g. through training, coaching, counselling and disciplinary or performance management interventions where required)
• Reinforcing a risk-aware culture (through leadership style, communication, role modelling and acknowledging and rewarding responsible behaviours)
• Reporting on risk events (and/or ensuring that risk events are reported by witnesses, as required by relevant policies and regulations)
• Capturing information on hazards, vulnerabilities and risks from staff (e.g. initiating risk ‘circles’ or suggestion schemes, supporting whistle blowers, or encouraging upward reporting of concerns), other stakeholders (e.g. suppliers) and the wider environment (e.g. keeping up to date on risk knowledge in their occupation, profession or specialist area).
A designated risk owner should be allocated to all identified risks, and all parts of the risk process. ISO 31000 defines a risk owner as a ‘person or entity with the accountability and authority to manage a risk’ — emphasising that:
• Ownership should be allocated to individuals with the authority required to take action and mobilise resources and
• Risk ownership must reside with management — not just with a ‘risk manager’.
The roles and responsibilities of ownership should be well defined and communicated, particularly in relation to line managers and designated ‘risk managers’. Risk managers will generally report on risk status and mitigation measures to the risk owner, whose task it is to maintain the relevant portions of the risk register.
External and internal audit functions
The role of internal and external auditors in risk management has increased with the introduction of the Stock Exchange Combined Code, the Turnbull Report and the profile of corporate governance.
Specialist external auditors are engaged to carry out independent investigations into the corporate finances and internal controls of public companies. In the public sector, a similar role is carried out by the Audit Commission and the National Audit Office. The audit report will often include identification of areas of potential vulnerability and unmanaged risk. External audit is carried out only at intervals (usually annually) and with only limited objectives (usually, to report on the financial performance of the organisation). In-house auditors have an ongoing responsibility to ensure that internal controls are adequate and effectively applied, and will report to the board of directors (and audit committee, where applicable) on a regular basis.
The work of the internal audit department covers all aspects of the organisation’s activities, not just the financial aspects: examining and testing all the internal controls in the organisation, and making recommendations for improvement. In the context of risk assessment, internal audit will work closely with other departments (such as procurement) to identify and assess potential risks specific to those departments. The internal audit function will report regularly to senior management and/or to the Audit Committee.
Cross-functional risk management teams
Cross-functional teams will often be used in assessing, preventing and minimising risk. This approach has benefits in:
• Co-opting those involved with hazards on a day-to-day basis, in order to raise risk awareness, secure ‘buy in’ to risk management processes, and support a risk-managing culture
• Securing the input of people with the closest experience of hazards and work environments and processes, and people who network with valuable sources of risk information (such as suppliers), in order to gain multiple perspectives on risk
• Facilitating an integrated, process-oriented, cross-functional risk management approach and culture, rather than a piecemeal or ‘silo’-based approach.
The procurement and supply function
The procurement and supply function may have a specific role in mitigating potential losses to the whole organisation, for example:
a. Monitoring, identifying and assessing supply chain, supplier and supply market risk (through ongoing purchasing research)
b. Conducting supplier pre-qualification and appraisal to minimise supplier risk
c. Developing contracts to minimise commercial and supply risk through the use of contractual terms
d. Managing contracts, suppliers and supplier performance in such a way as to minimise financial, project, operational and reputational risk, particularly in regard to high-risk sourcing strategies such as international sourcing, single sourcing and outsourcing
e. Supplying information and expertise for risk evaluation of strategic decisions (such as make/do or buy, investment and project appraisal, or supply chain structure)
f. Supplying information and expertise to cross-functional project teams, to identify procurement, supplier relationship and supply chain risks of projects
Roles and responsibilities of risk stakeholders
• Understanding – Risk Stakeholders should strive to understand the risks which are being discussed.
• Informing – Risk stakeholders may be required to provide specialist information to an organisation.
• Identifying – Risk stakeholders may help to identify risk.
• Providing – Some stakeholders may be expected to provide the necessary resources for the chosen action plan.
• Training – If an action plan requires education of staff or customers, someone must carry out the training.
• Communicating – Information may need to be widely spread as part of the risk management process.