In this post we explore some of the risk management roles in an organisation, how these roles implement the risk management process and how they relate to each other.
The Risk Committee is the senior risk management body in an organisation and it is responsible for auditing the effectiveness of an organisation’s risk management policies and practices. In a commercial organisation the Risk Committee is normally composed of Directors, including Non-Executive Directors. In a charity the Risk Committee is composed of Trustees. The Risk Committee may assume other tasks, e.g. setting the risk tolerance for the organisation and setting the assumptions on which risk management decisions will be based.
Risk Management Meetings
Risk Management Meetings will be scheduled at least monthly to ensure that the process remains responsive to the organisation’s situation. Extraordinary Risk Management Meetings can always be scheduled should the need arise. Risk Management Meetings would normally be chaired by the senior Risk Manager but this will not always be the case. At these meetings the up-to-date Risk Register will be reviewed, line-by-line, to review the assessment and status of all the risks recorded. A particular focus will be whether or not risk mitigation has been effective.
A Risk Manager is responsible for the implementation of the risk management process and accountable for its effectiveness. Ideally the Risk Manager will have the authority to validate risk ratings and approve risk controls up to a certain level (this is necessary to keep the risk management process dynamic and responsive). An organisation, depending on its size, may have more than one Risk Manager. To be effective a Risk Manager needs to be empowered and a part of the management team. In some organisations this role is little more than a guardian for a spreadsheet, and that is a waste.
The Risk Owner is the person held accountable for the implementation and effectiveness of a specific set of risk controls relating to a single risk. The Risk Owner can delegate responsibility for the implementation of risk controls to a named Risk Actionee or named Risk Actionees (see below). This will be necessary whenever the Risk Owner lacks the necessary authority to implement the risk controls, e.g. where the action to be taken is in a different department or even a different organisation. There should be one Risk Owner for each risk and no more (this ensures that accountability is clearly assigned to a single individual).
A Risk Actionee is a person who has been given responsibility for implementation of a risk control or risk controls. The Risk Actionee reports progress, effectiveness and issues to the Risk Owner. Management must make sure that a Risk Actionee has the necessary resources and access to the necessary capabilities to implement the risk control/s. Furthermore, the Risk Actionee must possess, or be explicitly given, the necessary authority to enable them to implement the risk control/s.
Anyone who will be impacted by either the risk or the risk control is a Risk Stakeholder. It is good practice to consult with Risk Stakeholders during the risk management process and to keep them informed once risk controls have been implemented. This is particularly true for Risk Stakeholders outside the organisation. Good management of Risk Stakeholders can be a risk control itself, for example through maintaining good will which enhances freedom of action.
It is evident that in an organisation with an effective risk management process there will be a lot of people who have a formal role. For some people, like a Risk Manager, this will be a permanent role, while for others their role will be more dynamic and changeable. Even people without a formal role in the risk management process can play an important part in its effectiveness.
The title of this post posed the question ‘risk management, whose responsibility is it?’. The answer is that everyone in an organisation, to a greater or lesser extent, is responsible for risk management. Yes, some people have formal risk roles, but everyone can play a role to ensure that the risk management process is effective. Given that risk management is about limiting harm to things that we value, we can also see how getting involved in risk management is in everyone’s interest.
Harry Thomsett is a consultant at the security and risk management consultancy SSI RM (https://ssi-ltd.com/). SSI RM provides security and risk management services to organisations operating in high threat areas around the world.