Risk management plays an increasingly important role in the combined assurance model; boards should ensure the role is correctly placed organisationally.
By Junita van der Colff, Manager: Advisory, ContinuitySA
If risk managers are to play their role in providing the board (and executive management) with credible assurance that the organisation’s risks have been properly scoped and mitigated, they need sufficient authority and independence. At a practical, organisational level, this inevitably translates into who the risk manager reports to.
The issue is partly resolved if a chief risk officer (CRO) is appointed at an executive or C-suite level.
However, most organisations have neither the appetite nor the budget for an executive-level appointment. Where no CRO exists, the risk manager will report, at an administrative level, to a member of the executive team: often the company secretary, the CFO, a legal and compliance executive, a governance executive or similar.
The key word here is “administrative”: what really matters is that the risk manager’s independence (and thus authority) is guaranteed. This can be achieved, I believe, by giving the risk manager direct access to the CEO and a direct reporting line to the appropriate board committee. In this way, a position below executive level is given the independence it needs to provide the board with assurance it can trust.
The same approach can be followed if the decision is taken to outsource the risk management function. It is critical that whoever handles risk management for an organisation is able to bypass corporate hierarchies and politics and interact directly with the board, on whose shoulders, of course, the ultimate responsibility falls.