Risk Management Structures and Responsibilities
How should you think about Risk Management and Risk Governance in practice, and who takes responsibility for what? You need a plan that covers three things: staying informed about the risks in your processes and operations, a solid analysis of your organisation's risk exposure, and a plan to reduce and manage those risks. Progress against that plan should be measured continuously with the right metrics. How will you achieve this?
Different types of risks
The organisation should have a structure both for governing organisation-wide risks and for the actual day-to-day risk work. The framework should include processes for Risk Reporting and Risk Analysis, and the risks are often categorised into:
- Financial risks (such as liquidity and credit risks);
- Non-financial risks (such as process and control failures); and
- Strategic risks (such as cyber-attacks and resource shortages).
There are methods and tools to help analyse the different risks. For example, financial risks are often best understood through financial scenario planning, together with structured budgeting and forecasting.
Similarly, an environmental and trend analysis makes it easier to recognise and respond to strategic risks. Beyond these analysis models, an organisation-wide framework for control and oversight is also needed; this is usually a matter for the board and management.
Risk Management and Responsibility
The CEO should appoint people responsible for the organisation's Risk Management. They are tasked with providing a comprehensive and objective view of the company's risks and with proposing changes to policies and processes based on observations, analyses and data. They own the risks they have identified, but should also be able to delegate compliance work, and they should preferably be trained and educated in Risk Management.
To manage risk effectively, communication is important in both directions. Risks should be communicated to employees, for example with risk matrices that visualise the Risk Analysis and the Risk Management response, and employees should in turn be able to communicate with the Risk Manager. Here it is easy to get stuck in an "Excel file disco", where spreadsheets bounce around in email threads and no one knows which version is current. Avoid inviting that "dance" by having a solution in place that supports Risk Management and collaboration.
You should be able to recognise risks by business area and possibly also by geography. This includes business, legal and financial risks. Responsibility for risks, controls, evaluation, and actions should be established and communicated.
In large organisations, the overall risk work should be managed by a dedicated group whose sole responsibility this is. For this to work, the group must have an extensive understanding of the business and a mandate to obtain insight into it.
It is worth emphasising that different industries are 'risk-aware' to different degrees. In banks, around seven per cent of staff work with risk; in non-financial corporations the figure is about half a per cent. Statistically, that means a non-financial company with 1,000 employees has a risk team of five people.
Crisis Preparedness and Responsibility
Ensure that the board and management are committed to Risk Management. They should define the overall risks, the worst-case scenarios, the actions to take and the communication related to them.
When a crisis arrives, those with designated responsibilities put a prepared plan for their own area of responsibility into action. There should be a plan for each threat identified in the Risk Analysis. Some operational risks may seem very small; that is fine, because it makes that part of the plan easy to follow when it is needed.
The CEO also appoints compliance officers, who are tasked with monitoring that the organisation operates in accordance with internal and external regulations. One tip is for the CEO to ensure that the organisation learns from the crises it has gone through and adapts the Risk Management plan, the allocation of responsibilities and, where needed, the compliance function accordingly.
After the crisis, these questions can guide you to better Risk Management:
- What countermeasures worked best?
- Did we communicate correctly?
- Were there gaps in our Risk Analysis or Risk Management?
- Where should we deploy resources?
- Where should we stress test?
- What should we train? Who should we train?
Responsibilities of the Management Team in Risk and Crisis Management
The CEO has overall and day-to-day responsibility for Crisis and Risk Management, but in an organisation without a standing Risk Management group, a crisis group is often appointed on the spot when a crisis occurs. Sometimes it consists of the whole management team, but there is value in involving as few members of the management team as possible in the daily crisis handling, so that the rest of the organisation continues to function despite the ongoing crisis.
An alternative is for one or more members of the management team to be given designated responsibility for crisis management and to involve and inform the rest of the management team on an ongoing basis. Once a communication strategy for the crisis is in place, some members of the management team may act as spokespersons; they will also need to address the cause of the crisis and the measures taken.