IRM ERM M1U2.2 2.2 RASP – Risk Architecture Flashcards
Risk architecture
Risk architecture (RA) defines how information on risk is communicated through an organisation.
Risk architecture is described in Hopkin and Thompson as the risk management organisation and arrangements of the organisation. As such we could consider risk architecture to be the structure of the risk management process, aligned to the structure of the organisation.
Components of Risk Architecture:
Committee structure and terms of reference.
Roles and Responsibilities.
Internal reporting requirements.
External reporting controls.
Risk management assurance arrangements.
Budget and agreement on resources.
Agency Theory
The Corporate Finance Institute defines ‘Agency Theory’ as “the concept used to explain the important relationships between principals and their relative agent. In the most basic sense, the principal is someone who heavily relies on an agent to execute specific financial decisions and transactions that can result in fluctuating outcomes”.
In terms of businesses and relationships, these will be between the likes of the shareholders / members / trustees and executives, the board of directors and CEO, and so on.
RASP explained
The risk architecture defines how information on risk is communicated throughout the organization and forms part of the risk management framework.
The risk strategy defines the overall objectives that the organization is trying to achieve with respect to risk management.
The risk protocols are the systems, standards and procedures that are put in place in order to fulfil the defined risk strategy.
Risk architecture sets out…
The risk architecture sets out lines of communication for reporting on risk management issues and events and allocating ownership of particular risks within the organization.
Risk management responsibilities
Risk management responsibilities need to be clearly allocated to the following aspects of managing that risk: development of risk strategy and standards; implementation of the agreed standards and procedures; auditing compliance with the agreed standards.
An important aspect of the risk architecture
An important aspect of the risk architecture is to ensure that risk escalation procedures are embedded within the organization, including appropriate whistleblowing arrangements.
Risk Register
The risk management manual will be a static record of processes and procedures, whereas the other documentation, for example the risk register, should be a dynamic record of actions that are planned or are in progress. In effect, the risk register should be considered to be the risk management action plan.
Reducing Agency Problems
In order to reduce the likelihood of conflict, there are certain measures and principles that can be followed by both the principal and agent.
Transparency
Restriction
Bonuses
Centralised, Decentralised & Hybrid Model
Some CEOs prefer a centralised approach to their corporate structure, with the strategy and operations directed by a head office or other central team.
An obvious alternative to this is the decentralised approach where management responsibility is delegated to unit or divisional managers with little direction from the centre.
Many organisations adopt a hybrid approach to the general operating structure, where discretion in the design and operation of the subsidiary entities is allowed in certain areas but in others (such as brand management, health and safety, and banking arrangements) the corporate approach must be adopted.
Executive or Non-Executive Directors
Usually, board directors will be either executive or non-executive directors of the organization. In certain organizations, such as charities and most government departments, executive directors will meet separately as an ‘executive committee’ and the non-executive directors will form a ‘board of governors’. Typically, executive directors will be full-time employees of the organization with a specific area of responsibilit
Risk Manager Reporting Line
There is no single established reporting position in the structure of an organization for the risk manager. Risk managers may report to the CEO, the finance director or treasury, the company secretary or group legal department, or even to human resources or procurement.
Risk and Resilience
Risk Committee
Most large organizations will already have an audit committee, chaired by a senior non-executive director. An option considered by many organizations is to extend the role of the audit committee to include all aspects of risk management or to establish a separate risk management group chaired by an executive director.
Risk Register Disadvantages
The information needs to be correct, updated and to the right level of detail.
Manually operated risk registers can become unwieldy if they contain too much detail, and open to criticism if they contain too little.
Senior management may consider they have fulfilled their obligation to risk management by attending a risk assessment workshop and producing a risk register, without the need for further engagement in the risk management process.
Without the benefit of technology to manipulate and analyse the complex array of information, the maintenance of risk registers can become a focus of activity such that it becomes the process rather than a tool to achieve improvements. More importantly, unless supported by technology, it is difficult for a risk register to be a collaborative tool that exists in real time.