Risk Management Responsibilities Flashcards
Why is it important to have clearly defined ownership of core processes, dependencies and risks?
Allows RM and Audit Committees to monitor actions and responsibilities
Where would the membership and responsibilities of committees be set out?
In the committee’s terms of reference
Describe the relationship between the Risk/Audit functions and risk ownership.
Risk management should be embedded in core processes and business activities and therefore owned by managers, not risk/audit functions.
Name seven risk management professional that might be involved in RM activities
- Insurance risk manager
- Corporate treasurer
- Finance director
- Internal auditor
- Compliance manager
- HSE Manager
- Business continuity manager
Describe the key RM responsibilities of a CEO, and where the role fits in the ‘three lines of defence’ model
First line.
- Determine strategic approach
- Establish RM structure
- Understand most significant risks
- Consider risks from poor decisions
Describe the key RM responsibilities of a location manager, and where the role fits in the ‘three lines of defence’ model
First line.
- Build risk-aware culture
- Agree RM performance targets
- Evaluate employees RM reports
- Ensure implementation of recommendations
- Identify/report changed risks
Describe the key RM responsibilities of an employee, and where the role fits in the ‘three lines of defence’ model
First line.
- Understand, accept and implement RM processes
- Report inefficient, unnecessary or unworkable controls
- Report incidents and near-misses
- Co-operate with management on investigations
- Ensure visitors and contractors comply with procedures
Describe the key RM responsibilities of a risk manager, and where the role fits in the ‘three lines of defence’ model
Second line
- Develop and update RM policy
- Facilitate risk-aware culture
- Establish internal risk policies and structures
- Co-ordinate RM activities
- Compile risk info and prepare board reporting
Describe the key RM responsibilities of a risk specialist, and where the role fits in the ‘three lines of defence’ model
Second line.
- Establish specialist risk policies
- Develop specialist contingency plans
- Keep up-to-date in specialist areas
- Support incident investigations
Describe the key RM responsibilities of an internal audit manager, and where the role fits in the ‘three lines of defence’ model
Third line.
- Develop risk audit plan
- Audit risk processes across the org
- Provide assurance on RM activities
- Develop RM processes
- Report on efficiency and effectiveness of internal controls
Why is a board level sponsor for risk management required, and what are they typically responsible for?
Ensures RM is given sufficiently high profile. They are usually responsible for the RASP.
How does ISO Guide 73 define a risk owner?
“A person with the authority and accountability to make the decision to treat or not treat a risk.”
An individual with accountability for an objective has accountability for the associated risk.
Describe the common law duties of Directors set out in the Companies Act 2006.
- Act in accordance with responsibilities
- Act in accordance with constitution of the company
- Promote the success of the company
- Exercise independent judgement
- Exercise reasonable care, skill and judgement
- Avoid or declare conflicts of interest
- Do not accept benefits from third parties
How does good RM support the common law duties of Directors set out in the Companies Act 2006?
Good RM promotes the success of the company, and facilitates reasonable care, skill and judgement through informed decision-making.
Boards are usually made up of exec and non-exec directors. What type of org might have a separate board non-execs?
A charity may have a board of execs with a separate board of governors.
Typically, what is the relationship between an exec director and the organisation?
Execs are usually full-time employees of the org.
Describe the 8 key roles of non-exec directors
- Constructively challenge and help develop proposals on strategy
- Scrutinise the performance of management
- Challenge integrity of risk information
- Seek assurance that financial controls and systems of RM are robust and defensible
- Determine appropriate levels of remuneration for the exec directors, succession planning
- Establish and maintain confidence in the conduct of the company
- Be independent in judgement, promoting openness and trust
- Be well informed about the org, its external environment and relevant issues
Describe the non-exec’s role in an org’s STRATEGY
Constructively challenge and help develop proposals on strategy
Describe the non-exec’s role in an org’s PERFORMANCE
Scrutinise the performance of management
Describe the non-exec’s relationship to an org’s RISK
Challenge integrity of risk information
Describe the non-exec’s relationship to an org’s CONTROLS
Seek assurance that financial controls and systems of RM are robust and defensible
Describe the non-exec’s role in the org’s PEOPLE
Determine appropriate levels of remuneration for the exec directors, succession planning
Describe how the non-exec’s relationship to CONFIDENCE in the org
Establish and maintain confidence in the conduct of the company
Describe how INDEPENDENCE fits into the role of non-exec
Be independent in judgement, promoting openness and trust
Describe how KNOWLEDGE fits into the role of non-exec
Be well informed about the org, its external environment and relevant issues
Historically the Risk Manager role was insurance focussed. What would this involve?
- Establish RM strategy
- Co-ordinate insurance programme for protecting org’s property and people
- Work with captive insurance company to ensure their maximum contribution
- Maintain key insurer relationships, cost-effective insurance contracts and monitor service providers
- Measure and monitor cost of risk performance
• Ensure safe-keeping and retention of insurance
contracts
- Supervise co-ordination of service provider activities
- Co-ordinate property survey programme, RM procedures and incentive schemes
Currently the Risk Manager role is varied and strategic and involves what?
- May report in to the HR Director, Finance Director, Company Secretary or treasurer.
- Finance or energy company risk managers may report directly to the CEO as Chief Risk Officers (CRO)
- Responsible for corporate learning re Risk Management benefits
- Develops RASP and systems for ensuring RM outcomes are achieved
- Greater involvement in project management and strategic delivery
- More broadly involved in resilience.
Describe the role of the Chief Risk Officer (CRO).
- Pulls together disparate RM activities to ensure best use of resources
- Works with other managers to drive effective RM, supporting them with communicating risk info up, down and across the org
- Works with IAs to ensure accuracy of reporting and value-added recommendations.
Describe the membership of the Risk Management Committee
The RMC membership is dependent on size and level of risks within the org. It can be a small group of senior execs setting strategy and policy, or a knowledge-sharing group with exec representation from each unit or department.
What should be considered if the RMC is a sub-committee of the Audit Committee?
Should be an executive function with clear separation from assurance and compliance activities
How might the membership of the RMC vary in banks and financial institutions and what should be considered in this arrangement?
May be a committee of the board made up of exec and non-exec board members. Three lines of defence should be maintained.
Describe the relationship between the audit committee and the RMC in the org’s structure
The RMC should be separate to the audit committee, and should not be senior to the audit committee to ensure the three lines of defence.
How might the RMC functions be undertaken in a smaller org?
The same functions may be carried out by the exec committee or finance committee
How does management style influence the way RM activities are factored in to an organisation’s architecture?
Where strategy and operations are directed by head office a centralised approach may be appropriate. Management structures that delegate responsibility to unit or divisional managers will adopt a de-centralised approach. Other org’s may adopt a hybrid approach, delegating some RM activities while maintaining a corporate approach for others e.g. Health & Safety
Explain what is meant by the “Information and monitoring” phase of the COSO ERM framework
Info & Comms: Relevant info is identified, captured and communicated in a form and timeframe that enables people to carry out their duties. Effective comms also happens down, up and across the org.
Monitoring: ERM is monitored and modifications made as necessary. Accomplished through ongoing management activities, separate evaluations or both.
Describe the advantages of a RMIS.
Standardised data, storage and analysis, complex modelling across divisions and departments, integrated governance, risk and compliance tools.
Describe the disadvantages of a RMIS.
Costly to adopt and they may lack nuance and insight. Think about RBS’ complex risk modelling mentioned in CIMA 2010, which lacked human intervention and insight.
