Risk Management Responsibilities

Question 1

Why is it important to have clearly defined ownership of core processes, dependencies and risks?

Answer 1

Allows RM and Audit Committees to monitor actions and responsibilities

Question 2

Where would the membership and responsibilities of committees be set out?

Answer 2

In the committee’s terms of reference

Question 3

Describe the relationship between the Risk/Audit functions and risk ownership.

Answer 3

Risk management should be embedded in core processes and business activities and therefore owned by managers, not risk/audit functions.

Question 4

Name seven risk management professional that might be involved in RM activities

Answer 4

• Insurance risk manager
• Corporate treasurer
• Finance director
• Internal auditor
• Compliance manager
• HSE Manager
• Business continuity manager

Question 5

Describe the key RM responsibilities of a CEO, and where the role fits in the ‘three lines of defence’ model

Answer 5

First line.

• Determine strategic approach
• Establish RM structure
• Understand most significant risks
• Consider risks from poor decisions

Question 6

Describe the key RM responsibilities of a location manager, and where the role fits in the ‘three lines of defence’ model

Answer 6

First line.

• Build risk-aware culture
• Agree RM performance targets
• Evaluate employees RM reports
• Ensure implementation of recommendations
• Identify/report changed risks

Question 7

Describe the key RM responsibilities of an employee, and where the role fits in the ‘three lines of defence’ model

Answer 7

First line.

• Understand, accept and implement RM processes
• Report inefficient, unnecessary or unworkable controls
• Report incidents and near-misses
• Co-operate with management on investigations
• Ensure visitors and contractors comply with procedures

Question 8

Describe the key RM responsibilities of a risk manager, and where the role fits in the ‘three lines of defence’ model

Answer 8

Second line

• Develop and update RM policy
• Facilitate risk-aware culture
• Establish internal risk policies and structures
• Co-ordinate RM activities
• Compile risk info and prepare board reporting

Question 9

Describe the key RM responsibilities of a risk specialist, and where the role fits in the ‘three lines of defence’ model

Answer 9

Second line.

• Establish specialist risk policies
• Develop specialist contingency plans
• Keep up-to-date in specialist areas
• Support incident investigations

Question 10

Describe the key RM responsibilities of an internal audit manager, and where the role fits in the ‘three lines of defence’ model

Answer 10

Third line.

• Develop risk audit plan
• Audit risk processes across the org
• Provide assurance on RM activities
• Develop RM processes
• Report on efficiency and effectiveness of internal controls

Question 11

Why is a board level sponsor for risk management required, and what are they typically responsible for?

Answer 11

Ensures RM is given sufficiently high profile. They are usually responsible for the RASP.

Question 12

How does ISO Guide 73 define a risk owner?

Answer 12

“A person with the authority and accountability to make the decision to treat or not treat a risk.”

An individual with accountability for an objective has accountability for the associated risk.

Question 13

Describe the common law duties of Directors set out in the Companies Act 2006.

Answer 13

• Act in accordance with responsibilities
• Act in accordance with constitution of the company
• Promote the success of the company
• Exercise independent judgement
• Exercise reasonable care, skill and judgement
• Avoid or declare conflicts of interest
• Do not accept benefits from third parties

Question 14

How does good RM support the common law duties of Directors set out in the Companies Act 2006?

Answer 14

Good RM promotes the success of the company, and facilitates reasonable care, skill and judgement through informed decision-making.

Question 15

Boards are usually made up of exec and non-exec directors. What type of org might have a separate board non-execs?

Answer 15

A charity may have a board of execs with a separate board of governors.

Question 16

Typically, what is the relationship between an exec director and the organisation?

Answer 16

Execs are usually full-time employees of the org.

Question 17

Describe the 8 key roles of non-exec directors

Answer 17

• Constructively challenge and help develop proposals on strategy
• Scrutinise the performance of management
• Challenge integrity of risk information
• Seek assurance that financial controls and systems of RM are robust and defensible
• Determine appropriate levels of remuneration for the exec directors, succession planning
• Establish and maintain confidence in the conduct of the company
• Be independent in judgement, promoting openness and trust
• Be well informed about the org, its external environment and relevant issues

Question 18

Describe the non-exec’s role in an org’s STRATEGY

Answer 18

Constructively challenge and help develop proposals on strategy

Question 19

Describe the non-exec’s role in an org’s PERFORMANCE

Answer 19

Scrutinise the performance of management

Question 20

Describe the non-exec’s relationship to an org’s RISK

Answer 20

Challenge integrity of risk information

Question 21

Describe the non-exec’s relationship to an org’s CONTROLS

Answer 21

Seek assurance that financial controls and systems of RM are robust and defensible

Question 22

Describe the non-exec’s role in the org’s PEOPLE

Answer 22

Determine appropriate levels of remuneration for the exec directors, succession planning

Question 23

Describe how the non-exec’s relationship to CONFIDENCE in the org

Answer 23

Establish and maintain confidence in the conduct of the company

Question 24

Describe how INDEPENDENCE fits into the role of non-exec

Answer 24

Be independent in judgement, promoting openness and trust

Question 25

Describe how KNOWLEDGE fits into the role of non-exec

Answer 25

Be well informed about the org, its external environment and relevant issues

Question 26

Historically the Risk Manager role was insurance focussed. What would this involve?

Answer 26

* Establish RM strategy * Co-ordinate insurance programme for protecting org’s property and people * Work with captive insurance company to ensure their maximum contribution * Maintain key insurer relationships, cost-effective insurance contracts and monitor service providers * Measure and monitor cost of risk performance • Ensure safe-keeping and retention of insurance contracts * Supervise co-ordination of service provider activities * Co-ordinate property survey programme, RM procedures and incentive schemes

Question 27

Currently the Risk Manager role is varied and strategic and involves what?

Answer 27

* May report in to the HR Director, Finance Director, Company Secretary or treasurer. * Finance or energy company risk managers may report directly to the CEO as Chief Risk Officers (CRO) * Responsible for corporate learning re Risk Management benefits * Develops RASP and systems for ensuring RM outcomes are achieved * Greater involvement in project management and strategic delivery * More broadly involved in resilience.

Question 28

Describe the role of the Chief Risk Officer (CRO).

Answer 28

* Pulls together disparate RM activities to ensure best use of resources * Works with other managers to drive effective RM, supporting them with communicating risk info up, down and across the org * Works with IAs to ensure accuracy of reporting and value-added recommendations.

Question 29

Describe the membership of the Risk Management Committee

Answer 29

The RMC membership is dependent on size and level of risks within the org. It can be a small group of senior execs setting strategy and policy, or a knowledge-sharing group with exec representation from each unit or department.

Question 30

What should be considered if the RMC is a sub-committee of the Audit Committee?

Answer 30

Should be an executive function with clear separation from assurance and compliance activities

Question 31

How might the membership of the RMC vary in banks and financial institutions and what should be considered in this arrangement?

Answer 31

May be a committee of the board made up of exec and non-exec board members. Three lines of defence should be maintained.

Question 32

Describe the relationship between the audit committee and the RMC in the org’s structure

Answer 32

The RMC should be separate to the audit committee, and should not be senior to the audit committee to ensure the three lines of defence.

Question 33

How might the RMC functions be undertaken in a smaller org?

Answer 33

The same functions may be carried out by the exec committee or finance committee

Question 34

How does management style influence the way RM activities are factored in to an organisation’s architecture?

Answer 34

Where strategy and operations are directed by head office a centralised approach may be appropriate. Management structures that delegate responsibility to unit or divisional managers will adopt a de-centralised approach. Other org’s may adopt a hybrid approach, delegating some RM activities while maintaining a corporate approach for others e.g. Health & Safety

Question 35

Explain what is meant by the “Information and monitoring” phase of the COSO ERM framework

Answer 35

Info & Comms: Relevant info is identified, captured and communicated in a form and timeframe that enables people to carry out their duties. Effective comms also happens down, up and across the org. Monitoring: ERM is monitored and modifications made as necessary. Accomplished through ongoing management activities, separate evaluations or both.

Question 36

Describe the advantages of a RMIS.

Answer 36

Standardised data, storage and analysis, complex modelling across divisions and departments, integrated governance, risk and compliance tools.

Question 37

Describe the disadvantages of a RMIS.

Answer 37

Costly to adopt and they may lack nuance and insight. Think about RBS’ complex risk modelling mentioned in CIMA 2010, which lacked human intervention and insight.