A sound system of internal control provides assurance that the organisation will not be hindered in achieving its objectives, or in the orderly and legitimate conduct of its business, by circumstances which may reasonably be foreseen. Therefore, one of the key systems within an organisation's internal control is risk management. All levels of the organisation have a role in risk management.
Leaders of the organisation must ensure that risk management practices and ethos are well embedded into its culture, and set policies and procedures which ensure that the organisation complies with current best practice management arrangements. Leadership is also responsible for:
- Approving the risk management framework and monitoring its effectiveness;
- Regularly reviewing the corporate risk register;
- Reviewing the reporting structures on risk management;
- Approving the organisation's risk appetite statement;
- Overseeing the implementation of the risk management framework;
- Monitoring the management of risk throughout the organisation; and
- Coordinating the management of risk for business processes that may cross the boundaries of business areas, divisions and locations (“cross-cutting” issues).
Chief Risk Officer
Leaders may delegate certain risk management responsibilities to the chief risk officer. Some of their responsibilities can be:
- Identifying, measuring and managing risk;
- Quality assuring the risk management process across the organisation;
- Co-ordinating the preparation and updating of the risk register;
- Ensuring that sufficient training has been made available to management and staff; and
- Promoting a risk management culture in the organisation.
In many organisations, the audit committee has a key role to play in the risk management process. It can review and monitor various aspects of the risk management system, and can seek assurance around risk management from audits and control reviews, from communications with the Comptroller and Auditor General, and from Chief Risk Officer and management assurances on risk management and control arrangements.
All staff members have a key part to play in managing risk by:
- Being aware of the nature of risks in their day-to-day work, as well as being aware of the corporate risk register;
- Monitoring the effectiveness of management procedures created to mitigate those risks identified;
- Being responsive to the changing nature of the risks and opportunities of the organisation; and
- Proactively identifying and mitigating, where possible, significant risks and bringing these to the attention of management.
There is a wide range of relevant guidance on effectively implementing risk management within organisations, including risk management guidance from the Department of Public Expenditure and Reform. In terms of international best practice, International Standards Organisation (ISO) 31000:2018 Risk Management - Principles and Guidelines provides authoritative guidance on what organisations need to do to embed risk management systems and processes.