TAGS: Roles; Responsibilities; Accountabilities

Risk management should work at any organizational level, as well as through participation by the entire staff, according to respective roles and functions.

The governing board is responsible for ensuring the setup of an effective risk management system throughout the organization.

The risk committee/board entity is an oversight entity governing the risk management system together with other strategic matters. The committee/board sets risk appetite in cooperation with senior management, and communicates it throughout the organization. The committee/board is responsible for: monitoring compliance with the organization’s risk policy; monitoring the adequacy of controls; monitoring changes to the organization’s risk profile, considered as a part of the organization’s strategy and planning processes; assisting senior management in selecting the key risks; periodically reviewing the risk management reporting system as well as the adequacy of risk management resources; escalating and reporting material risk issues to the chief statistician for consideration.

The risk manager works under the guidance of the committee/board, is skilled (or even certified) in risk management, and is supported by sufficient staff for the size of the organization (see the risk management unit below). The risk manager is responsible for: cooperating with top management in identifying high risk areas related to strategic or business processes; cooperating with top management in defining treatment actions related to key risks and supervising the risk management process. The role should also include: promoting a consistent use of risk management and ownership of risk at all levels within the organization; building a risk-aware culture throughout the organization, including proper education and training; developing, implementing and reviewing risk management; coordinating the other advisory functions on specific aspects of risk management; coordinating responses when risks impact more than one area; managing quality within risk management; reporting, escalating and communicating risk management issues to key stakeholders.

Top management is responsible for: ensuring that there is a fit-for-purpose and up-to-date risk management framework, that processes are in place and that risk management is adequately resourced and financed; providing strategic direction on the appropriate consideration of risk in decisions, setting risk appetite and associated authority; approving the risk management policy, and disseminating culture on managing risk; ensuring that key risks facing the organization are properly assessed and managed; providing direction and receiving feedback on the effectiveness of risk management and compliance with the risk management policy.

Heads of departments/divisions/units must actively manage risks that are part of daily work by complying with the enterprise risk management framework. In particular, such offices: establish risk management objectives and formulate key risk indicators; clarify the risk management strategy and risk appetite to their staff; implement the risk management processes; manage the risks that fall within their areas of responsibility; cooperate in identifying key risks; monitor risk management action programs; regularly report to senior management any news or changes to existing risks, or failures of existing control measures.

All staff must take risks into account when making decisions and are responsible for the effective management of risks, including their identification. All staff are responsible for understanding and implementing risk management policies and processes.

Internal audit (see details in Section 2, Ch. 5) is responsible for reporting to the board on the adequacy of risk management processes within the organization, giving assurance on: their design and how they are working; the effectiveness of controls and response actions to key risks; reliability and suitability of risk assessment. The internal audit mandate is carried out by an independent office that reports directly to the chief statistician.

The risk management unit is coordinated by the risk manager and is responsible for: collecting the risk identification form that is filled in by those structures (directorates, divisions, units) under the responsibility of the related risk owner; analysing these forms and proposing preliminary treatment actions, escalating risk if it exceeds the unit’s level of authority; validating the closing solution; setting tasks, risk indicators, targets and deadlines for proposed actions; preparing documentation for escalated risks and submitting it to the appropriate management level (in particular for cross-cutting actions); monitoring the implementation of control actions, evaluating the results and proposing corrective actions; filling in the risk register; filing risk documents; preparing risk documentation and submitting it to the risk manager; preparing risk management meetings.

Descriptions of tasks, deadlines and responsibilities for all the risk management process actors must be included in a procedure to be made known throughout the whole organization.
