In the latest Mastering Risk Management podcast chat Anthony Wilson and Brett Palmer chat about how to resource the risk management function, and where it might sit in the reporting structure of the organisation.
In our January ’23 blog “Risk Management Resourcing – Think Again. There is a Better Way” we look at the various options available to organisations in how they resource their risk management function. Key to this is the stage of the Risk Management journey the organisation is on, and the key difference in required skills depending on the need for ongoing management, or management of change.
This latest podcast chat "Risk Resource Report" delves into the often-sensitive subject of where the risk function should report which is often an early indicator on the attitude to risk management that prevails, reporting to, or part of the C-Suite when the importance of risk management is understood, and elsewhere when it is not.
It is, of course, never a simple matter of one size fits all. And it’s important to understand the difference between the roles and responsibilities of risk management in the 1st and 2nd lines. Clearly, the 2nd line – the centralised risk management function that provides framework, support, tools (etc), needs to be independent of the business. We have lots of precedent for what can go wrong when that isn’t observed, with Enron (for those that remember) coming readily to mind.
Where the organisation is challenging the role or effectiveness of risk management the key requirement is that it report to an influencer. A change agent that is able to support the changes being driven across the organisation in the risk management function and capability. That is rarely going to be a role outside of the C-Suite. We find that whilst the role should report to the CEO, it is often the CFO that is best able to influence and drive the required change support. This isn’t the case with all CFOs, as some are more strategic in the role than others.
It becomes entirely different when the risk management function is already established, where the need to drive change is reduced. This may well see the role reporting to the CEO. In some organisations we have seen the Chief Risk Officer reporting to the Chair of the Audit & Risk Committee, with a dotted line to CEO. While the intent of such a line is admirable, in practice it is a little more challenging than it sounds.
This all links to the fundamentally important “tone at the top” messaging that needs to be consistently conveyed across the organisation. If that isn’t evident, then it won’t make much difference at all to who the risk management function reports as it simply won’t be taken seriously by anyone. Thankfully, there seems to be growing recognition of the importance of this by Boards and Executives who we generally find to be committed to change to enhance their risk management capability. In those organisations where that commitment is recognised and supported, risk management has developed, or is developing, a recognition of the value it brings to an organisation in the creation (opportunity risks) and protection (threat risks) of value.
From risk comes opportunity.