Not many years ago, many managers believed that internal auditors were responsible for internal control. That was dispelled when COSO published Internal Control–Integrated Framework in 1992. It made it clear that management was responsible for the design and operation of internal controls, the board provided governance, and internal audit’s job was to audit the controls and provide assurance they were effective. The CFO retains a critical role as the champion of effective internal control, not only over financial reporting and other finance-related activities, but in all areas critical to the success of the enterprise.
Are people now making a similar mistake when it comes to risk management? A June 29th article clearly indicated that as more companies hire Chief Risk Officers, executives are looking to them as the primary owners of risk management.
Let’s see what COSO said in its 2004 Enterprise Risk Management–Integrated Framework:
“The chief executive officer is ultimately responsible and should assume ownership.”
“Other managers support the entity’s risk management philosophy, promote compliance with its risk appetite, and manage risks within their spheres of responsibility consistent with risk tolerances.”
“A risk officer... and others usually have key support responsibilities.”
It very clearly says that the CRO has a support role and “other managers… manage risks within their spheres of responsibility.” But it also says that the CEO owns risk management. Is this correct, and is it practical? A Business Finance article reported that they found “CEOs holding ironclad accountability for ERM.” But they also said that the CFO was most frequently the executive with “direct oversight of the core ERM team.” Does that mean that the CEO should look to the CFO to ensure effective risk management processes and practices? My opinion is that the CFO has a key role to play — as a leader and champion — but that the executive leadership team should be responsible collectively for managing risks. The CEO may be the ultimate owner in theory, but in practice he works through the management team.
This view is supported in the 2009 ISO 31000 risk management standard. It says that “risk management is not a stand-alone activity that is separate from the main activities and processes of the organization. Risk management is part of the responsibilities of management and an integral part of all organizational processes, including strategic planning and all project and change management processes.”
In my June 15th article on “How to manage risk management”, I said that risk management is “about managing the potential effects of uncertainty throughout your business operations. Whenever executives and the boards discuss strategies, they should be considering risk. Whenever a manager makes a decision, she should be thinking about the risks and doing something about them.” In other words, risk management is an integral part of every business process, every decision-making process, and every management action.
Before answering the question of “who is responsible for managing risk”, let’s ask another question: “who is responsible for optimizing performance?” The answer is, of course, the management team — individually and collectively, with leadership by the CEO and the CFO. The CFO in particular is concerned with anything that may detract from optimizing performance and achieving financial and operational goals.
The people who are responsible for optimizing performance are also responsible for managing risks. After all, the risks we are concerned about are those that affect our ability to achieve our strategies and objectives and deliver optimized performance. The CRO acts as a facilitator, supporting analyst, cheerleader, and guide.
In my ideal organization:
The board provides oversight on risk management, approving the risk appetite and strategies of the company.
The CEO is responsible to the board for delivering performance and value. To do this, he and his team have to manage risks. In that respect, he is ultimately responsible for the management of risks.
The management team is collectively responsible for managing risks to the organization, and each executive for managing risks within his area of responsibility.
The CRO is a facilitator, helping develop standards and policies, coaching and guiding executives and managers, and providing the reports that give the leadership team and board an enterprise-wide view of risks to the organization.
The CFO is a champion of risk management across the enterprise and an advocate within the leadership team, in addition to managing financial-related risks and possibly supervising the risk office. Since failures in risk management are highly likely to lead to a failure to achieve strategies and goals, including financial and operational performance, the CFO should be very active and ensure that the risk management program is effective.
What do you think? Who should own risk management? I welcome your views.