Risk management is about managing the potential effects of uncertainty throughout the company's operations. Whenever executives and boards discuss strategy, they should be considering risk. Whenever managers make decisions, they should be thinking about the risks and doing something about them. In other words, risk management is an integral part of every business process, every decision-making process, and every management action.
The value of risk management is in its ability not only to protect value but to enhance performance and value creation. Decisions that are made with an understanding of related risks and how to manage them will be more successful.
So, who should own risk management? The managers and executives who are responsible for performance should also be responsible for managing risks to their objectives, because the two - risk and performance - are inextricably linked. In other words, everybody should collectively own risk management. The CFO has a key role as champion but needs the help of the rest of the executive team.
Ideally, then, responsibility for risk management should break down as follows:
* The board provides oversight on risk management, approving the risk appetite and strategies of the company.
* The CEO is responsible to the board for delivering performance and value. To do this, the executive and his or her team have to manage risks. In that respect, the CEO is ultimately responsible for the management of risks.
* The CFO is a champion of risk management across the enterprise and an advocate within the leadership team, in addition to managing financial-related risks and possibly supervising the risk office. Since failures in risk management are highly likely to lead to a failure to achieve strategies and goals, including financial and operational performance, the CFO should be very active and ensure that the risk management program is effective.
* The chief risk officer is a facilitator, helping develop standards and policies, coaching and guiding executives and managers, and providing the reports that give the leadership team and board an enterprise-wide view of risks to the organization.
* As a whole, the management team is collectively responsible for managing risks to the organization, and each executive for managing risks within his or her area of responsibility.
Norman Marks CPA is a vice president with SAP and a long-term internal audit and risk-management practitioner. He has been honored for his thought leadership by the Institute of Risk Management (honorary fellow) and the Open Compliance and Ethics Group (fellow). He regularly blogs and provides updates on Twitter, @normanmarks.