Identifying critical stakeholders and their responsibilities
Enterprise risk is a multifaceted challenge that demands collaboration across the organization. While the CEO or the board may ultimately be responsible for the enterprise's risk strategy, other stakeholders have critical roles to play.
Corporate governance principles mandate that the board oversees the risk management process, including the methods by which management identifies and assesses risks. The board needs to define explicitly which risks require regular discussion by the full board and which can typically be entrusted to a specific board committee. Although many boards already have an established risk governance framework, it remains imperative to re-evaluate that structure regularly in light of emerging risks.
The board is also expected to set an explicit risk tolerance level for the organization: the maximum level of risk acceptable for each individual risk. This is distinct from the overall risk appetite, which represents the total amount of risk the organization is willing to accept within a given risk profile.
In some sectors, such as financial services, firms establish a risk committee. This authorized sub-committee of the board is tasked with evaluating the organization’s risk appetite and tolerance and reporting its findings back to the board. It also reviews the enterprise risk management framework, which covers the principles, policies, culture, organization, behaviours, systems, processes, and procedures through which risk is managed.
The concept of risk ownership rests on the premise that, while risks can be broadly categorized as operational, financial or strategic, managing their specifics requires intimate knowledge of the area in which they arise.
Assigning ownership to those with the relevant expertise and authority leads to more effective risk management. For instance, risks relating to your organization’s website would ideally be owned by someone in the IT department who understands how the site is built and operated and what its compromise or outage would mean for the wider digital infrastructure. This approach helps in large firms, where the board might otherwise be briefed inaccurately or incompletely on the specifics of certain risks.