Risk managers may begin the implementation of the selected risk governance model by documenting risk management roles and responsibilities. It is quite common to describe risk management roles and responsibilities in risk management policy or a framework document. This approach seems simple to implement, yet not very effective, as business units often don’t feel ownership of these documents, instead they consider them irrelevant in everyday business and simply ignore them. There is a better way.

It is considered more effective to incorporate risk management roles and responsibilities into existing job descriptions, operational policies and procedures, various committee charters and working groups. Risk management roles and responsibilities must be identified and documented for all levels of management. As mentioned by a number of the risk managers we have interviewed, it is a much more effective than listing roles and responsibilities in the risk management policy or framework document.

That being said some people feel quite sensitive about their job descriptions, so instead of initiating major changes and updates for the sake of integrating risk management roles and responsibilities, wait for the HR to initiate change on other topics and add risk management points as part of the broader changes.  

Some of the common roles and responsibilities include:

Board of directors (if available)

• 
  
• Provide oversight of the overall risk management effectiveness
  
• Make Board level decisions with proper consideration for risks
  
• Review and establish risk-adjusted appetites/limits for certain business activities, types of risks (usually required by law) or decisions
  
• Set risk-adjusted performance targets and KPIs for CEO and the management
  

CEO

• 
  
• Responsible for establishing the overall risk management framework
  
• Make decisions with proper consideration for risks
  
• Approves the strategy, business plans and budgets based on the risk management information
  
• Set risk-adjusted performance targets and KPIs for senior management
  
• Provide timely and accurate disclosure for risk-adjusted performance, most significant risks and their treatments to the Board of Directors / investors / owners
  
• Allocate responsibility for effective risk management to risk owners
  
• Assign responsibility for designing and implementing the risk management framework
  
• Allocate resources necessary to perform business activities with risks in mind
  

Risk manager

• 
  
• Design and implement the risk management framework
  
• Coordinate risk management activities and provide methodological support for the risk-based decision making
  
• Participate in the decision-making process (if required)
  
• Participate in the preparation of management reports, providing relevant information about risks and their treatments
  
• Coordinate the work of the Risk Management Committee (if applicable)
  
• Provide risk management training or integrate risk management into existing trainings
  
• Implement activities designed to integrate risk management into the overall culture of the organization
  

Other business unit heads:

• 
  
• Identify, assess and treat risks associated with business activities or decision-making within their area of responsibility
  
• Allocate resources necessary to manage risks within their area of responsibility
  
• Optimize business processes or decision making based on the information about risks.
  

Work with your HR team to include ISO31000 knowledge and risk management competencies in job descriptions / position descriptions for new hires.