Example: Monash University Risk Procedures
1. Establishes the function of the Risk and Compliance Unit (specialist second line risk managers) to develop and maintain the risk management framework.
2. Responsibility of the RCU to provide risk management advice and services. Like many organisations, they are not the functional specialists skilled to manage the risks (e.g. property risk) but they are experts in the discipline of risk management (i.e. a “devolved” model).
3. Accountability to report matters to the Audit and Risk Committee of Council (governing body).
4. Implement the University’s Enterprise Risk Management function by:
   a. Establishing key risk indicators
   b. Reporting on the risk profile
   c. Identifying and reporting emerging risks
   d. Maintaining a register of operational risk issues
   e. Identifying and assessing regulatory obligations
   f. Assisting risk assessments on key projects

Three Lines of Defence model of risk governance
First Line
Line managers. Those that are responsible to operate the business, invest in projects, etc., and are therefore the creators of the risk. Their responsibility is to ensure risk is integrated in all decision-making and risk is maintained within appetite. They do the actions that control risk.
Second Line
Functional specialists not involved in profit-generating activities or operations. Their role is to design and implement the risk framework, provide assistance and expertise to the first line in performing risk management, collate information, and report and escalate issues to the Board and governance committees. Typically includes the Enterprise Risk Management function and the Chief Risk Officer.
Third Line
Audit function. Their role is to assure the Board that the risk management framework is operating effectively. They do not do risk management or design the risk management framework.
Aim is to strengthen governance by separating roles and accountabilities.

Example: Roles and responsibilities for Monash University
Illustrates:
1. three lines of defence and oversight
2. role of the central Enterprise Risk Management function (the RCU)
3. similar in any large diversified business
Source: Monash University Risk Management Manual

The Risk Appetite Statement
The Risk Appetite Statement (RAS) is a formal written statement approved by the Board that:
• Defines the types of risks that the organisation is willing and not willing to take; and,
• The amount of those risks it is willing to take.
[Figure: Example of a Risk Dashboard showing levels of risk appetite consumed. Source: Enterprise Risk Management: Where is the Evidence?, McKinsey Working Papers on Risk No. 53, 2014.]

Key terms used when describing an organisation’s risk appetite

Capacity versus tolerance
● Remember capacity is the maximum risk the organisation can sustain for that risk.
● Tolerance is how much variation in risk the Board is willing to accept.
● The risk appetite is the maximum tolerance and is a function of the Board’s attitude to risk.
● Existing risk profile is how much risk currently exists, shown relative to tolerance and capacity.

