Example: Monash University Risk Procedures

1. Establishes the function of the Risk and Compliance Unit (RCU), the specialist second-line risk managers, to develop and maintain the risk management framework.
2. Responsibility of the RCU to provide risk management advice and services. Like many organisations, they are not the functional specialists skilled to manage the risks themselves (e.g. property risk), but they are experts in the discipline of risk management (i.e. a "devolved" model).
3. Accountability to report matters to the Audit and Risk Committee of Council (the governing body).
4. Implement the University's Enterprise Risk Management function by:
   a. Establishing key risk indicators
   b. Reporting on the risk profile
   c. Identifying and reporting emerging risks
   d. Maintaining a register of operational risk issues
   e. Identifying and assessing regulatory obligations
   f. Assisting risk assessments on key projects
Three Lines of Defence model of risk governance

First Line: Line managers. Those who are responsible for operating the business, investing in projects, etc., and are therefore the creators of the risk. Their responsibility is to ensure risk is integrated in all decision-making and that risk is maintained within appetite. They do the actions that control risk.

Second Line: Functional specialists not involved in profit generation or operations. Their role is to design and implement the risk framework, provide assistance and expertise to the first line in performing risk management, collate information, and report and escalate issues to the Board and governance committees. Typically includes the Enterprise Risk Management function and the Chief Risk Officer.

Third Line: Audit function. Their role is to assure the Board that the risk management framework is operating effectively. They do not do risk management or design the risk management framework.

The aim is to strengthen governance by separating roles and accountabilities.
Example: Roles and responsibilities for Monash University

Illustrates:
1. the three lines of defence and oversight
2. the role of the central Enterprise Risk Management function (the RCU)
3. a structure similar to that of any large diversified business

Source: Monash University Risk Management Manual
The Risk Appetite Statement

The Risk Appetite Statement (RAS) is a formal written statement approved by the Board that:
• Defines the types of risks that the organisation is willing and not willing to take; and
• Defines the amount of those risks it is willing to take.

Example of a Risk Dashboard showing levels of risk appetite consumed. Source: Enterprise Risk Management: Where is the Evidence?, McKinsey Working Papers on Risk No. 53, 2014.
Key terms used when describing an organisation's risk appetite
Capacity versus tolerance

● Remember that capacity is the maximum risk the organisation can sustain for that risk
● Tolerance is how much variation in risk the Board is willing to accept
● The risk appetite is the maximum tolerance and is a function of the Board's attitude to risk
● The existing risk profile is how much risk currently exists, shown relative to tolerance and capacity