The idea behind this would be that ‘risks are managed where they occur’. It’s a complicated question with an uncomplicated answer: in short, no, according to risk thought leader Chris Corless.
Let’s dive into this a little more deeply before we dismiss the idea entirely. For argument’s sake, let’s keep using the idea of three lines of defence as a basis. Hopefully, my answer will be helpful regardless of whether you buy into the three lines of defence model or not.
Risks should be managed where they occur. While it is management’s role to manage risks from a top-level perspective, management must simultaneously be working to achieve the results the firm has committed to, rather than doing the work of the risk manager.
Placing the responsibility for managing a risk with another party (such as senior management) lends itself to an abdication of responsibility by management. It also reduces the effectiveness of the firm’s risk management, because it becomes a bolt-on exercise carried out at some point in the future by people who have fewer resources.
The fact is that risks are better managed by the people who own the objectives because they have a better understanding of the risk and a greater chance of managing the risk in real time.
Credit risk is one example where I have seen both sides of this coin. In some organisations, there is both a sales organisation and a separate risk function to manage credit risk. Other organisations drive the sales organisation to manage credit risk as part of its sales role. There are exceptions to every rule, but I have seen much greater success with the latter set-up, because whether the organisation gets paid or not is a fundamental consideration in making a sale; when that consideration is built into the responsibility of the sales organisation, it ultimately leads to better risk management.
That said, I think there is an argument for the risk function to provide business-partnering support to those who are managing the risks day-to-day. This is especially true if you are early on your maturity journey. Perhaps the function’s or organisation’s risk policies are a little overzealous or too much of an administrative burden; either way, a helping hand to simplify risk management for management will be helpful for all.
By doing it this way, management won’t get frustrated with too much admin burden or with frameworks that still need maturing to be useful, and the risk function will get feedback on what is, and what is not, working as it works to improve.
Over time, a level of trust develops between the risk function and the business. The business gets the helping hand it needs, while the function and the organisation obtain the deep insights they need to understand how well the business is using risk to achieve better and less variable outcomes.
So ‘no’, the risk function shouldn’t be taking ownership of the risk, and ‘yes’, the risks should be managed where they sit in the organisation, as part of the drive to achieve the desired business outcomes.
That said, the risk function should be prepared to help ensure that management can achieve the minimum requirements and, for areas of big risk, to independently confirm that the minimum requirements have been met and to work to find faults in management’s thinking.
Don’t be fooled, though: this productive relationship is by no means easy to accomplish, and it requires the right culture to work.