According to COSO, “Enterprise Risk Management is a process, effected by an entity’s board of directors, management and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, manage risk to be within its risk appetite and to provide reasonable assurance regarding the achievement of entity objectives.”
The role and responsibility of the Board is not only to establish the strategic direction, goals and objectives for the organisation, but also to ensure that the structure and supporting environment needed for risk management to operate in an effective and efficient manner is created and maintained.
As implied, the Board is not expected to set the scene and then delegate everything down to executive management and lower levels. Apart from leading by example, the Board of Directors, directly as a Board or through a non-executive committee or other function that fits well with the structure of the organisation, needs to maintain oversight that the established framework is functioning well.
Whilst the day-to-day operations and risk management processes are the responsibility of management (1st line), with support and review from the 2nd and 3rd lines of defence, it is the Board that needs to oversee (not micro-manage) and gain assurance that the core strategic objectives are not, and to a greater degree will not be, at risk. To this end, the Board’s focus remains centred on those risks that may have a relevant impact on the strategic objectives set forth and thus cause substantial damage to the organisation. The Board’s view of risk is not siloed to any specific department or unit, but takes into consideration multiple risks which, taken alone, would have minimal impact, but which, if incurred at the same time, could have a far greater impact on the achievement of the objectives.
It is therefore important for most organisations to ensure that they have an appropriate framework in place, including the necessary governance structure, processes and systems, to manage the risks and events that may influence the organisation’s viability.