Where should risk management sit in the organisation?

A thought-provoking question and one that I will reserve for my most favourite answer – it depends! All kidding aside I think many options can work depending on the culture and maturity of the organisation as well as the capability of the relevant leaders.

That said I will explain some considerations that I think can be crucial to enable robust and resilient risk management over time. I’ll assume that we are referring to where the risk management function should sit within the organisation.

Risk functions have responsibility across the entire entity and support the CEO and the Board in their efforts by driving the integrity of risk insights to enhance decision making; as such a strong argument can be made for the risk function to report directly to the CEO. Often though the CEO already has too many direct reports and there is little appetite to add another even if it is the most logical solution. If that’s the case, then I think there are a few options that place the risk function as a sub-function each having pros and cons.

One potential common con with placing risk as a sub-function is ensuring the leader it reports into has the capability and desire to mature risk. This is important because risk management as a discipline is probably the function that needs maturing the most. Without capable senior leadership, the risk function is pretty much doomed as its leader will focus on his/her core competencies leaving the risk function to at best meander a long or at worst minimise it because of a lack of interest/understanding. While this can happen regardless of the broader function the risk function reports into I think there are three functions to place the risk function in that make the most sense depending on your culture and risk maturity.

The Chief Legal Officer/Company Secretary. Leader of Strategy and Planning, and Chief Improvement/Transformation Officer are three potential areas that can be a home for the risk function depending on the maturity of these functions, their Leaders and the risk function.

The Chief Legal Officer/Company Secretary is often becoming the home of functions that support the entire organisation and all things related to the core governance of the organisation both at the executive and board levels which makes including the risk function a natural fit. If your primary focus is improving how the organisation considers risk related to strategy, planning and decision making then it might make more sense to place the risk function inside the broader strategy and planning function.

Finally, some organisations have a Chief Transformation/Improvement Officer with the primary responsibility of measuring uncertainty/variability in the organisation and tracking plans to reduce it where there is a meaningful impact. I think it could also be a natural home for the risk function especially if you think of your risk function as one that helps address unwanted risk and uncertainty in the organisation. I am hoping that the Strategy/Planning functions, Transformation and Risk functions come together more cohesively in the future as I think it might be the best way to combat risk and uncertainty across all aspects of the organisation.

I don’t think we can have a conversation about where to place the risk function in the organisation without discussing how the function interacts with the Board. In many instances, the Risk and Audit committee is the key interface to the board. This particular committee typically has a high volume of heavy issues involving financial reporting/accounting treatment and internal audit which tends to focus the expertise on the committee in these areas; in other words, there can be a lot of focus on the Audit side of the name.

In Australia, at least, the Sustainability committee also has an interest in risk especially those related to health, safety, environment and communities which can at times create silos of risk right from the board level down. Fortunately, I think there is a relatively easy way to overcome these challenges – specifically have a dedicated risk management committee with its own chair. This help to ensure that silos around risk are broken down at the board as well as provides sufficient time, capacity and hopefully skills to discuss all things risk at the board level.

Every organisation is different, and not everyone will experience the challenges I have identified, at least that might be true in the present, and that’s because of the current people in the roles. But if there is one thing that is true with organisations is that people change and with them sometimes the effectiveness of the governance structure – so why not work to alleviate that possibility especially if it has a periodic impairment of properly functioning risk management.