Structuring and maintaining an integrated risk management process can be daunting, and despite the tremendous amount of documentation on the topic, most organizations are still in the early years of maturity. A common challenge organizations face is the identification of roles. The assignment of roles depends greatly on the structure and culture of your business, so any method you adopt must respect these unique attributes. While developing a structure for a client I came across ENISA's efforts and found them to be quite practical.
Classic roles for integrating risk management with operations must include:
- Senior Management/Board of Directors
  - This role is accountable for inventing Risk Management in the organization, defining the basic participating roles, creating and communicating risk awareness, and deciding on the degree of risk tolerance of the organization. Senior Management is not directly responsible for any of the Risk Management processes (since it does not execute them) and hence does not appear as a role in any of the swimlanes in the model.
- Risk Manager
  - The Risk Manager is chiefly responsible for the definition, structuring, implementation, and coordination of Risk Management in the organization. The Risk Manager can be an individual or a group, which may be hierarchically organized (local Risk Manager, global Risk Manager).
- Risk Owner
  - The Risk Owner is usually an officer in a business unit/functional unit. The Risk Owner is responsible for dealing with risks in his business unit. The main task of this role is to implement Risk Management processes according to the guidelines defined by Senior Management and the Risk Manager. Often the role is assigned to the same person as the Domain Expert role (especially in smaller organizations), due to a flat organizational hierarchy.
- Internal Audit
  - Internal Audit is responsible for monitoring the Risk Management processes. Events are tracked and the processes are evaluated against the background of the previously created Risk Management plans.
- Domain Expert
  - The Domain Expert role is responsible for assisting in the management of risks by delivering input from a specific domain perspective (consulting role). His special knowledge of a particular domain in the organization serves as a basis for identifying and treating the specific risks in that area. Additionally, the role participates in the process of monitoring the risks. The Domain Expert may be an internal person or an external one (consultant). Due to his role specification he is not responsible for any of the Risk Management processes and hence does not appear as a role in any of the swimlanes in the model. Often the Domain Expert role is assigned to the same person as the Risk Owner role (especially in smaller organizations), due to a flat organizational hierarchy.
The ENISA RM/RA Framework is presented using the HTML files exported from ADOit. This allows users to navigate, but not edit, the contents. Check out ENISA's site to see the output. Organizations should consider the steps that must be taken in order to properly construct such a visualization: identifying the processes, determining the flow of information between the activities, and finally relating data to activities. This simple process will rapidly mature your organization's understanding of cross-dependencies and criticality, while providing a method of communication.