First-line risk management leadership is all about engagement: placing responsibility for the various building blocks of an effective risk management program—strategic alignment, expertise, processes, assurance—with the line of defense best prepared to execute them.
Shifting risk management activities to the first line of defense is only one part of moving towards a more proactive, strategically aligned risk management program. Building a risk management ecosystem optimized for today’s challenges requires buy-in across the enterprise. Here are five steps that can set your organization on the right path.
The Chief Executive Officer (CEO) must set the tone for a constructive risk culture, promote a coherent, organization-wide risk appetite framework, and align risk management with strategic planning.
The Chief Financial Officer (CFO) should support calibration of risk management decision making by allocating resources to the lines of defense and to decision making points.
The Chief Risk Officer (CRO) enables effective risk management by promoting active monitoring, leading risk tolerance training, and coordinating with the CIO/CISO to manage cyber risk organization-wide.
The Chief Compliance Officer (CCO) takes a leadership role in helping the organization aggregate risk. CCOs are more likely than other titles to say they have a formal process for aggregating risk across the company and that they review results against a defined risk appetite (58% vs. 51% for CROs).
The Chief Information Officer (CIO), who owns all the technology risk, equips the lines of defense with the necessary technology for predicting and monitoring risk. The Chief Information Risk Officer (CIRO) coordinates with the CRO to monitor cyber and data privacy risk.
The Chief Audit Executive (CAE), as the third and independent line of defense, must continually evaluate the risk management program as a whole, including the CRO’s effectiveness, and independently assess first- and second-line risk activities.
The Board of Directors supports the CEO in setting a top-down risk culture and overseeing aggregated risk in the context of the organization’s risk appetite and risk tolerance framework.
“Shifting risk responsibility back to first line and moving the second line into the oversight role takes a great deal of collaboration, but it can be difficult to collaborate and provide effective challenge at the same time.”