Fundamentals of Risk Management

Risk strategy
264
Risk architecture in practice
Figure 22.1 shows the risk architecture for a typical large corporate entity that is
subject to the requirements of the Sarbanes–Oxley Act. This risk architecture should 
be set out in the risk management manual for the organization. Terms of reference of 
the various committees and a schedule of the activities should also be established, 
either in the risk management manual or in a calendar of risk management activities. 
This schedule of activities should be aligned with the other corporate activities in 
the organization.
Figure 22.1 Risk architecture for a large corporation

The board
• Overall responsibility for risk management

Executive committee
• Ensure risk management is embedded into all processes
• Review group risk profile

Audit committee
• Receive routine reports from group RM committee
• Set audit programme
• Monitor progress with audit recommendations

Disclosures committee
• Review and evaluate disclosure controls and procedures
• Consider materiality of information disclosed to external parties

Group risk management (RM) committee
• Formulation of strategy and policy
• Compile group risk register
• Receive reports from divisions
• Track RM activity in the divisions

(Arrows between the group RM committee and divisional management are labelled "Inform and monitor actions" downwards to the divisions and "Reports for evaluation" upwards to the group RM committee.)

Divisional management
• Prepare and keep up-to-date the divisional risk register
• Set risk priorities for division
• Monitor projects and risk improvements
• Prepare reports for group RM committee
• Manage self-certification activities


Risk management responsibilities
265
For a large organization with non-executive directors, the audit committee should 
also be shown in the risk architecture. The role of the audit committee and the role 
of the head of internal audit are important in fulfilling the risk management strategy 
of the organization.
For organizations subject to the requirements of the Sarbanes–Oxley Act, there 
will also be a requirement to ensure that all information disclosed by the company is 
accurate. In many large organizations, this requirement has resulted in the establishment 
of a disclosures committee. The role of the disclosures committee is to check 
the source and correctness of all information that is disclosed by the organization. 
Sarbanes–Oxley requires financial information to be evaluated with a higher level of 
scrutiny.
The risk architecture of an organization sets out the hierarchy of committees and 
responsibilities related to risk management and internal control. In the structure 
shown in Figure 22.1, the corporate risk management committee focuses on execu-
tive risk management activities.
Risk management responsibilities for activities at divisional or unit level should 
be allocated to divisional management. Divisional management is responsible for 
coordinating the identification of significant risks at divisional level, compiling the 
risk register for the division and ensuring that adequate controls are identified and 
implemented.
Divisional management should be provided with guidance from the group risk 
management committee. If there is a divisional committee, it should be required to 
send reports to the group risk management committee, so that the corporate or 
group overview of risk management priorities can be established.
For a public-sector or charity organization, the risk architecture will be somewhat 
different. Figure 22.2 sets out a typical risk architecture for a charity. In this case
risk management activities are focused on the governance and risk committee. The 
flow of information and the control of risk management activities are illustrated by 
the arrows in Figure 22.2.
It is clear from Figure 22.2 that risk governance for charities is a much higher-profile 
issue than in many other organizations. There have been reports that trustees 
of charities consider governance issues to be their primary concern. This implies 
that many trustees of charities consider that governance is more important than 
raising money for the charity that they support. This could be an example of concerns 
about risk management becoming so great that they deform the nature of the 
organization.
There are many ways for risk management reporting lines to be established. The 
reporting structure should be proportionate to the level of risk and the complexity 
of the organization. For high-risk organizations, such as those in the finance sector, 
the risk committee is likely to be a direct sub-committee of the board. In these
circumstances, it is likely that the risk committee will be chaired by the group finance 
director and it will have other senior representation from the board.
In general, the risk management committee should be an executive committee 
made up entirely of executive directors with no non-executive director membership. 
This is because the management of risk is an executive function and non-executive 
directors are primarily responsible for audit and risk assurance. Typically, the risk 