Fundamentals of Risk Management
Risk management responsibilities
In simple terms, there is no single answer that is appropriate for all organizations. In many cases, a separate risk management committee may not be proportionate to the level of risk faced by the organization. In these cases, the responsibilities that would have been undertaken by a risk committee will still need to be allocated to a committee of appropriate seniority. Some organizations allocate risk management responsibilities to the executive committee or the finance committee of the board.

The overall aim is to achieve a prioritized, validated and audited improvement in risk management standards in the organization. The risk management committee and the audit committee should, therefore, operate in a way that provides mutual support. However, combining the two committees into a single group, or placing one committee as superior to the other will not be the best way forward for most organizations. The major concern when combining risk and audit committees is that the organization will then be operating a two lines of defence model, rather than the three lines of defence model that will provide greater protection.

23 Control of selected hazard risks

Cost of risk controls

The inherent level of a risk is the level of the risk with no control measures in place. This is sometimes referred to as the gross level of the risk. The current level of risk is the level that takes account of the control measures currently in place. This is sometimes referred to as the net level of risk or the residual risk. Throughout this book, ‘current level’ has been used instead of ‘residual level’, because this implies a much more dynamic approach to risk management.

Figure 23.1 provides an illustration of the control effect or control vector when controls are put in place. When considering the inherent, intermediate (when more than one control is in place) and target risk levels, the organization should be aware of the cost involved in implementing controls. The cost of the control measures should be considered to be part of the total cost of risk for the organization. The organization can then evaluate whether the controls in place are cost-effective.

As can be seen in Figure 23.1, a series of lines can be drawn for Risk A to represent the effect of each individual risk control measure. It is obvious that the longer the line, the greater the effect of the control. It is also the case that the longer the line, the greater the control effort, in terms of management time, effort and money. For Risk A, three controls (Control A1, Control A2 and Control A3) are required to get to the target level of risk. For Risk B, only one control is required (Control B1) and this demonstrates that much more effort is needed to maintain Risk A at the target level of risk. Management and internal audit need to be aware of this, so that they can ensure that all of the controls (especially for Risk A) are operating in an effective and efficient manner.

A simple diagram like Figure 23.1 provides an illustration of the distance between the inherent and current level of the risk. If a lower target level of risk is established, additional control effort will be required in moving the level of risk from the current to a new target level (not shown in the figure). This simple illustration of control effort is important, and demonstrates that there is value in undertaking a risk assessment at the inherent level of risk (if this is possible), so that the required control effort can be clearly identified and illustrated.