INTHEBLACK August 2022 - Magazine - Page 49
Manjuni Gregory, Australian Office of Financial Management

“It must be a framework that is operationalised across the entire business. What are the governance arrangements? Who ultimately owns the risk? How do we report on risk? How do we develop our key risk indicators?”
AMY GRACE CPA, EY
that’s a risk or a vulnerability, they probably won’t speak up about it.”
Because it is deeply connected to people and engagement, risk management is closely tied to organisational culture. An organisation attempting to execute a risk management strategy in an environment in which staff simply don’t care about the business will be working against its own objective and purpose, Sisson says.
“It becomes a risk vortex,” she says. “Even though the organisation has the best intentions, they are actually creating the very environment they were trying to protect themselves from.”
BEST PRACTICE FOR RISK MANAGEMENT
The international risk management standard known as ISO 31000 walks a business through the purpose of risk management for that specific business, the identification of relevant risks, and the management and mitigation of those risks.
However, without a framework that brings everybody in the organisation on board, success will still be difficult to achieve.
The broadest answer to the question of who has responsibility for risk management within an organisation is – everybody.
If risk is related to culture, everybody plays a role.
More specifically, the owner of the strategy depends on the risk itself, Gregory says.
“If it’s related to a particular team, the risk owner might be the head of that team,” she says. “Depending on the organisation and their risk framework, they might already articulate at what level of the business various risks should be allocated for ownership. It might be senior managers for certain risks, and project managers for others.
“It should be somebody who has the accountability and authority to progress actions.”
The risk management strategy must be discussed regularly at the very highest levels, Grace says.
“It cannot be a document the risk manager pulls out of their drawer every now and again,” she says. “It must be a framework that is operationalised across the entire business. What are the governance arrangements? Who ultimately owns the risk? How do we report on risk? How do we develop our key risk indicators?
“Capture that lifecycle of what risk management should look like, based on the standard but in the context of the individual organisation, and embed it in all parts of the business, and the risk management rubber will hit the road.”
intheblack.cpaaustralia.com.au August 2022 49