Roles and Responsibilities
As noted, experience shows that a company starting down the ERM path often does so because of impetus from the board of directors. The board or audit committee wants to be sure the company is appropriately identifying and managing risk, and that the board itself is apprised of the most significant risks and how management is dealing with them.
Accordingly, senior management tends to focus initially on the upstream reporting, seeing to it that managers at various levels provide the risk-based information that ultimately is processed and synthesized for presentation to the board. An associated natural inclination is to assign to one individual, perhaps a chief risk officer, responsibility for accumulating the information and developing presentations to the board. And a related tendency is to look to that individual to ensure that risks remain within desired risk tolerances and that the totality of risk is within the company's risk appetite. That is, this chief risk officer is responsible for risk management in the company.
While this approach is appealing in its simplicity and focused accountability, it seldom works, for at least two critical reasons. First, reporting risks upstream through a centralized function adds administrative burden and actually gets in the way of enabling managers to interface in normal reporting relationships to deal effectively with risk in their spheres of responsibility. And second, it's not possible for any one staff individual ...