The Board is Responsible.
The CEO is Responsible.
Top Management is Responsible.
The CRO is Responsible.
The Business Unit Heads are Responsible.
The CFO is Responsible.
And on and on…
But this sounds like a recipe for disaster. When everyone is responsible, often no one takes responsibility. And if everyone is responsible, how is a decision ever reached?
Everyone needs to have different responsibilities within an ERM program. So most often, people are given partial responsibility for ERM depending upon their everyday job responsibilities.
In addition, a few people are given special new responsibilities, and new roles (usually part time) are created to crystallize those responsibilities. Those new roles are most often called:
- Risk Owners
- Risk Committee Members
But there are lots and lots of ways of dishing out the partial responsibilities. RISKVIEWS suggests that there is no one right or best way to do this. But instead, it is important to make sure that every risk management task is being done and that there is some oversight to each task. (Three Lines of Defense is nice, but not really necessary. There are really only two necessary functions – doing and assurance.)