M4 Risk Architecture and Structure


Risk Architecture and Structure
This risk architecture should be set out in the risk management policy for the
organization. Terms of reference of the various committees and a schedule of
the activities should also be established, either in the risk management
policy or in a calendar of risk management activities. This schedule of
activities should be aligned with the other corporate activities in the
organization.
For a large organization with non-executive directors, the audit committee
should also be shown in the risk management architecture. The role of the
audit committee and the role of the head of internal audit are important in
fulfilling the risk management strategy of the organization.
Divisional management should be provided with guidance from the group
risk management committee. If there is a divisional committee, it should be
required to send reports to the group risk management committee, so that the
corporate or group overview of risk management priorities can be
established.
Corporate Structure
There are many ways for risk management reporting lines to be established. The reporting
structure should be proportionate to the level of risk and the complexity of the organization.
For high-risk organizations, such as those in the finance sector, the risk committee is likely to
be a direct sub-committee of the board. In these circumstances, it is likely that the risk
committee will be chaired by the group finance director and it will have other senior
representation from the board. In general, the risk management committee should be an
executive committee made up entirely of executive directors with no non-executive director
membership. This is because the management of risk is an executive function and non-
executive directors are primarily responsible for audit and risk assurance. Typically, the risk
management committee will send reports to the audit committee, and that will be the
opportunity for non-executive directors to evaluate risk performance and obtain risk assurance.
Most large organizations will already have an audit committee, chaired by a
senior non-executive director. An option considered by many organizations is
to extend the role of the audit committee to include all aspects of risk
management or to establish a separate risk management group chaired by an
executive director. There is a strong justification for the RMC to be an
executive group, rather than part of any existing non-executive audit
committee. This is necessary because risks need to be managed in a proactive
manner as an executive responsibility. The existing audit committee is likely
to treat the management of risk as a non-executive (reactive) auditing of
compliance. Separation of executive responsibility for the management of
risk from non-executive responsibility for auditing and review of compliance
will also be consistent with good corporate governance principles.
Some organizations have established the RMC as a sub-committee of the audit
committee. If this is the case, actions need to be taken to ensure that risk is
managed as an executive responsibility, rather than audited as a
compliance/assurance issue. In fact, establishing the RMC as a sub-committee of
the audit committee could impair the work of the RMC because of increased
bureaucracy and an unhelpful emphasis on auditing and compliance, rather
than proactive management of risks. Membership of the RMC is another
question that needs to be addressed. The fundamental decision to be taken in
large organizations is whether the risk management committee should be a
small senior executive group setting strategy and policy or whether it should be
a knowledge-sharing group with representation from each of the units or
departments within the organization. The answer will depend on the structure
of the organization and the intended role of the committee.
To keep under review the effectiveness of the risk
management infrastructure of the company, including:
• assessment of risk management procedures in accordance with changes in the
operating environment
• consideration of risk audit reports on the key business areas to assess the
level of business risk exposure
• consideration of any major findings of any risk management reviews and the
response of management
• assessment of the risks of new ventures and other strategic, project and
operational initiatives
Risk Communications
Accurate communication on risk issues is vitally important. Internal communication within the
organization will be undertaken through the risk architecture. This is the formal risk communication
structure related to risk control activities and the collecting of information for external risk reporting
purposes. For example, a road haulage company may wish to bring focus to the efficient operation of the
organization and ensure that risk management receives appropriate attention. In these circumstances, the
company might decide to introduce a number of measurable loss control programs. The board of the
company has requested a report at every board meeting on the number of road accidents, frequency of
vehicle breakdowns, level of fuel consumption and reported incidents during deliveries. These reports
will enable the board to benchmark the performance of the company, in comparison both with
competitors and also with historical data for the company itself. In this case, the board is monitoring
performance, whereas the management of the improved risk performance remains an executive
responsibility to be delivered by line management.
Within some organizations, risk communication may also be more informal.
Communication will take place during risk assessment workshops and at risk
training courses. Communication arrangements are part of the risk culture
and this is considered in more detail in a later Part of this book. External risk
communications should be considered as having two components.
Communication will need to take place with external stakeholders, including
the media, the general public and pressure groups.
For example, if a road haulage company wishes to extend the vehicle storage
depot, there will be a need to communicate with stakeholders, as well as
local authority planning departments. The company will need to prepare
arguments that provide an evaluation of any risks to the community that may
increase when the depot is extended. The public perception of what is
proposed and the impact on the vicinity may not be fully accurate.
Accordingly, the company will need to prepare honest, open and detailed
arguments that assure all interested parties that adequate risk control
arrangements are in place.
Risk Communication
The formal development of risk communication as a subject began in the late 1970s
with efforts by the nuclear and chemical industries in the United States to counteract
widespread public concern about those technologies. It was believed that clear,
understandable information was all that was needed to make people see that the risks
were lower than many feared. For decades this approach has failed, and most risk
communication experts say it is inadequate. Perceptions of risk, and the behaviours
that result, are a matter not only of the facts but also of our feelings, instincts and
personal life circumstances. Communication that offers the facts but fails to account
for the affective side of our risk perceptions is simply incomplete.
Risk Communication
Risk communication is also commonly thought of as what to say under crisis
circumstances, but this is inadequate. While it is certainly true that
communication in times of crisis is important in managing the public
response, countless examples have taught that a great deal of the
effectiveness of risk communication during a crisis is based on what was
done beforehand.
Risk Maturity
The characteristics of each of the four levels of risk maturity are described in the table. Clearly,
it is better for an organization to seek a higher level of risk maturity.
However, the approach to achieving risk maturity in the organization should
be proportionate to the level of risk that the organization faces. The level of
risk maturity within an organization will help define the level of
sophistication that the organization has in its risk management activities.
Four levels of risk maturity
• Level 1 Naïve
• Level 2 Novice
• Level 3 Normalized
• Level 4 Natural
Level 1 Naïve
Level 1 organizations are unaware of the need for the management of risk or
do not recognize the value of structured approaches to dealing with
uncertainty. Management processes are repetitive or reactive, with
insufficient attempt to learn from the past or to prepare for future threats or
uncertainties.
