Who Has or Should Have the Ultimate Responsibility for Managing Risk?

Norman Marks, CRMA, CPA, is a vice president for SAP and has been a chief audit executive and chief risk officer at major global corporations for more than 20 years.


Last year, CFO.com published an article by me on the topic of "Who owns risk management? Everybody". The original and longer version is shown below.


Not many years ago, many managers believed that internal auditors were responsible for internal control. That was dispelled when COSO published Internal Control–Integrated Framework in 1992. It made it clear that management was responsible for the design and operation of internal controls, the board provided governance, and internal audit’s job was to audit the controls and provide assurance they were effective. The CFO retains a critical role as the champion of effective internal control, not only over financial reporting and other finance-related activities, but in all areas critical to the success of the enterprise.

Are people now making a similar mistake when it comes to risk management? A June 29th article clearly indicated that as more companies hire Chief Risk Officers, executives are looking to them as the primary owners of risk management.

Let’s see what COSO said in its 2004 Enterprise Risk Management–Integrated Framework:

  • “The chief executive officer is ultimately responsible and should assume ownership.” 
  • “Other managers support the entity’s risk management philosophy, promote compliance with its risk appetite, and manage risks within their spheres of responsibility consistent with risk tolerances.”
  • “A risk officer... and others usually have key support responsibilities.”

It very clearly says that the CRO has a support role and “other managers… manage risks within their spheres of responsibility.” But it also says that the CEO owns risk management. Is this correct, and is it practical? A Business Finance article reported that they found “CEOs holding ironclad accountability for ERM.” But they also said that the CFO was most frequently the executive with “direct oversight of the core ERM team.” Does that mean that the CEO should look to the CFO to ensure effective risk management processes and practices? My opinion is that the CFO has a key role to play — as a leader and champion — but that the executive leadership team should be responsible collectively for managing risks. The CEO may be the ultimate owner in theory, but in practice he works through the management team.

This view is supported in the 2009 ISO 31000 risk management standard. It says that “risk management is not a stand-alone activity that is separate from the main activities and processes of the organization. Risk management is part of the responsibilities of management and an integral part of all organizational processes, including strategic planning and all project and change management processes.”

In my June 15th article on “How to manage risk management”, I said that risk management is “about managing the potential effects of uncertainty throughout your business operations. Whenever executives and the boards discuss strategies, they should be considering risk. Whenever a manager makes a decision, she should be thinking about the risks and doing something about them.” In other words, risk management is an integral part of every business process, every decision-making process, and every management action.

Before answering the question of “who is responsible for managing risk”, let’s ask another question: “who is responsible for optimizing performance?” The answer is, of course, the management team — individually and collectively, with leadership by the CEO and the CFO. The CFO in particular is concerned with anything that may detract from optimizing performance and achieving financial and operational goals.

The people who are responsible for optimizing performance are also responsible for managing risks. After all, the risks we are concerned about are those that affect our ability to achieve our strategies and objectives and deliver optimized performance. The CRO acts as a facilitator, supporting analyst, cheerleader, and guide.

In my ideal organization:

  • The board provides oversight on risk management, approving the risk appetite and strategies of the company.
  • The CEO is responsible to the board for delivering performance and value. To do this, he and his team have to manage risks. In that respect, he is ultimately responsible for the management of risks.
  • The management team is collectively responsible for managing risks to the organization, and each executive for managing risks within his area of responsibility.
  • The CRO is a facilitator, helping develop standards and policies, coaching and guiding executives and managers, and providing the reports that give the leadership team and board an enterprise-wide view of risks to the organization.
  • The CFO is a champion of risk management across the enterprise and an advocate within the leadership team, in addition to managing financial-related risks and possibly supervising the risk office. Since failures in risk management are highly likely to lead to a failure to achieve strategies and goals, including financial and operational performance, the CFO should be very active and ensure that the risk management program is effective.

What do you think? Who should own risk management? I welcome your views.


Posted on Mar 3, 2012 by Norman Marks


  1. In my opinion organizations have an obligation to create and preserve value for their shareholders and stakeholders. So my question is who owns Value Management in your organization?

  2. Mike, if you manage the risks as Norman is indicating above, then you will have managed the value because the value will be articulated through the strategic objectives which will have been articulated and spelled out. So the answer to your question as to who owns the value is the parties that Norman has articulated above. For example, if a company has a strategic objective this year of reducing supply chain costs by $1 billion, this is a value proposition. There will be risks to achieving this objective. What Norman is saying is to "follow the yellow brick road" as he articulates above in terms of who owns what.

    Norman, I agree with everything you are saying. I might add a bit more meat and potatoes to the section where you say that the Board provides the oversight on risk management. I would spell out the key things that this entails so that it is not left in a vacuum. For example, they are responsible for making sure that what they receive from Management is indeed a comprehensive prioritized summary of the business risks and that such risks do not exceed the risk appetite/risk criteria of the company. They should also make sure that an independent review of the risk management program is performed, preferably by the internal auditors.

  3. Norman,

    Overall I agree with everything you discuss in your article. However, when it comes to responsibilities, roles and accountability for risk management and in particular the Board, I would like to argue that their role is a bit more encompassing than just simply approving the risk appetite. To adequately discharge its responsibility for oversight, the Board must ensure they understand the rationale and overall adequacy of the process by which management identifies, measures, classifies and manages key risks associated with relevant business objectives. A key first step in any ERM is to set the proper risk appetite of the organization, which may be quite different from the risk appetite of management or that of the board members. While management owns the risk management process, the Board is responsible for ensuring that management is going about it in a way that provides a reasonable assurance that the process in place is dynamic and effective and that management's criteria for setting risk appetite are consistent with the overall risk appetite of the organization and its stakeholders. The Board plays a key role in keeping management honest and focused on the management of key business risks.

    Hope you find this useful to further complement your discussion, which I personally find to be very useful.

    Fernando A. Fernandez, CPA, CGMA, CIA

    Linea International, LLC.

  4. To me, the board is ultimately responsible for governance of risk. It can delegate the risk management policies and plans to the CEO and his senior management team for implementation, but ultimately responsibility rests with them. This should be expressed in the board charter. Responsibilities should be manifested in a documented risk management policy and plan. They are the ones to approve the policy and plans. The risk appetite and setting of the level of risk tolerance is its responsibility.

  5. That is perhaps the problem, as many look mostly at downside risk and not opportunity. They follow (as Norman and Arnold suggest) the yellow brick road when they have the opportunity to help lead the path to the gold pot of the creation of value. I guess somebody else suggested something like a herd mentality.

    I believe most CEOs are great value creators (in the teams they develop) and less so risk managers. Which do you want to be?

  6. In all the research on organisational effectiveness, clarity of role is key. So I think it's important to spell out what ideal roles might be, as Norman is trying to do. My builds:

    The Board ~ also have a key role in determining assurance over risks ~ be it IA, specialist reviews or direct assurance from management.

    Line management and staff ~ deserve a mention. Key here is the role in risk identification and hands-on action.

    Then in terms of the CFO's stewardship of risk ~ I'm not sure this is always the best place. If you are not careful, the risk process takes on a very financial focus ~ everything being reduced to impact on £/$ etc. Blind spots here can include reputational risks not easily quantified financially and the negative aspects of cost savings programmes themselves (which can get a "halo" and not be subject to criticism themselves).

    IA and other assurance providers ~ probably merit a mention as well, in terms of the assurance role; but if IA is increasingly looking at non-financial risks, should the whole board play a role in approving the plan, the risk being that the Audit Committee have their own bias of financial control / process / compliance risks versus wider organisational risks?

  7. Who should have the ultimate responsibility for risk management would depend on the business model, culture of the organization and several other parameters. ISACA says that the CEO/CFO is responsible for the framework and the board reviews and approves the risk assessment. But since these are only guidelines, the actual implementations differ from organization to organization. However, the importance of staff working in the field who can provide inputs on risk identification should not be ignored.
