A good organisational structure supports the effective management of risk. The structure should be appropriate to the organisation but typically would provide for three levels of governance with respect to risk:
- Direct responsibility for the management and control of risk (ie staff and management working within or managing operational business units and the Board).
- Co-ordination, facilitation and oversight of the effectiveness and integrity of the risk management framework (eg the risk committee and risk management function).
- Provision of independent assurance and challenge across all business functions in respect of the integrity and effectiveness of the risk management framework (ie internal and external audit).
An effective structure would typically:
- Have clear accountability and expectations which will help achieve business objectives and ensure decisions are co-ordinated and consistent with stated risk appetite and policy. The following should be carefully considered:
  - Appropriate allocation and communication of roles, responsibilities and accountabilities across the business, and the setting of appropriate rules and processes for risk-based decision making and reporting.
  - All relevant parties to understand their roles, responsibilities and accountabilities, including what is expected of them and their authority for decision making and reporting (ie each relevant individual is able to explain who they are accountable to, in what manner and how the risk appetite and policy applies to their role).
  - All relevant parties to understand the relationships and associated tasks between key business and functional areas, share relevant information and take account of all relevant and significant factors in order to make informed decisions.
- Have a commonly agreed and understood terminology and language for risk that complement the organisation's culture and business practice, used by, and readily available to, all members of the organisation.
- Ensure that appropriate risk information flows around the organisation on a timely basis, and that there are processes in place to escalate risk issues. To be effective, escalation processes would typically:
  - Be accessible to all.
  - Have clearly laid out procedures, trigger points and escalation points.
  - Enable escalation through authority levels.
- Maintain the confidentiality, integrity and availability of information, particularly relating to those processes critical to the success of the business.
- Provide appropriate risk management tools, that are easily accessible, to support its processes and its staff.
- Provide appropriate training and development, for all staff, surrounding all aspects of the firm's approach to risk management (ie policies, terminology and tools).