By Bea Stafford – 1st Risk Solutions
Unravelling the operational risk management roles and responsibilities with a RACI.
Put simply, a RACI model (Responsible, Accountable, Consulted and Informed) clearly breaks down ‘who owns what’, ‘who needs to do what’, ‘who is consulted about it’, and ‘who is informed’ for a list of tasks.
A clear RACI model has long been recognised as having significant benefits in the project, change or reengineering space. However, we have also found it to be vital within operational risk management and the 3 Lines of Defence (LoD) model, where the RACI is fundamental to a successful framework – regardless of the size of your organisation.
Most organisations have adopted the 3LoD risk management model, but in our experience, few have clearly defined the RACI for the risk management activities, with demarcation of the activities between the 3 lines.
This lack of a clear, defined RACI results in confusion as to who is actually ‘accountable’, has ownership, or is ‘responsible’ for performing the individual activities, such as risk assessments or monitoring of key controls. This is particularly true within smaller organisations, where people are often wearing multiple hats. However, the lack of a RACI in larger organisations can lead to duplication of tasks that add no value, or worse still, complete gaps in real accountability which are only illuminated when a significant event occurs.
Benefits of performing a clear, easy-to-understand and agreed RACI
- Holding groups and individuals to account
The RACI clarifies the division of accountabilities and responsibilities between the 1LoD and 2LoD for risk ownership, risk management and governance, at a task level and by risk type. This prevents any ambiguity, holds people accountable for their tasks, and also prevents people from avoiding their responsibilities or accountabilities within the 1LoD and 2LoD.
- Clarifies 2LoD scope
When a RACI is not in place, the 2LoD, with the best of intentions, often steps in and performs risk management activities (such as risk and control assessments) that should be owned and managed by the 1st line, thereby compromising its independence and putting itself in the precarious position of ‘marking its own homework’.
- Clarifies dual LoD responsibilities of functions – HR, Compliance, Finance, Technologies.
The RACI clarifies the responsibilities and accountabilities for the functions within an organisation which may have both 1LoD and 2LoD responsibilities and accountabilities.
HR will normally own ‘people’ risk and the HR policy within an organisation as a 2LoD function, with ‘people’ risks being managed day to day within each 1st Line business process in accordance with the HR policy. However, HR may also have accountability and responsibility for some 1LoD processes, such as Payroll.
- Clarifies demarcation with the 2LoD.
The RACI clarifies the role of each of the different 2LoD functions (such as HR, Compliance, Technologies and Finance), provides clear demarcation of their responsibilities and accountabilities for their risk types, and shows how they fit within the wider ‘Operational Risk Framework’.
- Clarifies the roles of 1LoD risk and control departments vs 2LoD risk and control
Within larger organisations, the RACI not only clarifies the roles, responsibilities and accountabilities between Group, regional or line-of-business operational risk departments; it is also essential to clarify the roles, responsibilities and accountabilities between the specific risk and control functions in the 1LoD and those in the 2LoD.
Under the current regulatory environment, with its focus on personal accountability, which will be further driven by the requirements of the Senior Manager Regime and the ‘responsibilities statement and responsibilities map’, the need for a clear, understood and achievable RACI within your risk management framework has never been more essential.
© 1st Risk Solutions Limited – all rights reserved