Many organisations do not have a risk manager or a Chief Risk Officer (CRO). They feel that they may not have a full time job for the person, or that recruiting a person with the right skill set and employing them at the right level may be too expensive. They are right. Others feel it's a good idea to assign responsibility for risk management to the internal auditor or the finance manager. This may be a step in the wrong direction. Is there another option to consider?

In my opinion, where work can be done more effectively, and more efficiently, by an outsider than an insider, the work should be given to the outsider. Engaging a part-time CRO, with the right knowledge, skills, and experience can add value and bring proper risk governance and risk management to an organisation. The services of a part-time CRO can range from a full end-to-end solution to almost anything in between. A full service solution typically comprises developing and implementing Enterprise Risk Management and the ongoing execution of the programme in the role of CRO on a retainer basis. A part-time outsourced solution is practical, flexible, scalable, and can be adapted to suit client requirements.

A part-time CRO works with the board, the executives, and the senior management team to develop and maintain the organisation’s overall Enterprise Risk Management programme. Typically the service will include:

• reviewing any existing risk management initiatives: charters, policies, plans, and other risk management documentation;
• performing a gap analysis against the applicable risk management regulations and guidelines and making recommendations to close important gaps identified;
• developing the required charter, policy, and risk management strategy;
• defining the risk universe and setting the risk appetite and tolerance;
• developing the terms of reference for a risk management committee and participating in it;
• reviewing the existing risk management methodology and defining an appropriate risk management framework for the client organisation, taking into consideration COSO ERM, ISO 31000 and, if applicable, the requirements of specific legislation such as the PFMA and MFMA;
• reviewing the current risk assessment process and the current risk register;
• conducting an enterprise-wide risk identification process;
• preparing and facilitating risk assessment workshops;
• developing mitigating strategies for the top risks, assigning a risk owner, and setting implementation timeframes;
• developing a monitoring and reporting process for the top risks; and
• participating in the ongoing risk management process.

The Retlaw Fox offering is unique in that we can integrate risk management training, to meet your organisation’s specific requirements, into the offering. For further information or to obtain a quotation for part-time CRO services please visit www.retlawfox.co.za or email info@retlawfox.co.za.