Whether an organisation needs to establish a Risk Management function depends, amongst other things, on its industry and on the organisation itself. Typical drivers have been the need for management and control in demanding areas that are exposed to a high risk of significant financial loss, physical damage or loss of human life. In addition, a number of regulated industries place concrete requirements on the organisation, structure and performance of risk management activities; those requirements go beyond the recommendations described in these Guidelines.
Increasingly, the management of both positive and negative uncertainty in a volatile environment, and its effect on future financial development, has led to risk management being accepted as an important strategic tool. In line with international developments, Norwegian statute requires the establishment of a Risk Management function as an element of sound governance.
In this guidance we have tried to describe best practice for the Risk Management function regardless of industry, regulation and size. It does not cover legal requirements; rather, it introduces the basic principles of the function. Individual adaptations will naturally depend on each organisation's nature, size, complexity and organisational culture.
These Guidelines seek to clarify, and to set boundaries for, how a Risk Management function is organised. This includes the distribution of roles and responsibilities between the different control functions of an organisation, such as Internal Audit, the Risk Management function and the Compliance function.
Risk management takes place at many different levels in an organisation. These Guidelines describe the function for Enterprise Risk Management (ERM). The principles described will also be valid for those working with risk management within a more limited and specialised area of an organisation.
'Guidelines for the Risk Management function' has been developed by a group whose members work in risk management across several different industries. The working group is a committee of Network Risk Management, a specialist group within the Association of Internal Auditors Norway (IIA Norge).