Risk Management makes it necessary to identify the duties, roles and responsibilities of each company function and of each person who carries out critical or operational activities within the organization. The first element to consider when assigning responsibilities is the analysis of the managerial context: understanding where the Risk Management function sits becomes a key element in defining clear and specific organizational roles, so that the company plans can be carried out efficiently.
The risk manager, together with his team, must support the management and identify the risks, understand and use the methods and instruments needed to manage the Risk Management process, make staff responsible for specific risk-handling policies, and ensure that the risk culture is spread internally in the organization. In large companies the risk manager is usually the CEO or the CFO, whereas in small and medium-sized companies the role is usually held by the CEO. Strong interrelationships between the operational and control functions are necessary to define, monitor and improve the business system with risk policies appropriate to the different situations the organization faces. Risk Management, internal controls, and the audit function provide channels of useful information for the board of directors and for monitoring the efficiency of the Risk Management function and of the internal controls.
The Federation of European Risk Management Associations (Ferma) has identified three different levels of control: