Whether you are an organization of 2 or 200,000 people, each one of you is a risk manager. That said, when the roles and responsibilities for managing your risks are well defined, you can rest easier knowing that the various risk management tasks are not falling through the cracks.

What are the different risk management roles and responsibilities?

Roles and responsibilities can be organized into three groupings:

  1. The person who owns the risk, and therefore assesses and manages the risk.
  2. The person or group who designs the standards for managing and reporting on risks.
  3. The person or group who provides independent assurance on the status of risk management efforts of your business.

This grouping is the basic premise of the three lines of defense model. The model is intended to segregate roles and responsibilities to avoid conflicts of interest within the risk management process.


Some of the roles and responsibilities can be performed by a group of people, depending on the size and complexity of your business. However, at a minimum, one person should be assigned to fulfill each role, and preferably this person does not perform either of the other two roles.

First Line of Defense: Assessing and Managing Risks


In an ideal world, there should be only one risk owner who is responsible for assessing the status of a risk. She or he is also responsible for managing it to ensure that it is consistent with your risk management standards.

The risk owner is the person responsible for the process the risk is linked to, and is the person who best understands how the risk can materialize. As a result, this person is best suited to present solutions for mitigating the risk.

When this role sits with one person, it can ensure that everyone knows who to go to for questions about the risk.

Second Line of Defense: Designing Risk Management Standards


The group or person assigned to design risk management standards should be independent from the person who manages the risk. This is because this group or person will be responsible for reporting on whether the management of the risk adheres to the standards. Combining the roles could make it very difficult for them to report on themselves when something goes wrong or needs improving. Therefore, you should try to avoid this if possible to ensure the integrity of your risk reports.


Third Line of Defense: Assurance of Risk Management Efforts


This role is intended to help you understand where improvements may be needed to your risk management framework and execution. It is important to understand if there are gaps in the risk management design, the execution of the design, or both.

This person or group plays an assessing and reporting role, so the role is typically performed by an audit function. Accordingly, this person or group should not be responsible for the decisions made when designing the standards or managing the risks, because he or she could be placed in a compromising position when required to report less than good news.

We are all expected to call out potential and actual risks

While assigning the responsibilities for risk management is important, do not let this stifle the call to action when something has gone or could go wrong in your business. Regardless of our roles, as risk managers we should all have a responsibility to speak out when a risk is apparent, either before it can occur or after it has occurred, and to address it as required.
