Who is responsible for risk oversight?

If you Google “risk oversight”, you will usually get an article (more often than not written by a consultant) about oversight of risk management by the board.

But I believe that is far too narrow a perspective.

Consider:

• Every decision-maker is responsible for understanding all the risks relative to their decision.
• Every process owner should understand and manage all the risks to the effectiveness of their process or function.
• Every manager should be able to tell you what the risks are to their function, as should every department head. They should also be aware of and comfortable with how their team identifies and assesses risks, makes related decisions, and considers those risks in the process.
• Every senior manager should oversee effective risk-taking by their entire team and contribute to the effectiveness of risk-taking by other members of management.
• Every senior manager should ensure that risk identification, analysis, evaluation, and response by their team is effective.
• The CEO and their executive committee should ensure that risk management processes and activities across the organization are effective, and risks are within desired boundaries.
• The CEO should provide their assessment of…