The Conference Board of CanadaCorporate Governance and Risk Management: The Integrated Tool1
A Strategic and Comprehensive Exercise2
Purpose of matrix: To determine whether someone is currently responsible and/or evaluate who ought to be responsible for which key risk areas and at what levels of responsibility in an organization.
While not explicit in the model, effective two-way communication needs to occur throughout each of the following steps. The risk management process includes:
For each area/source of risk (row in the table following):
1. Determine if someone is currently responsible for each step above (place number under the applicable column).
2. Evaluate what gaps exist in risk management and determine actions to be taken (final column).
3. Consider each area of risk and decide how it pertains to the organization. The key to the success of this particular analysis is not to spend too much time thinking about it. First impressions are usually the best.
4. Some spaces may be left blank, and more than one number can be placed in any given cell.
5. A question mark may be placed in any given cell if you are uncertain whether the position holds responsibility.
“Documentation” refers to a specific document(s) prepared (e.g., turnover statistics, exit interview summary).
“Date” is the day, month, or year each step is completed (e.g., quarterly reports in Feb/May/Aug/Nov).
“Champion” indicates the lead individual responsible.
9. Analyze the results: look for gaps to determine overlaps, disagreements, misalignments, skills and resource gaps, level of empowerment, etc.
10. Resolve and clarify any issues uncovered in step 9.
11. Roll out final decisions into risk policy, common risk language, job descriptions, responsibility mandates, and performance management systems.
For example, if the HR senior research staff person identifies the retention risk, plac