In this guidance, we outline “good practices” for the Risk function regardless of industry, regulation and size.
It does not cover legal or regulatory requirements; rather it introduces the basic principles of the function. Each organisation needs to make individual adaptations depending on its nature, size, complexity and organisational culture.
The guidance delineates the organisation of a Risk function, responsible for the overall risk management in an organisation. This includes the segregation of roles and responsibilities between the different control and assurance functions of an organisation, such as internal audit, the Risk function and the Compliance function.
Several industry-specific guidelines have been developed internationally which describe the elements and requirements characteristic of an efficient and effective Risk function adapted to specific regulatory requirements. There are, however, common elements in these which, together with the experience of Norwegian organisations, form the basis for this guidance.
Risk management must take place at all levels of the organisation. Hence, whilst the focus in this guidance is on ERM, the principles are also valid for those working with risk management within more defined, specialised areas of an organisation.