1.4 Governance model

The governance model describes how the various functions of an organization are managed as a whole. It also includes common, cross-cutting functions, such as the governance of development projects and risk management.

The governance model is not necessarily documented precisely, but it is still visible and tangible. It especially affects the development of the organization’s culture.

Portfolios as governance tools

Portfolios are governance tools. There are portfolios for managing projects, IT systems, product development projects, personnel and risks, among other things.

Companies and organizations usually switch to portfolio management in order to make decisions based on up-to-date and comparable information, manage entities and use their resources as efficiently as possible.

Portfolios are generally open to the entire organization, which makes decision-making transparent and information traceable.

The main principles of portfolio management

Organization of risk management

Before we move on to the next part of the course, let’s take a brief look at different ways to organize risk management.

The way risk management is organized is tied to the governance model, so it can differ between line and matrix organizations.

Large organizations may have a centralized ERM department governed by a Chief Risk Officer (CRO). The department may report, for example, to a financial or managing director, a risk management group or the board.

A risk management group or several groups operate at different management levels to carry out risk assessments and prioritizations.

Large organizations have common documented and standardized processes, risk portfolios and work tools. Organizations ensure the success of their risk management by carrying out comprehensive training and using external auditors and experts.

In small and medium-sized organizations, risk management is typically the responsibility of managers and key personnel. The managing director also actively participates in risk management. Processes may be documented but are less formal than in large companies. A risk portfolio is also usable in medium-sized companies, although many are happy enough to use tabular risk registers.

SME organizations acquire risk management training and external expertise as needed.