It’s all too common…we ask someone to help with something just to be disappointed later. It’s frustrating…believe me, I know.
When it comes to managing risks and opportunities, we assign an “owner” to manage the day-to-day and ensure someone is responsible for the risk (and oversee the mitigation activities). As I discuss in this article on how to assign a risk owner, risks should only be handled by those who are closest and have the most expertise.
If an individual risk owner is not assigned, by default, the entire organization will own the risk and it will most likely fall through the cracks, thus leading to a host of negative consequences.
So, based on this quick summary and my previous article, it should be clear why assigning a risk owner is so important and what their job is.
But things don’t always work out as planned, which leads us to how you can take 3 simple steps to ensure that the designated risk owner does what they need to do…
#1 – The first step to ensuring a risk owner meets their obligations is to have clear expectations.
One best practice that virtually all thought leaders agree on is that ERM should only own risk(s) under a very narrow set of circumstances. After all, the job of the risk manager is to facilitate a process for identifying, assessing, monitoring a risk, and so on, not to actually “manage” the risk (despite the name “risk management”).
In that same vein, ERM’s responsibility is to clearly articulate what a risk owner’s responsibility is and why these activities are important to the organization. These expectations should also be communicated in a variety of ways; don’t just tell everyone in a meeting or on a call, but put it in writing as well. Visual aids like infographics or video tutorials can be really useful as well, especially considering most of us are visual learners.
With expectations clearly articulated to risk owners throughout the company, you now have something to benchmark performance against.
You have a decision around any risk and action plans developed for any mitigations. However, something may seem off; perhaps key risk indicators are flashing red. If the mitigation plans are not being met, why not?
Sometimes there are valid reasons. In his book Prepare to Dare, Hans Læssøe explains it this way:
Organisations change over time, and hence the current “owner” of a particular uncertainty [risk] may not have been the one assessing it in the first place.
In short, it’s vitally important you clearly understand all of the factors impacting the risk owner and their activities before passing judgement. And to be honest, a change in risk ownership presents an opportunity to get additional perspectives on the status of the risk (i.e., update the risk assessment information and possibly risk prioritization).
In spite of clear expectations though, things can still go awry, leading us to…
#2 – The ultimate remedy to a risk owner not fulfilling their obligations is accountability.
Now accountability is something many organizations struggle with, but without it, it will seem like you are always putting out fires instead of pursuing goals and objectives.
There’s a good chance that your organization has some sort of “performance management” process or system it uses to evaluate employees. This process or system should apply to executives as well to ensure they are living up to the expectations of their role.
In order to have accountability for risk owners, their responsibilities should be included in this performance management system to ensure they are being met. If the risk is not being adequately handled per the terms initially agreed upon, there should be consequences.
One more point on accountability. In the original article mentioned earlier, I explain that it’s best to assign the risk owner by position rather than an individual person. This makes accountability easier and ensures the risk will be continuously managed in the event the person moves on from the position.
#3 – Taking corrective action to ensure the risk is managed in accordance with plans
Before going further, I want to discuss the possible consequences (both good and bad) of a risk owner not meeting expectations, as it’s a bit more than a simple task of “reassigning” the risk to someone else.
If this individual is not fulfilling obligations as a risk owner, it’s quite possible the assigned risk owner:
- Is not the right person to fill their particular job anyway (bad if it took forever to figure this out; good if discovered quickly) OR…
- Does not have enough resources to take the agreed-upon action(s) (e.g., needs an additional/specialized role if the risk spans multiple departments or areas).
So while reassigning the risk owner is one way to handle this situation, another potential corrective action is to bring in someone else with knowledge and understanding of the risk. This person would also bring a different perspective or skillset to assist the risk owner. This individual can be a colleague within the organization who can challenge the risk owner to help them better understand the task they have been assigned.
As you can see, simply reassigning the risk owner isn’t necessarily the first (or only) option, and it shouldn’t be. Before going this route, it’s important to evaluate each possible avenue. Perhaps all that’s needed is a small tweak here or there to get things back on track.
Have any risks fallen through the cracks in your organization because the risk owner was not fulfilling their obligations?
I am always interested in hearing your thoughts on this or any other issue you are experiencing in your organization. Feel free to leave a comment below or join the conversation on LinkedIn.
And if you are experiencing issues around risk owners in your organization and are looking for a solution to this delicate problem, please don’t hesitate to contact me to discuss your specific situation today!