3 Steps to Ensuring Risk Owners Ultimately Fulfill Their Obligations

It’s all too common…we ask someone to help with something just to be disappointed later. It’s frustrating…believe me I know.

When it comes to managing risks and opportunities, we assign an “owner” to manage the day-to-day and ensure someone is responsible for the risk (and oversee the mitigation activities). As I discuss in this article on how to assign a risk owner, risks should only be handled by those who are closest and have the most expertise.

If an individual risk owner is not assigned, by default, the entire organization will own the risk and it will most likely fall through the cracks, thus leading to a host of negative consequences.

So, based on this quick summary and my previous article, it should be clear why assigning a risk owner is so important and what their job is.

But things don’t always work out as planned, which leads us to how you can take 3 simple steps to ensure that the designated risk owner does what they need to do…

#1 – The first step to ensuring a risk owner meets their obligations is to have clear expectations.

One best practice that virtually all thought leaders agree on is that ERM should only own risk(s) under a very narrow set of circumstances. After all, the job of the risk manager is to facilitate a process for identifying, assessing, and monitoring risks, and so on, not to actually “manage” the risk (despite the name “risk management”).

In that same vein, ERM’s responsibility is to clearly articulate what a risk owner’s responsibility is and why these activities are important to the organization. These expectations should also be communicated in a variety of ways; don’t just tell everyone in a meeting or on a call, but put it in writing as well. Visual aids like infographics or video tutorials can be really useful as well, especially considering most of us are visual learners.

With expectations clearly articulated to risk owners throughout the company, you now have something to benchmark performance against.

You have a decision around each risk and action plans developed for any mitigations. However, something may seem off; perhaps key risk indicators are flashing red. If the mitigation plans are not being met, why not?

Sometimes there are valid reasons. In his book Prepare to Dare, Hans Læssøe explains it this way:

Organisations change over time, and hence the current “owner” of a particular uncertainty [risk] may not have been the one assessing it in the first place.

In short, it’s vitally important you clearly understand all of the factors impacting the risk owner and their activities before passing judgement. And to be honest, a change in risk ownership presents an opportunity to get additional perspectives on the status of the risk (i.e., update the risk assessment information and possibly risk prioritization).

In spite of clear expectations though, things can still go awry, leading us to…

#2 – The ultimate remedy to a risk owner not fulfilling their obligations is accountability. 

Now accountability is something many organizations struggle with, but without it, it will seem like you are always putting out fires instead of pursuing goals and objectives.

There’s a good chance that your organization has some sort of “performance management” process or system it uses to evaluate employees. This process or system should apply to executives as well to ensure they are living up to the expectations of their role.

In order to have accountability for risk owners, their responsibilities should be included in this performance management system to ensure they are being met. If the risk is not being adequately handled per the terms initially agreed upon, there should be consequences.

One more point on accountability. In the original article mentioned earlier, I explain that it’s best to assign the risk owner by position rather than an individual person. This makes accountability easier and ensures the risk will be continuously managed in the event the person moves on from the position.

#3 – Taking corrective action to ensure the risk is managed in accordance with plans

Before going further, I want to discuss possible consequences (both good and bad) of a risk owner not meeting expectations, as it’s a bit more than a simple task of “reassigning” the risk to someone else.

If this individual is not fulfilling obligations as a risk owner, it’s quite possible the assigned risk owner:

  • Is not the right person to fill their particular job anyway (bad if it took forever to figure this out; good if discovered quickly) OR…
  • Does not have enough resources to take the agreed-upon action(s) (e.g., needs additional/specialized role if risk spans multiple departments or areas).

So while reassigning the risk owner is one way to handle this situation, another potential corrective action is to bring in someone else with knowledge and understanding of the risk. This person would also bring a different perspective or skillset to assist the risk owner. This individual can be a colleague within the organization who can challenge the risk owner to help them better understand the task they have been assigned.

As you can see, simply reassigning the risk owner isn’t necessarily the first (or only) option, and it shouldn’t be. Before going this route, it’s important to evaluate each possible avenue. Perhaps all that’s needed is a small tweak here or there to get things back on track.

Have any risks fallen through the cracks in your organization because the risk owner was not fulfilling their obligations?

I am always interested in hearing your thoughts on this or any other issue you are experiencing in your organization. Feel free to leave a comment below or join the conversation on LinkedIn.

And if you are experiencing issues around risk owners in your organization and are looking for a solution to this delicate problem, please don’t hesitate to contact me to discuss your specific situation today!

Featured image courtesy of Tima Miroshnichenko via Pexels.com

Meet Carol

Helping companies achieve their vision and strategy, and succeeding in today's turbulent world, is something I'm honored to be a part of. Whether you're an occasional blog visitor or a long-term client, thank you for letting us be a part of your journey.
