In a previous article on assigning a risk owner, I discuss how designating someone to be accountable for a risk is important for ensuring that it does not fall through the cracks and that an appropriate response is developed and acted upon in a timely manner.
The article provides a high-level overview of when a risk owner needs to be assigned, plus key considerations, challenges, and options of risk ownership. If you’re new to this particular topic, I strongly recommend checking it out…
The connotation of the word “owner” is that someone has complete control and responsibility over the item in question, be it a process, a risk, or something outside of your company altogether, like your home.
In the context of risk, ownership doesn’t necessarily mean that this person will handle everything.
Think about your home for a second…
While the deed names you and/or your spouse as the owner, that doesn’t mean you will handle every task to maintaining the property.
It’s just an inescapable fact of life that we can’t handle everything. When our home needed a new roof last year, my husband and I didn’t go buy some shingles and spend a weekend nailing them down.
Neither one of us possess the skill to do this effectively, much less efficiently. And besides, between our business and family obligations, when would we ever have the time?!
The same could be said for risk ownership in a company as well…
Hans Læssøe’s book Prepare to Dare has an informative section on risk ownership. Much of what he says in this section is familiar and in my original article above, but he mentioned something that resonated with me – what risk ownership is and what it isn’t. He explains…
However, he goes onto explain certain things the risk owner is not.
Initial impressions lend us to see the risk owner as being responsible for everything, and while they are the point person for ensuring the risk is handled in an appropriate manner, they will most certainly not be handling everything.
For example, a risk owner will not necessarily be responsible for determining the best response or mitigation strategy.
Hans uses data protection as an example…
Assigning this risk to a “data privacy officer” who is part of the legal team may be right call since there are a growing number of rules and regulations around this issue.
However, this person has a legal background, so they won’t necessarily know the best steps to take from a technical perspective to address risk(s) around data protection. Instead, IT specialists will be able to define the best response or mitigation. The privacy officer still has the responsibility for seeing this all to completion.
Another example is in the actual implementation of any responses or mitigations that get identified…
Certain risks, like credit related ones, will be “owned” by the CFO. As an executive, the CFO does not have the time to handle specific tasks for managing credit risks, so these items are delegated to relevant operational teams to carry out.
Practically speaking, an effective risk owner will need to work with relevant specialists and other parties within the company to develop and implement the appropriate mitigation for the risk they are charged with handling.
In the end though, the CFO is ultimately responsible for ensuring any mitigations are handled appropriately.
Like your home, you cannot expect that a risk owner will handle every aspect of the risk…that would be impossible and possibly dangerous if they tried.
Risk ownership is instead about being a point person who is ultimately accountable for ensuring a risk is handled properly. It’s best that this responsibility is only given to one person, because as Hans wryly puts it:
If two people are to share a responsibility of something that goes wrong, they have 1% each.”
How does your company handle the responsibilities of risk ownership?
To share your thoughts on this topic that is so fundamental to developing an effective ERM process, please don’t hesitate to leave a comment below or join the conversation on LinkedIn.
And if your company is struggling to develop an effective risk ownership process, click here to schedule a discovery call to discuss your specific situation today.
