Risk thought leader Chris Corless looks at the value of defining risk owners and whether or not it is crucial to the success of your risk program.
There is a fair bit of conversation lately on the value of defining risk owners and whether or not it is crucial to the success of your risk program. I still feel that it is important especially in the early stages of your maturity journey for two reasons.
First, it cements accountability for the risk with one individual (hopefully along with the opportunity) which reduces the potential for that risk to not be managed over time.
Secondly, it can be an important tool to ensure that the risk function is not owning risks; simply having visibility of who has been assigned risk ownership can assist with this.
To be successful at using the concept of risk ownership you need to think about and define what being a risk owner means in your organisation. Is the risk owner accountable should things go pear-shaped? Are they accountable for monitoring the risk? Both? Something else? I would highly recommend it be something more than a field on an Excel worksheet.
Ultimately what matters is that you define it for your organisation and give it a try. Like any role, if it isn’t clearly defined it likely won’t be executed well. Make sure that your risk owners understand what is expected of them once they accept the role.
Finally, ensure that there is appropriate training to educate potential risk owners because as the organisation changes so do the people who are in roles that are also risk owners. The degree of churn and training will be organisation dependent.
One challenge I have seen using risk owners is the propensity to pile all the risks onto the highest accountable person in the organisation. If the risks are related to the organisation’s objective then yes, the ultimate accountability is with the top role.
But like most things, the top role in the organisation delegates accountability to others in the hierarchy because he/she simply can’t do everything. Same holds true for risk ownership - it can and should be delegated, hopefully in line with the delegation of objectives into the organisation.
This doesn’t mean that the more senior person isn’t still accountable. It’s just that they delegate the role and activities of a risk owner to people who have the time to perform them.
I refer to the senior person as the risk custodian – they are still very interested in the performance of the risk and likely will take a hit to their remuneration should it go very bad, but they are not the day-to-day risk owner.
Despite your best efforts though, you might end up caught in your organisational silos. I believe the best way to not operate in silos is by shining the bright light of radical transparency.
The best way to do this is to have a system that houses the risks and all of their detail, accessible by all leaders (risk custodians) and risk owners. This way everyone can see who is accountable for what risks and you can have robust debates around appropriate owners.
More complex systems can also notify multiple users where problems begin to arise which might be of interest to leaders outside the direct risk custodian or risk owner. From my experience with this in place, you will greatly reduce the potential for silos and help ensure a no-surprises approach to communicating changing risk; transparency is the key.
And one last comment on the concept of risk owners. If you are an organisation that has thousands of risks derived from a bottom-up approach, please don’t try to implement the concept of risk owner. You will overwhelm your organisation especially if you expect big things from those who are risk owners. Start off with your biggest risks, make sure they map to your objectives and your organisational design – start the concept with the critical few and when that’s working think about whether it’s necessary to add more.