Wouldn’t it be nice if a risk simply went away when the risk owner left the organization or changed roles?
Okay, now wake up from that dream…this doesn’t happen in real life.
As a previous article on assigning a risk owner explains, the ERM unit does not actually manage risks. Instead individual(s) who are close to or have extensive knowledge of the specific situation take ownership or responsibility for managing certain risks. Basically speaking, the role of the risk owner is to ensure someone in the organization is accountable for the risk and that resources are available for managing it.
But life isn’t static…
Just because someone has been assigned to monitor, manage, and report on a particular risk doesn’t mean it will always stay that way. Perhaps this person receives another job offer they can’t refuse, they move onto a different role within the organization, they retire, or they have to leave for personal reasons.
Whatever the reason for their departure, the risk will still be there for the organization.
Consequences for not replacing a risk owner can include:
- Compliance/fines – if the risk owner was responsible for complying with certain laws or professional standards or handling filings, the company could get in serious trouble with a regulator or professional standards organization.
- Safety/job injury – if the risk owner was responsible for implementing new protocols to keep workers and others safe, there could be a tragic accident if these important tasks fall through the cracks.
- Strategic implications – if the risk owner was managing a big initiative related to the strategic plan and making decisions based on projects’ inherent risks, the company could fall short of its goals. Also, long-term opportunities could leave with this person too, especially if their knowledge or idea is not documented.
As Douglas Hubbard points out in his book The Failure of Risk Management: Why It’s Broken and How to Fix It:
This of course is just a sampling of consequences. At best, if ERM is not proactively preparing for the departure (planned or otherwise) of a risk owner, you will be scrambling to fill the void this person leaves behind.
What can be done to avoid the negative consequences of a risk owner leaving or changing roles?
Life comes with all sorts of surprises…risk owners are no different.
Sometimes there can be time to prepare for this person’s departure, but sometimes there isn’t. If the risk owner was in a fatal accident or otherwise suddenly no longer able to fill their role, ERM will have to scramble to find a replacement and any specific knowledge about the risk will be lost too.
The best thing to do then is to prepare…to have a Plan B ready as soon as the risk owner assumes their responsibilities.
For example, the possibility of a sudden, unexpected departure is why in-depth conversations at regular intervals are so important, especially if the individual has extensive knowledge about the risk. As Julian Talbot explains in this article on uncertainty:
You must have a Plan B already in place (including any resources) before you press the “Go” button on Plan A. If you wait for Plan A to fail before you develop Plan B, you’re reacting [emphasis added] to a crisis.
One thing you will consistently hear me talk about is being proactive, not reactive. So whether it is about decision-making or managing individual risks to the organization, being proactive pays off in the long-run.
Therefore, in addition to knowledge transfer, below is a list of some other things to consider, preferably when you are in the process of assigning the risk owner:
1. Find a successor for the risk(s) this person will be managing. If the individual is responsible for multiple risks, it’s okay if they are broken up and assigned to multiple individuals. This could take the form of what’s called a “stretch assignment” for someone internally or an external consultant can be hired to help with the risk until you are able to find a permanent replacement.
2. If the risk owner sits on a committee or provides an advisory or decision-making role, your company will be missing a valuable perspective. For example, losing a long-time CFO or Controller with extensive knowledge about the company and general financial matters could be a huge setback, which is why regular, in-depth conversations are so important.
Also, if this individual is a senior executive, you will have to consider more than just any risks they may be responsible for, but also any decision-making or risk culture leadership they provide. What if the individual is a key supporter or sponsor of risk practices? Who will be the walking, talking example of embedding risk into daily practice?
3. Reevaluating the status of risks is something you and the risk owner should be doing regardless. In so doing, you may discover that the risk has been handled to the point that it doesn’t really need an owner anymore. Remember, not all risks will require an owner. In fact, trying to assign someone to manage every identified risk will be overwhelming and counterproductive.
In the end, preparation is key to avoiding scrambling when (not if) a risk owner leaves the organization or otherwise no longer able to fulfill this responsibility. Be proactive to ensure there is smooth and orderly transition and be a good example to others.
Has a risk owner unexpectedly left your organization? Did you have a Plan B in place or were you forced to scramble to find a replacement?
Check out my previous article to learn more about what you need for assigning a risk owner.
I am also interested in your thoughts and experiences on this important topic, so please feel free to leave a comment below or join the conversation on LinkedIn.
And if you are struggling to develop a game plan for when a risk owner leaves your organization, or you are in need of some outside help to ensure the risk(s) are still being taken care of, reach out to me to discuss your unique situation today.
Featured image courtesy of Andrea Piacquadia via Pexels.com