Falling in the middle of the risk management cycle (after developing risk appetite and tolerance and identifying, but before assessing and analyzing risks), the organization then must identify who will “own” or be responsible for a particular risk.
Although the exact definition of what a risk owner is will vary depending on the organization, it can generally be defined as a person or persons responsible for the day-to-day management of a risk. (I will talk later about when to assign a risk owner…)
Assigning an owner for these risks is important for a few reasons…
One, a designated risk owner ensures someone in the organization is accountable for the risk. If there is not one person or a group charged with managing a risk, then by default, the entire organization will own the risk, and therefore it is highly likely the risk will fall through the cracks (a/k/a nothing will be done). Having a risk owner is an important step toward ensuring that a response plan is developed and acted upon in a timely manner.
Two, risk ownership is one way for executives to not only hold individuals accountable for risks, but to show their support for ERM in general.
The third reason for appointing a risk owner is to ensure that the ERM function does not own risks.
It’s important to understand that ERM does not actually manage risks, which is a common misnomer. The role of ERM is to help facilitate a process for identifying, assessing, and analyzing risks, and to ensure that executives and other key players have the information they need to make risk-informed decisions.
The only exception to this rule is if the risk function is responsible for insurance, business continuity, or similar program. This situation applied to me when I was Director of ERM for a large Florida-based property insurance company…in this case, it was only natural for my area to be responsible for these risks. In fact, business continuity can very closely integrate with ERM, so it made perfect sense to have them under a single manager.
In what circumstance will the organization need to assign a risk owner?
Not every identified risk will require an owner. In fact, if your organization has thousands of risks identified through a bottoms-up approach, assigning a risk owner for each one will overwhelm you and your team and nothing will get done.
Instead, start with the most critical risks and then consider adding more once a workable, sustainable process is in place.
Iconic cosmetics brand Estee Lauder for example has 46 critical corporate risks where an owner has been assigned. These particular risks met several guidelines which exceeded their respective risk tolerance or could cross this threshold in the near future.
In short, a risk owner needs be assigned for risks that exceed tolerance levels that were set earlier in the risk management cycle. However, that doesn’t mean risks that are within tolerance levels should be ignored…accepted risks have to be monitored as well.
More specifically, the cumulative result of accepted risks and the inter-dependencies of risks have to be carefully considered as well. If Risk A occurs and could trigger Risk B, a risk owner should be appointed and action taken, especially if Risk B is considered critical and falls outside of tolerance levels should it occur.
You also don’t need me to tell you that things are always changing. Perhaps tolerance levels change down the road or the risk itself changes. Of course, this certainty that things change is why I’m a firm believer in having a maximum time limit for a review of both low and accepted risks to ensure nothing is being overlooked.
Risk Ownership: Key Considerations, Challenges, and Options
I could probably write an entire article or even an eBook on how an organization could go about assigning an owner for a particular risk. Before getting into different options though, there are a few key considerations and challenges I should discuss first.
- Ensure there are clear definitions on roles and responsibilities in place before proceeding any further…this is one of the first and most important considerations when it comes to choosing a risk owner. As explained by Chris Corless in this article in Strategic Risk, it’s important for everyone involved to have a clear understanding of expectations when someone accepts the role of risk owner.
- Properly train on risk owner responsibilities and how they need to manage and report the risk. Think about it this way – your organization wouldn’t roll out a new time management system and not train employees on how to use it, right? Risk ownership is no different…
- Maintain consistent language throughout the firm regarding risks. Frank Fronzo of Estee Lauder explains how the company has a dictionary of terms it uses to ensure everyone is speaking the same language and stays on the same page.
One of the most common challenges organizations face when assigning a risk owner is the tendency to give it to the highest accountable person in the organization. While this is okay for risks linked to the strategic plan, the fact is that executives and other leaders simply do not have the time to take many of these risks on. In situations like this, the individual may delegate the responsibilities of owning a particular risk to someone else with time to perform them.
In cases like this, the senior-level person becomes a risk “custodian,” meaning they still have an interest in the risk but do not fulfill the day-to-day responsibilities of an owner.
And as I mentioned earlier, risk ownership should extend down the organization chain for a couple of reasons. One reason is limited time on the part of executives and other leadership. Second to that, appointing a mid-level manager as a risk owner can play a huge part in cultivating a positive risk culture throughout the entire organization.
Another challenge many organizations face when assigning and managing risk owners is the tendency for risk management activities to fall back within organizational silos. If this type situation occurs, the case can be made that you’re not really practicing ENTERPRISE risk management.
(Click here to learn more about risk management that occurs within a singular business unit vs. a top-level, enterprise-wide process.)
To address this challenge or avoid it altogether, a risk information system should be used that contains details about all risks the organization is managing, who the owner(s) of a particular risk is, recent activities and more. This system should be accessible by all risk custodians and owners…
During a recent conversation, a fellow risk professional mentioned that his organization uses Archer, but other commonly known software tools organizations commonly use include Logic Manager, MetricStream, CURA, and Sword Active Risk. But there are plenty of other options out there, like Aviron Financial Solutions, Audit Comply, and Vose Software, to name a few…
When developing the process and choosing risk owners, company culture and the accountability structure of the organization will play a huge role…
Broadly speaking, risk ownership can be assigned to an individual or a designated risk committee.
Individual risk owner
If your organization has diverse functions and a weak collaborative culture, you will most certainly want to go with an individual risk owner. This individual (…and the risk custodian if applicable) will be the one person held accountable for the management of the risk they are charged with handling. I mentioned this in a way in the beginning of this article…having an individual risk owner is not only a way to hold someone accountable for a risk, it is also a way for executives to demonstrate how important they view ERM.
When assigning an individual to be the owner of a particular risk, it’s vitally important they have decision-making authority and the ability to allocate financial and human resources for the risks they are charged with managing.
Another point to consider when determining an individual risk owner is assigning accountability by position rather by name. (I personally really like this concept!) This is one key point of how Estee Lauder determines the proper owner. Assigning accountability this way ensures risks are continuously managed, even if the individual person moves on from their position.
One situation where an additional person may be involved with managing a risk but not be considered group or committee ownership is when a department is impacted by a risk but another department is better suited to manage the risk. In cases like this, co-ownership and coordination between the departments will be needed, but in the end, one person will still be responsible for monitoring and managing the risk.
For organizations with a strong group or collaborative culture, group ownership of risk(s) may be the way to go. This group can consist of individuals from across the enterprise, which of course can be a positive in that it brings together different perspectives. Specific action-items can be assigned based on responsibilities of individuals within the group.
However, one big drawback of group or committee ownership is that it is hard to hold the entire group accountable. Absent any strong oversight from a management-level risk committee, the group can easily end up pointing fingers when things go awry or otherwise sit around and talk about a risk without ever taking any action.
These management-level risk committees can benefit the organization in many ways, including building a positive risk culture. Click here to learn more about oversight…
As you can see, your organization’s culture is a key part of determining the best model for assigning risk owner(s).
A Word of Caution
Developing your organization’s risk ownership process will take time and require a bit of trial and error, and above all, patience. Long before any risk owners begin their work and report their activities into a software system and to executives, definitions on roles and responsibilities and a consistent language must be developed, plus training for everyone involved.
This, of course, is all in addition to other phases of the risk management process like identification, risk assessment, setting risk appetite and tolerance, and more. But risk ownership should be embedded throughout the process of managing risks; after all, the risk owner will be your main contact for a risk. And by all means, don’t overlook the relationship factor and how it can support ERM success.
If done properly though, having individuals throughout the organization “own” and therefore be responsible for certain risks will go a long way to building a long-term, value-driven ERM program.
Has your organization embarked on assigning risk owners? What roadblocks have you encountered and how did you work around them?
I’m interested to hear your thoughts and questions on this important, yet rarely discussed, topic within ERM. Please don’t hesitate to leave a comment below or join the conversation on LinkedIn.
And if you’re struggling with this part of the ERM process or simply need a little outside guidance on setting up a lasting process, please reach out to me via email or phone to discuss your organization’s needs today!