This post continues my “essence of ERM” series. The goal of this series is to address all manner of risk management topics in small sensible components. I’m writing this series to help make risk management a practical tool for organizations of all types.
This post is about risk ownership.
Many organizations try to implement risk management in a way that includes the idea that individuals own risks. Examples that I’ve seen include the CFO owning “Financial Statement Reporting Risk” or the Chief Counsel owning “Compliance Risk”.
This concept of risk ownership is based on a weak foundation. People really don’t understand what it means to “own” a risk.
When you say that someone owns a risk, you’re really implying that the person owns an objective. The CFO owns the objective of issuing financial statements according to professional standards. The Chief Counsel owns the objective of reasonably complying with laws and regulations. From a purely psychological sense, most people are more comfortable with the concept of owning an objective rather than owning a risk. We know how to own and embrace an objective.
Another problem with the concept of risk ownership is that real risks, rather than broad generalities, are often obviously outside the control of an individual. That’s what makes them “risks”.
For example, if an organization is planning on expanding into a new service line, the strategy may depend on hiring experienced staff – a reasonable assumption. The clear risk is that it may not be possible to hire enough experienced people with a required skill set. How does the concept of “ownership” fit in here? Someone owns the objective of expanding into the new service line. That person also owns the strategy that will attempt to deliver that goal by hiring experienced staff. The risk that there might not be experienced staff to hire is simply an inherent part of the strategy; it is one of the things that can go wrong with this strategy. If the risk materializes, the strategy may need to be revisited and modified to incorporate the new, more complete, set of facts.
Here’s another illustration. Using the prior example, another risk might be that the economy will decline over the next 2 years. That would clearly impact the strategy associated with moving into the new product line. But, this same risk would also impact other strategies – perhaps dozens of other strategies. It might impact a plant expansion strategy. It might impact a compensation strategy. So – who would “own” the risk of an economic decline?
The essence of risk ownership is that no one can own a risk. People can own objectives and strategies. Risks are the things that you are not controlling within your strategy. Don’t waste your time identifying (and often negotiating) ownership of broad, general risk categories. In the end, it’s simply not actionable. Instead, spend that effort identifying which strategies are dependent upon outside factors that either you cannot, or choose not to, control – like the ability to hire experienced staff or a continuing improvement in economic conditions. Then, put a system in place to alert you when those uncontrolled risks are taking a turn for the worse. This allows you to quickly attend to the strategies that need to be revisited and reconsidered.
You can read more about my view of risk management (which I call Performance Risk Management) at Risk Leader (rskldr.com).