
Who owns and is responsible for a risk?

October 15, 2021

There is a maxim that every risk should have a “risk owner”. Let’s examine that rule.

But first I want to share what Adrian Wright, CEO of 1GRC, wrote on one of my recent posts:

IMO one of the key tasks of the risk function – be it CRO or Business divisional, is to facilitate the dialog with the business needed to identify risk owners, assign clear responsibilities to them and instruct them on what they need to do to carry them out. Including any assessment and process around risk acceptance.

Where organizations get it wrong is in allowing ownership of all identified risks and remediation thereof to fall to some core risk function that is not within the business.

I totally agree with his last statement. The only risks the risk function owns are those arising from the possibility that they are ineffective or make serious mistakes that lead managers to make poor decisions. For example, if they are tasked with using Monte Carlo simulation to assess a situation and make errors in the process, that failure is theirs to own.

In a later comment, Adrian expanded on his point:

Norman, the thrust of my original comment was around assigning the ownership of risks to their appropriate (business) owners, rather than the subsequent risk methodology used. But as we are now talking about contrasting downside risks and potential business (risk) opportunities in order to maximize overall business performance; we are not in disagreement.

To paraphrase some of your own writings, you gave an example that the King IV code now talks about ‘the oversight of risk and opportunity management’. And the tools and techniques traditionally used to manage potential harms (downside risks) might be used to manage the potential for gain (opportunities). From this current discussion, we can also add in business performance (as in not impacting it, and potentially enhancing it) through improved RM.

In fact, I was recently moved to produce a Venn diagram in an attempt to illustrate these interactions. It’s not exact, as in the real world the bubbles are not of equal sizes and there are bigger and more overlaps than the diagram can show, but I find it’s a useful start point for starting to get the business to understand the potential benefits that can be achieved.

Venn diagram

I think Adrian has done some excellent work. His Venn diagram could lead to some interesting discussions.

However, I want to come back to the idea that every risk should have an owner.


What I have said in the past is that whoever owns a performance objective should also own the management of the risks and opportunities that might affect its achievement.


Take the example of the possibility that a cyber breach could result in the loss of customer personal data, intellectual property, business disruption and ransom payments, or damage to the organization’s reputation.

Who is affected?

Who should make the decisions about how much risk to accept, whether the current level of threat is acceptable, how much to invest in reducing the threat, and so on?

A breach could result in a failure to achieve several enterprise objectives, including:

  • Revenue targets
  • Customer satisfaction
  • Organizational reputation
  • Compliance with regulations and the expectations of the community
  • Product competitive advantage (if competitors gain access to our IP)

Does the CISO “own” the risk? Does the head of Sales or Compliance?


I could argue that the management team “owns” the risk, but that is not particularly helpful.


Let’s take another example: the possibility that a customer could default on their account.

Who does that affect? It can affect several enterprise objectives, including:

  • Revenue targets
  • Cash flow (and the use of that cash for marketing initiatives or major projects)
  • The company’s share price

Who “owns” the risk? Is it a useful concept?


Here’s my suggestion.

Instead of defining an owner for every risk, determine who will make related decisions and who will take related actions, including monitoring.

These are not necessarily the same people!

In fact, identifying “action owners” instead of “risk owners” can lead to the sort of discussions among the various involved parties that can lead to taking the right level of the right risks.


This is a new concept. What do you think?

  1. October 15, 2021 at 11:29 AM

    Norman, you are absolutely right. Ownership must exist at the objective, outcome or action levels and accountability may be diverse and shared.
    I have been around for a while but I have never seen a job posting for a “risk owner”, never seen a training course for risk owners, never had a recruiter call me looking for one, never seen a book aimed at or written by any risk owners and never seen a performance evaluation for a risk owner or a resume from a risk owner. Risk ownership (along with control and process ownership) are fictional concepts we have developed and do not exist in any meaningful way.

  2. October 15, 2021 at 11:49 AM

    Defining risk ownership – big mistake. Who exactly owns an economic downturn? Or a change in regulation? And why waste time worrying about it? A better way is for individuals to take responsibility for the processes and strategies that they oversee. And within those strategies and processes are assumptions (e.g., the economy, regulation). It’s these types of assumptions that form the base for uncertainty. And, in the real world, dozens (hundreds?) of individual strategies and processes are based on similar economic assumptions (or regulatory, legal, staffing, retention, etc). So, hold people accountable for their specific assumptions (without trying to assign risk ownership) as well as their ability to monitor and adjust when those assumptions change. As you suggest, whoever collects the data (monitoring) is irrelevant. That just needs to be accurate and timely so that every process owner can see when their underlying assumptions fall out of tolerance and make rapid adjustments to their strategies and processes.

  3. October 15, 2021 at 1:02 PM

    I’d come at the problem from a different angle. Who is responsible for the controls which mitigate the risks?

    • Norman Marks
      October 15, 2021 at 1:04 PM

      David, who decides whether the level of risk is acceptable? Who monitors to know where it is? I suggest “mitigate” is a bad word as it suggests that you always want to reduce it. Tell a salesperson you want to mitigate revenue risk and they will show you the door.

      • October 15, 2021 at 2:03 PM

        Norman… but I would talk about a revenue opportunity.

        • Norman Marks
          October 15, 2021 at 2:24 PM

          It’s both, right?

          • October 16, 2021 at 9:14 AM

            Norman, it is both. When I was in charge of Credit Control we had to balance the opportunity of sales against the risk of defaulting on payment.

  4. October 15, 2021 at 2:04 PM

    Interesting concept and “fresh” insight, Mr. Marks; I will dare to challenge it.

    A possible con of the concept of determining those who will make related decisions and who will take related actions, instead of defining an owner for every risk, is that this will complicate the risk management (hereinafter, RM) process, in the sense that besides the usual risk owners (as a category), there will now also be the action owners (the 2nd category). In practice, in standard RM (or RM1, as Alexei Sidorenko would call it), the risk owners and those responsible for deployment and implementation of response actions are usually the same persons.

    Based on my experience I tend to say that the concept of risk “ownership” is a useful approach, also from the perspective that there should be a “scapegoat” available to be held responsible by the Executive Management in the scenario of materialization of some high impact risk event. Though, for sure, there are downsides and inherent limitations of the risk ownership concept; for instance, who shall be the owner of “economic recession risk” or “political risk”? Well, you may assign the Government of the respective country as the owner of these risks, but to what extent will the respective company (impacted by these external risks) be able to take advantage of this?

    Here, in the scenario of external risk events, I found particularly interesting your concept of determining who will make related decisions and who will take related actions, as there will be no added value in trying to assign the “ownership” of these risk events, which are out of the control of the respective company and triggered exclusively by external factors.

  5. Osama Salah
    October 15, 2021 at 10:48 PM

    ISO 31000 defines it as a “person or entity with the accountability and authority to manage a risk”. To me, that sounds like the risk owner doesn’t necessarily “… make the decisions about how much risk to accept, whether the current level of threat is acceptable, how much to invest in reducing the threat, and so on?”
    A single person is unlikely to be accountable and have authority unless you go up very high in the hierarchy, which makes it useless.
    An entity might have accountability and authority but then that entity would end up “owning” pretty much all risks. That’s not meaningful either.

    Your conclusion to separate decision-making from taking action is what actually happens on the ground. The role of “action owner” is more practical.

  6. Mike
    October 16, 2021 at 10:44 PM

    Norman, I like your point of having an action owner; I would add to it the need for a performance management or monitoring owner. The person implementing might not always be the decision maker or policy setter. One other additional approach for consideration is looking at who is the owner of the business objective rather than individual risks. Also keep in mind that deciding on owners is also dependent on the nature of the organizational structure that is applied; different approaches might be more appropriate for certain organizational structures. A single risk can also apply to or be linked across various lines or functions within the business, much like the cyber risk example discussed; joint decision making may be required in these instances to determine risk actions or responses. You need someone to have a lens over all the owners identified to ensure silos or mismatches don’t develop; a good Risk Management function, whilst not owning the risk, should help facilitate this lens.

    • Norman Marks
      October 17, 2021 at 7:03 AM

      Well said, Mike

  7. Ram Marappan
    October 17, 2021 at 10:49 PM

    Thanks for sharing, Norman. Let’s take a scenario related to risk assessment and treatment. HR is collecting, processing, storing and using personal data of employees. This data has been classified by HR as confidential as per the criteria laid down in the information classification policy.
    Question: who should classify the information? It is the role that is accountable for ensuring that personal data is not exposed to an unauthorized party. In this case it is the HR Head. So the HR head is the data owner.
    How will the data owner ensure that appropriate controls are in place to protect the data? This is where the data owner will request the custodian to do a risk assessment and risk evaluation and recommend controls to be implemented to manage the risk.

    Based on this scenario, the HR director is the risk owner, and the technical team analyzes, proposes controls and implements them after being authorized by the risk owner.

    If the risk is across multiple business applications, then the owner should be the next higher level or the chief risk officer and, in some cases, one of the heads of business services.

    • Norman Marks
      October 18, 2021 at 6:51 AM

      Ram, would the CISO and CIO agree that HR is not the data owner? I don’t think it’s as simple as you suggest. The CRO should never be the risk owner as they neither make decisions nor operate related controls.

  8. Adrian Wright
    October 19, 2021 at 7:22 AM

    The term ‘Risk Owner’ is imo a placeholder tag for the responsibility that needs to be assigned to an accountable individual with the appropriate authority in order to become a ‘role’. The accountable Risk Owner is responsible for getting things done; not necessarily doing all the work themselves. Think of it as a Project Owner. They own the responsibility for delivering the final product to the business, but not necessarily acting as the project manager, developers, IT implementation, security consultant, etc. They will effectively ‘outsource’ all of these tasks to the appropriate parts of the project team or business functions who need to deal with them.

    The accountable Risk Owner for a given asset, e.g. system, application, database, building, whatever; can and should be appointed before any risks are identified. They should also be someone close to, and knowledgeable about the asset(s) and their associated business uses and identified risks. Part of the role is to ensure that initial and recurring risk, impact, testing, and compliance assessments are carried out. These in turn will identify risks for which they then become responsible in terms of achieving acceptance, assignment, or mitigation.

    There may be multiple types of Risk Owner for a given information asset. Apart from the security risks identified, there may also be a need to appoint specialist owners or custodians for other aspects such as Data Privacy, Legal Compliance, Technical Infrastructure, etc.

    To address another point that somebody raised earlier regarding (the most appropriate) appointed Risk Owners being too senior, too busy, or too distant to perform the role unaided: this often happens, so imo it is highly advisable to create Delegate Owner roles for every appointed Risk Owner, whereby the ownership authority can be delegated to somebody more hands-on to carry out as required, who keeps the primary risk owner informed and involves them in any final decisions, sign off, etc.

  9. sean coleman
    October 19, 2021 at 8:37 PM

    It is probably a good idea to have an overall risk owner but to have sub action owners who support the overall action or objective as risks rarely exist in isolation. Risks can sometimes conflict and it is best that this conflict is identified so that a balanced decision is reached.

  10. Judy M Beeson
    October 21, 2021 at 4:59 PM

    If I understand your final comment about action owner vs risk owner, I think we are aligned that the starting point is accountability (ownership).
    Too often people like to say someone else owns something they own. Business may push automated business process ownership to the information technology (IT) team because IT provides the automated tool that was defined by the business’ requirements. I found in a project I did it was important to differentiate the following when assigning accountability:
    • Policy Owner – the executive owner who has the authority to create/change policy; therefore, owning the risks over the effectiveness of the policy
    • Policy/Process Executor – the executive over the area that interacts with the business or customers to generate revenue/prevent loss; therefore, owning risks over efficiency of process execution.
    • Data Owner – determined based on which area of the business benefits from gathering this data, such as, employees (HR), invoices (sales) or purchase orders (purchasing).
    • Risk Manager – central point of contact for risk assessments – monitors effectiveness of risk assessment process. Monitors but does not own risks.
    • Internal Auditor – provides assurance to management that processes operate efficiently and effectively to safeguard assets and comply with laws and regulations. Provides assurance related to risks but not a risk owner.

    • Norman Marks
      October 21, 2021 at 5:01 PM

      Well said, Judy
