Accountability for Risk Management in your Organisation
Well hello, and welcome.
In this blog I want to talk about something I'm often asked about in courses: how do we actually get accountability for risk and risk management into position job descriptions? We are starting to see a lot more of not only responsibility for risk management, but accountability as well.
Now, I have a potentially different perspective on this from others. I believe that you can be responsible for the management of a particular risk, as a risk owner. However, suppose that as a risk owner you have done everything in your power: you have made sure that every current control is effective; you have made sure that every new treatment has been implemented; and you have continuously communicated and consulted with your stakeholder community about that particular risk. If you have done all of those things and the event still occurs, I do not believe that you can be held accountable, because let's face it, risk management does not eliminate risk. What risk management is about is reducing the level of risk down to a residual that is within, if we can manage it, our appetite as an organisation. But the reality is that no matter what you do, stuff still happens.
Now, of course, if the risk owner has not assessed the current controls, has not put in the treatments and made sure those treatments were done, and is not communicating and consulting around a risk, and that risk does occur, then absolutely they can be held accountable, because they have not done everything in their power to stop it happening. So it's a really fine line. You can be accountable for certain aspects of the management of the risk, but I do not believe you can be held accountable for the outcomes that occur, because, as mentioned, stuff happens in an organisation.
It is much the same way we talk about control ownership. Those who own controls within the organisation can be held accountable for making sure that the control is effective, because that is completely within their sphere of influence.
Risk, however, where we are talking about potential events and their outcomes, is not within our complete sphere of influence, so the outcomes still could occur. Let's paint a particular scenario in which the risk owner has done everything in their power to reduce the risk as low as they can. They are continually monitoring and reviewing the situation, but the risk continues to bubble along, whether at a low level, medium level etc., and the event occurs. It is unfair, and in fact completely wrong, for the board or CEO of the organisation to then go out saying, "Well, you were responsible or accountable for that risk occurring." That is not correct, particularly if the risk owner can demonstrate that they have done everything in their power.
So when you're thinking about writing accountability for risk and risk management into job descriptions, people can be accountable for the management of the risk, but I do not believe they can be accountable for the outcomes if they have done everything required around the management of the risk.
It might be something you want to discuss in terms of your organisation, and think about how you are going to approach it.
That’s all I’ve got for this particular session, and as always, let’s be careful out there.