Accountability in Risk Management
In this session what I am going to talk about is accountability in risk management. Now we've previously talked about risk ownership, but what I'm going to focus on today is purely the accountability side, and I'm going to break it down into three distinct ownership categories.
First and foremost there's the risk owner, then there's the control owner, and then there's the treatment owner. So the risk owner is responsible for the oversight and the day-to-day management of that particular risk. They are monitoring the control environment to make sure that it's effective.
They are monitoring the environment to see if there are any changes to the risk. And they are monitoring the treatment owners to make sure that they are putting those treatments in within the time frames that are stated. Now, in terms of accountability, can they be held accountable for the effective management of that risk? Well, absolutely.
They have the accountability to do all those things that I've discussed. Then there's the control owner. They are responsible for making sure that the control is effective, putting in place a program whereby they can measure its effectiveness, the key performance indicators against that particular control, and they can be held accountable for that.
You can actually put the control ownership for that person into their position statements and their performance reviews.
Then there's the treatment owner. Now the treatment owner is responsible for the implementation of the treatments that have been designed as part of the management of that risk, above and beyond the controls that are already in place. Now, they are accountable and responsible for making sure that the treatment is done within the allocated time frames and to the performance standard that is required. So yes, they can be held accountable for that as well.
Now here is the problem. What about the accountability of the risk owner if the event actually occurs? I've been quite privy to this, because a number of people who have come on my courses have said, well, I was a risk owner and I did everything humanly possible, but the event still happened and I was held accountable for that.
Well, here's the thing: even if you do have all the controls in place and they are effective, and even if you put additional treatments in and they are effective, there is still residual risk.
The only way you can get rid of that risk is by avoiding the activity altogether. Now therein lies the rub: if that event does occur, is it because of the incompetence or negligence of the risk owner? Probably not. What we need to understand is that a risk has a chance of happening.
We have taken all the steps to control it, but that chance, although it may be lower, is still there. So if a risk owner has done everything in their power to make sure that that risk doesn't occur and it still eventuates, management needs to have some more maturity about them and say, okay, we did everything we could, it still happened. And then we do our post-event analysis, which was the subject of another blog that you might want to go on and have a look at.
Remember, everything that happens is a system failure. There is no such thing as a single-cause failure; it is a systemic issue, and so how can the risk owner be held accountable for what occurs?
So, responsibility, yes. Accountability for the management of the risk, yes. For the actual event, if it happens, well, if they've done everything humanly possible, then please don't look for a scapegoat.
That's all I've got for this particular topic. As always, let's be careful out there.