Ownership in Risk Management
Hello again. In this session, what I want to talk about is something that people often ask me about: risk ownership, or more correctly, the different elements of ownership across the organisation as they relate to risk.
There are three distinct types of ownership within the risk management program, or within the risk management process itself. Obviously, we have the risk owner. The risk owner is the person who has the most knowledge about the particular risk. It might be within their remit in terms of their responsibilities, but we need to make sure that the risk owner has the necessary level of authority to be able to spend resources and to task people to undertake the treatment strategies directed at that particular risk. Then we have the control owner. As you would be aware, when we identify a risk, we look at what the risk title is, or the event that can happen, what would cause it to occur and what its consequences would be, and then we ask the fundamental question: what controls are currently in place, and how effective are those controls?
Now, every single control within an organisation needs to have a control owner, and that control owner is responsible for oversight of the control to make sure it is effective. They are also responsible for measuring, or directing the measurement of, the effectiveness of that control. They are responsible for reviewing and updating that particular control over time, and they are also responsible for informing not only the risk owner but also, for very important controls, the executive when that control is starting to become less effective.
So we have the risk owner, who is responsible for the risk, and we have the control owner, and in most cases those will not be the same people. The third and final element of ownership is the treatment owner. The treatment owner is not necessarily going to be the risk owner or the control owner – in most cases they won't be – but the treatment owner has the responsibility for carrying out the treatment plan or treatment strategy that they have been directed to do.
We have these three levels: the risk owner, the control owner and the treatment owner. Each of them needs to know what the others are doing. There needs to be communication – constant communication – between the three owners. That is particularly the case for risks within the organisation where the consequences of failure are of the highest level. So if you do not have ownership assigned to your risks, you need to do that, and it needs to be a single individual. It cannot be a committee and it cannot be "all staff". That is not risk ownership. Control ownership, once again, needs to be allocated to a single individual, and treatment strategies, like the other two, to single individuals. If you have not got that in your risk register, then you really need to do it, because if there is no ownership, nothing is going to happen. Remember: risks without owners will never be managed, and neither will controls, and treatments without owners will never be done. That's all I've got for this session. As always, let's be careful out there.