Responsibility, accountability and authority
In this session I’m going to talk about responsibility, accountability and authority in a risk management framework.
Now, one of the things that I think we need to really recognise right from the get-go is that risk owners, they are responsible for the overall management and coordination of the organisation’s response to that risk.
Now they need to coordinate the control owners and the treatment owners, and they need to be scanning the environment, checking to see if any of the triggers that they might have identified are actually happening.
They can be held accountable for the management of that overall risk, but the thing that they cannot be held accountable for, however, is if the risk eventuates and they’ve done everything that they can.
See, a risk, even if you’ve managed it, there is a residual, and it can still occur, so to then hold somebody accountable when everything has been done to try to stop that event occurring, well, that’s just nonsense.
So yes, you could be held accountable for the overall management of the risk, but you shouldn’t be held accountable for the outcome if that event comes to pass.
Now we all talk about roles and responsibilities in our plans and so forth, and that is an important part of our risk framework, but do we go and check to make sure that the person who is given those roles and responsibilities has the necessary authority to be able to prosecute those particular roles and responsibilities?
What I mean by that, if you’re a treatment owner do you actually have the delegation to be able to spend the money required or coordinate other parts of the agency or organisation to ensure that the job gets done? For a risk owner, the same thing, do they have delegations? Do they have the ability or authority to actually go and talk to other parts of the organisation that might be outside of their particular stove pipe or their ‘cylinders of excellence’ as I call it?
Now, by making sure that everybody in the organisation who has roles and responsibilities for the risk management function also has the necessary authority to prosecute them, that will mean that your framework is going to be far more effective.
So I guess the challenge here is to go back to your risk documentation and have a look at the roles and responsibilities that you’ve identified in those and actually check that the people that you’ve given the roles and responsibilities to have the authority to undertake them.
It’s not the fact that you don’t have roles and responsibilities that is going to render the risk management framework ineffective; it’s giving out those roles and responsibilities but not giving people the necessary level of authority to prosecute those responsibilities that’s going to make the risk framework not as effective.
So once again, the challenge here is to go back and check your documentation and make sure that those people do have those authorities. And please, when a risk or an event occurs and it’s something you’ve managed and has been managed by the risk owner and everything humanly possible has been done, please don’t then seek a scapegoat.
Please don’t then blame the risk owner, because a risk has a chance of happening. Even if you’ve managed it and treated that risk, it still has a chance of happening. So please don’t look for a scapegoat, please don’t hold those people accountable if they’ve done everything they can.
Well that’s all I’ve got for this session.
As always let’s be careful out there.