Risk Tip #7 – Risk Ownership: let’s turn it on its head
For too long, risk ownership has been pushed down to the lower levels of organisations in the belief that ownership of the risks should reside with managers that own the specific functions.
On the surface, that may seem reasonable and appropriate. However, over the last few months I have taken a different view, one that may just turn risk ownership within organisations on its head. My model for risk ownership is all about raising the level of ownership to the highest levels of the organisation, where the authority for decisions relating to the risk actually resides.
There are two reasons for this view.
- Firstly, having ownership at the lower levels of the organisation leads to significant duplication and confusion; and
- Secondly, the controls that reduce the risk levels are owned at the higher levels of the organisation, so having ownership of the risks at a level lower than the level of control ownership makes no sense.
The same risk in multiple registers means the risk can’t be managed
I have recently been reviewing risk registers for a range of organisations and, in doing so, a number of patterns have emerged:
- All functional areas had their own risk register;
- The same risk, or variations of the same risk, were evident in each of the risk registers;
- All these similar risks were given different owners within each functional area;
- Each of the registers had their own unique treatment actions for the risk (a risk in itself); and
- There was no coordination of any of the actions in relation to the management of the risk.
Hypothetically, let’s use the example of a Council with the following structure:
In this example, we will focus on the Aged and Disability Services section within Social and Community Services. Its structure is:
If we focus on the Council’s in-home meals program, it could have the following risks:
- Contaminated food delivered to in-home meals recipients
- Assault of in-home meal recipient by delivery driver
- Assault of an in-home meals delivery driver by a client
- Theft of in-home meals client property by delivery driver
- Vehicle accident during delivery
If we look at this list of risks, we can make a case that there are other sections of Community Support Programs that would have similar risks. We could also make a case that there are other parts of Council where staff members interact with the public, and other parts of Council where staff operate vehicles. If we push ownership of the risks to the lower levels of Council, it is conceivable that the same or similar risks will appear in multiple risk registers. This will result in:
- The potential for different functional areas within the same organisation to duplicate treatments already being undertaken in other functional areas;
- The potential for assumptions to be made that controls/treatments are being undertaken in another part of the organisation; and/or
- The introduction of new treatments that result in additional risks or impact the risk level of an existing risk.
What needs to be recognised is that the causes and consequences are going to be the same no matter where they occur within Council. If we look at our Council’s in-home meals program example, we can see that these causes and consequences are likely to be the same for a similar risk in other functional areas of Council as shown below:
Risk Name: Assault of in-home meal recipient by delivery driver
So, what does this mean?
Quite simply, it means that we can capture these risks as enterprise-level risks, i.e. risks that exist in multiple areas of the organisation. This means that we can now capture our risks as follows:
- Contaminated food served at Council location or to Council client
- Assault of in-home client by Council staff member, volunteer or contractor
- Assault of Council staff member, volunteer or contractor whilst conducting operations
- Theft of client property by Council staff member, volunteer or contractor
- Council staff member, volunteer or contractor involved in vehicle accident whilst conducting operations
There may be causes that are specific to certain functional areas, and these can be noted against the enterprise-level risk in the risk register. The functional area then doesn’t require a separate risk, which means you have effectively removed unnecessary duplicated risks.
That, in itself, is a good enough reason to adopt this approach, but, surprisingly, it is not the most compelling reason.
My biggest issue in relation to driving risk ownership to the lower levels of the organisation is the fact that the controls mitigating the risk are owned, for the most part, at the corporate level. This means that those given responsibility for the ownership of the risk do not own any of the controls that are reducing the likelihood and/or the consequence of the risk and, more importantly, they have no visibility of the effectiveness of those controls.
If we go back to our “Assault of in-home meal recipient by delivery driver” risk:
Risk Name: Assault of in-home meal recipient by delivery driver
If we then look at the controls associated with this risk, an interesting pattern begins to emerge.

Risk Name: Assault of in-home meal recipient by delivery driver

| Cause | Control | Control Owner |
|---|---|---|
| Lack of/ineffective background checking of staff at time of recruitment | Recruitment Policy includes requirement for background checking | HR Manager |
| | Policy requiring personnel within Council working with children and/or vulnerable people to hold a current certificate | HR Manager |
| | Certificate register | HR Manager |
| Lack of/ineffective training in conflict de-escalation | Conflict Resolution training for all personnel working with the public | HR Manager |
| | Training register | HR Manager |
| | Annual refresher training as part of mandatory induction program | HR Manager |
| Driver under the influence of drugs/alcohol | Substance Abuse Policy | HR Manager |
| | Substance Testing Policy | HR Manager |
| | Training for managers in recognising the signs of personnel under the influence | HR Manager |
| Lack of/ineffective supervision | Policy relating to visitation of clients by supervisors | Director Social and Community Services |
| | Substance Testing Policy | Director Social and Community Services |
| Lack of/ineffective understanding of pre-existing conditions of client | Policy relating to health and wellbeing assessment of clients | Director Social and Community Services |
| | Procedure relating to health and wellbeing assessment of clients | Director Social and Community Services |
| | Register of health and wellbeing assessments | Director Social and Community Services |

What we can see from this table is that the ownership of the controls associated with the risk rests with executives at the corporate levels of the organisation. So how can we push ownership down when the “owner” of the risk – in this case the Team Leader of the Council’s in-home meals program – has absolutely no visibility of the effectiveness of the controls and, in most organisations, will not have the authority to even ask the question?
This then leads me to my rule of thumb when it comes to risk ownership within an organisation: Ownership of the risk must be allocated at a level at or above the highest level of ownership of the controls controlling the risk.
In the case of the risk “assault of in-home client by Council staff member, volunteer or contractor”, ownership could sit with either the Director of Corporate Services or the Director Social and Community Services. If there were other parts of Council outside of Social and Community Services where staff were entering clients’ homes, my call would be that the owner of the risk should be the Director of Corporate Services.
If we take this approach within our organisations, we would achieve the following:
- Significant reduction in the number of risks;
- Improved coordination;
- Significant reduction in duplication;
- Ownership at the appropriate level of authority;
- A greater capacity to actually manage the risk.
In taking this approach, I have reduced the number of risk registers by up to 97% and the number of risks within an organisation by an equivalent amount, while at the same time achieving a greater understanding of the risk profile of the organisation.
This approach may not satisfy the conventional wisdom surrounding risk management, but would you rather do risk management or manage risk?