Updated: Jul 22
I once worked for a company that had multiple programs to address concerns such as: process safety, occupational safety, loss prevention, emergency preparedness, and several others. All of these programs involved contending with risk to various degrees mostly independently from each other.
Over the years it became clear that their risk capabilities had not progressed as well as other aspects of their compliance programs. So a decision was made to improve the situation, which resulted in the hiring of a risk manager.
The goal for this new manager was to establish a consistent risk framework to be used across each of the compliance programs. This outcome was mostly achieved, but with an unintended consequence. Managers of the compliance programs, along with asset owners, now believed that they no longer needed to manage risk, as the company had hired someone else to take care of it.
The ownership for risk started to migrate from where it once was to the new risk manager. Not all at first, but over time the culture started to change, and then the practice, as it almost always does in these kinds of situations.
If this sounds familiar, it might be because you have heard this story before in connection with your own initiatives. You may have heard the following:
I don’t have to manage quality; we have a department that does that.
I don’t have to manage security; we have someone who does that.
I don’t have to manage safety; we have a safety manager who does that.
We believe that by transferring responsibility we are also transferring risk.
Why does this happen?
Organizations that try to improve their compliance often start by breaking down silos and consolidating effort into a centralized function. This almost always ends up with the ownership of risk being transferred along with the effort. The distinction between accountability and responsibility has been confused, and therein lies the rub.
Those that are accountable for the objective should also be accountable for the risk. This is implied by ISO 31000, which defines risk as the effect of uncertainty on objectives. The ownership for risk must remain closest to those that are answerable for the objective. Even when the objective is transferred to a third party, the accountability for the objective is shared, and so should the risk be.
You can delegate responsibility for risk identification, analysis, treatment, and monitoring to others. However, if you own the objective, you cannot delegate your ownership of risk. In essence, risk can never be transferred.
Who owns risk within your organization?
If you have a department or manager who takes care of risk and compliance, then you have most likely fallen into the same trap that many others have.
If this is your situation, then it may be time to make sure that those who are accountable for objectives remain accountable for risk.
The first step is to take ownership of all your obligations, which is necessary before any accountability can be assigned.