I’d like to consider for a moment the concept of risk ownership. ISO 31000 defines a risk owner as a “person or entity with the accountability and authority to manage a risk.” I’ve seen risk registers listing risk owners, but I don’t think I’ve ever met anybody who proudly proclaimed they were a risk owner.
I have never read a resume with a list of risks owned by a job applicant.
I have never seen a course at any level that offers training on how to be a risk owner.
I have never read a job description that specified risk ownership as a skill or duty.
I have never heard of anyone express interest in owning a risk.
And I have never attended a business meeting where people were asked to own a risk. Maybe I missed a few meetings or haven’t read some emails I should have, but the fact remains.
The notion of risk ownership to me is one of the many utterly silly concepts that populate the risk management profession. Risks aren’t capable of being owned.
What Do You Own Really?
You can—and should—manage risks, but the only reason for managing risks is to achieve objectives. The people who should manage risks are those responsible for business outcomes, for accomplishing specific objectives, and for adding and preserving business value.
Therefore, these responsibilities are what you should own.
Assigning ownership to risks just means that a business doesn’t understand, or perhaps doesn’t know, what its objectives are. Anyone who owns a risk but isn’t responsible for achieving a business objective is probably just getting in the way.
Risk management isn’t about risk—it’s about adding and preserving business value.
How does your organization manage risk? Have you seen the concept of risk ownership work effectively? If not, what does?