Who owns and is responsible for a risk?
There is a maxim that every risk should have a “risk owner”. Let’s examine that rule.

But first I want to share what Adrian Wright, CEO of 1GRC, wrote on one of my recent posts:

IMO one of the key tasks of the risk function – be it CRO or Business divisional, is to facilitate the dialog with the business needed to identify risk owners, assign clear responsibilities to them and instruct them on what they need to do to carry them out. Including any assessment and process around risk acceptance.

Where organizations get it wrong is in allowing ownership of all identified risks and remediation thereof to fall to some core risk function that is not within the business.

I totally agree with his last statement. The only risks the risk function itself owns are those arising from the possibility that it is ineffective or makes serious mistakes that lead managers to make poor decisions. For example, if the function is tasked with using a Monte Carlo simulation to assess a situation and makes errors in the process, that error is the risk function's to own.

In a later comment, Adrian expanded on his point:

Norman, the thrust of my original comment was around assigning the ownership of risks to their appropriate (business) owners, rather than the subsequent risk methodology used. But as we are now talking about contrasting downside risks and potential business (risk) opportunities in order to…
