Do You Have the Right Risk Owners?
Risk Managers and Risk Owners Are Different
A common misconception in many organizations is that risk managers also own and manage risks. That’s not the case. In fact, if you ask a company to identify its risk owners, the answer that you get will give you a good idea about the maturity of its risk management framework and the presence (or lack of) a risk mindset throughout the organization.
Some of you may be thinking “If risk managers are not risk owners, then who are the risk owners?” The answer is operational management. An organization with mature risk management is one where operational managers are responsible for owning and managing risks. For example, an EHS manager would be responsible for occupational safety and health risks, an HR manager would be responsible for HR risks, a procurement manager would be responsible for supply chain risks, etc. Risk owners are responsible for the following:
- Identifying, assessing and mitigating risks.
- Implementing corrective actions.
- Implementing and evaluating controls.
Risk Owners Are Pieces of a Bigger Puzzle
The next question you may be asking is “If they’re not risk owners, then what do risk managers do exactly?” The answer can be found in the Three Lines of Defense model, which is explained in a position paper by the Institute of Internal Auditors and illustrated below:
The first line of defense owns and manages risks. Operational management is responsible for ongoing activities such as identifying, assessing and mitigating risks. The second line oversees risks. This is where risk managers are located. The second line of defense makes sure that the first line is doing its job. Risk managers make sure that operational managers are implementing effective risk management practices. They also assist risk owners with risk evaluation by taking into account the company’s risk appetite, and help risk owners report risk information. Finally, the third line of defense provides independent assurance. Internal audit assesses the effectiveness of the first and second lines in achieving risk management objectives, and the effectiveness of the risk management and internal control framework.
An Example with an EHS Manager and a Risk Manager
Let’s use an example to distinguish risk owners and risk managers. The rate of injuries at a company is higher than the industry average, therefore the company wants to reduce risks of incidents to prevent injuries. In this case, the EHS manager owns the risk. He is responsible for putting measures in place to mitigate the risk. For example, he may decide to implement a system to capture observations and near misses, in order to better identify workplace hazards. He would then implement corrective and preventive action plans to address the hazards and reduce risks of incidents.
For her part, the risk manager would make sure that the EHS manager is following best practices and internal procedures regarding the identification, classification, treatment, and documentation of risks. She would also help the EHS manager evaluate the level of EHS risks by taking into account the company’s risk appetite, i.e. the general level of risk that the company is willing to accept while pursuing its objectives. For example, if the company has aggressive productivity objectives, would these objectives be in conflict with the more important objective of mitigating risks of workplace incidents?
Software Improves Risk Management
For operational managers, it might be intimidating when they realize that they also own risks. Many don’t have formal risk management training. But risk management software can ease the burden by guiding users to properly identify risks and control measures. In addition, consistent terminology, processes and workflows get used across the organization through the common risk management system.
More importantly, risk management software strengthens the three lines of defense by increasing cooperation, breaking down barriers and eliminating silos. When the EHS manager enters risks and controls in the system, the risk manager sees the same information, and the internal auditor can assess the effectiveness of the risk management framework by leveraging the same information.
Finally, if the EHS manager uses EHS management software that is part of the same, integrated platform as the risk management software system, then risk information gets captured more accurately and automatically, which improves risk management and produces more productivity enhancements and time savings.