January 18, 2018

Do you have the right risk owners?

Job titles tell us more about employee roles and help us identify stakeholders. But job titles can also be misleading, especially in risk management. When you see a “Risk Manager”, or even a “Chief Risk Officer”, your instincts would rightly tell you that their roles have something to do with risk management. But if you go one step further and assume that a Risk Manager or CRO is also responsible for identifying and mitigating risks, you would be wrong.

Risk Managers and Risk Owners Are Different

A common misconception in many organizations is that risk managers also own and manage risks. That’s not the case. In fact, if you ask a company to identify its risk owners, the answer you get will give you a good idea of the maturity of its risk management framework and of the presence (or lack) of a risk mindset throughout the organization.

Some of you may be thinking “If risk managers are not risk owners, then who are the risk owners?” The answer is operational management. An organization with mature risk management is one where operational managers are responsible for owning and managing risks. For example, an EHS manager would be responsible for occupational safety and health risks, an HR manager would be responsible for HR risks, a procurement manager would be responsible for supply chain risks, etc. Risk owners are responsible for the following:

  • Identifying, assessing and mitigating risks.
  • Implementing corrective actions.
  • Implementing and evaluating controls.

Risk Owners Are Pieces of a Bigger Puzzle

The next question you may be asking is “If they’re not risk owners, then what do risk managers do exactly?” The answer can be found in the model, which is explained in a position paper by the Institute of Internal Auditors.