Recent experience of helping new clients develop information asset based risk management processes has given me more insight into who REALLY owns risks (and opportunities). Most of my work has been in the context of a risk process aligned with ISO 27001 requirements, but some risk assessments had very specific requirements that called for an approach tailored to the organisation. In one case there was an Excel template with embedded instructions that referred to worksheets and columns that weren't in the template. No one had a definitive answer on what was actually required, or could show me a fully completed working example, so we just got on with populating it together with the client, based on what it probably should contain.
The good news is that each of the risk assessments was seen as a useful way to highlight different levels of risk and opportunity to the business. Taking a step back, the first step, before anything else was started, was to agree the risk management process/methodology and the 'risk appetite', the threshold above which a risk has to be treated rather than simply accepted. The appetite varied and depended on the context of the organisation.
After the risk assessment, which required input from different business areas and asset 'owners', there was a list of risks above the appetite value that needed to go into the Risk Treatment Plan (RTP). A discussion took place on what to do with each one: treat, terminate, tolerate or transfer. It usually didn't take long to get agreement; in some cases internal politics seemed to push the decision towards one option rather than the one that would usually be selected in other organisations, but there is no right or wrong way to do this. It was never a difficult process to create an RTP that identified what needed to be done, who was responsible for taking any required actions and the target completion date.
At this point you would think there were owners for the risks. It wasn't that simple in some cases. Some organisations discussed getting risk ownership (i.e. accountability) embedded in business areas and wanted, for example, HR-related risks to be mainly the responsibility of the head of that team. There were rigorous (or should that be heated?) discussions on which risks could be split out without compromising the aim of having clear accountability for owning and managing each risk. The answers depended to a large extent on the culture of each organisation. For some, ownership sat at a high level, with Heads of Department responsible for 'types' of risk such as HR or IT related; for others, a specific job role was responsible for one or more individual risks.
The key things are making sure there is clarity on the ownership of risks and opportunities, and that this is accepted a) by the person or team that needs to be accountable and b) by senior management, who need to enforce sanctions if ownership isn't being taken. The way you know whether this is working is when the next risk assessment is done: if someone isn't sure what they own, what the risk or opportunity means, or what measures are in place to manage or mitigate it, then something is wrong.
If you are thinking about moving to a more formal risk assessment process and want someone objective to ask the question 'So tell me... who owns this risk?', then get in touch.
t: +44 (0)7941 188462