A common issue that arises when implementing an enterprise risk management (ERM) framework is “who owns, is responsible for, is accountable for risks and controls?” Clear risk and control ownership is critical to ensure that all risks are being managed and none are falling through the cracks and the main risk control has an owner who is accountable for the control’s performance. Equally, it is important that we are not duplicating effort through multiple owners.
A regular situation is where a business department uses IT systems. When “systems” risks are raised, we commonly hear from the business department manager that they do not own that risk, it is owned by the IT department! Although there will not be one simple answer, what logical rules can we use to determine what the ownership and responsibility situation should ideally be?
A starting point is to consider the definition of risk in the ISO 31000 risk management standard. In that standard, risk is defined as “the effect of uncertainty on objectives”. The starting point should therefore be business objectives. (Read the article 6 Key Questions to Define Risk Management Controls)
Using an example of a Call Centre
One of the objectives of a call centre will be customer service. There will be little debate that this objective will be owned by the Head of the call centre. One of the risks that could impact the customer service objectives would be IT failure and specifically system outages where the call centre staff member cannot access the customer details when they call. As this risk impacts the objective, it should be owned by the same department as the objective, i.e. the call centre.
The first general rule should therefore be:
The risk should be owned by the same department that owns the impacted objective
This general rule does however become complicated when, for example, an IT system is owned by multiple business units and its failure will affect multiple units.
The general rule would mean that each business unit owns “IT failure” risk and if material, should be included in that business units risk registers and assessed. The practical problem is that we have substantially the same risk recorded and assessed in multiple business units. This may be valid, if for example, each business unit uses the system for different purposes and / or rates the risk differently due to it having different effects on each business unit’s objectives. If however, the risk is substantially the same in each business unit, it may make more practical sense to consolidate the risk in terms of identification, assessment and management back in the IT department. If this is done, it makes managing the risk easier. However, we have to be clear that:
This can be practically handled as follows:
In terms of control ownership, this should lie with whichever department is responsible for the performance of the control. Where a control has multiple owners, each owner must clearly understand what part of the control they are responsible for, otherwise responsibility will be lost between the cracks.
If you would like to know more about how Protecht can help you develop methodology and policy around your ERM framework and practically support the process with Protecht’s leading ERM software, please contact email@example.com
Author of 'A Short Guide to Operational Risk', David Tattam is an internationally recognised specialist in all facets of risk management, particularly at the enterprise level. His career includes many years working with PwC, as well as two Australian banks. His achievements include the creation of the Middle Office (Risk Management Department) for The Industrial Bank of Japan in Australia and the complete implementation of all Australian operations, systems, procedures and controls for Westdeutsche Landesbank (WestLB).
There are no related posts