Is the role of the risk owner foreseen in your organization? Most probably it is. Do you know what the responsibilities and the authority of a risk owner are? Of course, you do. Where are those described? Wait a second, it has to be somewhere in those documents…
Chances are that you won’t find a clear description of this role, though it might be the most important role in risk management. Strangely, even when you look in the standards and the academic literature, you will be hard-pressed to find a clear description of it.
It should therefore come as no surprise that risk management does not work the way it should when the role of its most prominent advocate remains vague. Most people believe they know what this role is all about, so there seems to be no need to write it down clearly. The same could be said of, for example, the role of ‘project manager’, yet for that role we usually find detailed, formal descriptions of authority, responsibilities and so on without any difficulty.
In my experience, most people have a wrong impression of the role of the risk owner. Somehow it seems to be a role nobody really wants to be in. Is he the one to blame when the risk materializes? Is he responsible for preventing it? Is he the one who has to find all the mitigation actions? Or the one who has to implement them, or at least follow up on them? From what I have seen, I have the impression that most of the time the answer to all of these questions is ‘Yes’, or at least ‘most probably’. Clearly, no one would like to fill such an all-embracing role, so most of the time it sticks with the project manager. I mean, he is responsible for the project, so he should be responsible for all its risks – that means he is the risk owner, isn’t he?
That argument falls a little short: the risk owner should be the one who has the highest interest in the risk being treated correctly, and who has the right level of authority to treat the risk accordingly. This is not always the project manager.
The first step in deciding who the risk owner really is should be to define (formally) what his authority and responsibilities are. One possible approach could be:
- Risk Owner
  - Has the ‘ultimate’ authority to decide whether the risk can be taken or not
  - Decides on the risk mitigation strategy (i.e. accept, treat, terminate)
  - Grants resources / budget for mitigation actions
  - Allocates and owns ‘risk reserves’
In addition, it is quite useful to define a second role, the risk response owner:
- Risk Response Owner
  - Implements the risk management strategy as defined by the Risk Owner
  - Defines the concrete mitigation actions
  - Follows up closely on the risk status and reports to the Risk Owner
Of course these bullet points need to be detailed much further and adapted to the actual business context your company works in. However, they should serve as a good starting point.