Who owns risk?
This question has been debated during much of my tenure in the risk management profession. Unfortunately, I often hear that the Risk Management department "owns" risk. In this article, I aim to tackle and dissect this misconception and suggest a tool to help clarify roles and responsibilities.
Misconceptions and impacts
Is it the title of the department? Is it because leaders want one single point of accountability (especially when something goes awry), or is it because risk management is erroneously confused with a compliance function?
To make sure I was not alone in my thoughts, I asked some Large Language Models (LLMs) to confirm whether my thoughts were on track. Surprisingly, the results echoed my sentiments.
Unfortunately, misunderstanding roles concerning risk management can create confusion, but more importantly, holding an erroneous belief can impact an institution's finances and reputation. Viewing risk through a "one-dimensional" lens rather than enterprise-wide can lead to blind spots, increase institutional risk exposure, and, in the worst cases, lead to less informed decisions that can potentially derail an institution's mission.
This is why senior leadership, boards, and fiduciaries must understand their role and that the ultimate oversight of their institution's risk strategy falls within their realm. Boards and fiduciaries must be active participants and not sit on the sidelines. Board input and engagement are essential to guiding an organization's risk management strategy.
So who owns the risk?
The answer is "all of us". Risk management is too broad a function to restrict to one person or department. Assessing potential threats and opportunities is an enterprise-wide responsibility that transcends institutional hierarchies and job functions.
For example, the Risk Management department cannot control or even know all institutional risks. Believing that risk management responsibilities belong to a single role or are a "department problem" is short-sighted. Regular conversations must be cross-functional and supported from the top down and across the institution. To be effective, a conversation about risk management must also go beyond a once-a-year PowerPoint presentation. A risk management program requires enterprise-level accountability to be successful. As mentioned in my earlier posts, we are all risk managers, and this is a truth that must be embraced in higher education. Risk management must be proactive and viewed in the long term, not just the short term.
So what can be done?
A RACI matrix can be a helpful tool for managing risk. For those unfamiliar with it, the RACI matrix is often used in project management to define roles and responsibilities. A RACI outlines the roles of key stakeholders as Responsible, Accountable, Consulted, and Informed. Using a RACI, institutions can better engage business units and increase accountability. The tool can help clarify roles, create transparency, and foster cross-functional collaboration, all key tenets of a risk management strategy.
For example, the Risk Management department is "Responsible" (R) for developing risk methodologies, conducting risk assessments, implementing risk reduction controls, and reporting.
Senior leadership and boards are "Accountable" (A) for setting the risk appetite and the overall risk strategy. Boards and fiduciaries must understand that risk management is a part of their institution's strategy and mission, not peripheral but essential.
Other cross-functional leaders, such as Legal, may be involved in the "Consulted" (C) role, while other units, like Audit, should be "Informed" (I) about risks and mitigation efforts.
Bottom line
We are all risk managers. While the Risk Management department can facilitate and coordinate risk identification and build frameworks and processes, individual business units and leaders are also responsible for managing risks within their domains. Boards and fiduciaries support risk management from the "top down" and set the fundamental governance strategy across the institution.
Managing risk is a shared responsibility.
Effective risk management requires collaborative ownership across the entire organization. So, why does this misconception still exist? Have something to add? Share your thoughts on LinkedIn.