Simply put, ownership should never be the issue; accountability is what drives results.
For some time now various corporate function heads, from internal audit, to legal, to finance, to planning and others have maintained they should own risk management. A good case can be made for each, but the culture of the company is the key driver that defines this decision.
While culture should drive such a decision, I suggest it's more important to subordinate ownership to the key strategic objectives necessary to succeed. Defining the mission, outlining those objectives and specifying key tactics is what should really matter. Accountability for related results is key.
I would be na´ve to ignore the impact of corporate politics and control. The control issue especially drives so much behavior in the corporate world, often to the point of dysfunction. Leveraging these facts provides a solution. All these leaders and others need a seat at the table. In fact, each function plays a crucial role in deploying a truly integrated approach to managing risk. So much failure in this space has been a function of not involving all the right functionaries.
Let's face it; most organizations today have had to find a way to leverage the matrixed reality of their corporate structures. These have become a common form of organization as a result of the realities of operating in an increasingly resource constrained environment. Dealing effectively with matrixed functions has become critical to succeeding in today's corporate environments.
The risk of pursuing the single ownership model is the risk of leaving key players on the sidelines. However, driving these strategies with all the key functionaries, while more complex and requiring much greater patience, will get you to a more effectively designed program and a greater likelihood that the output will be what is truly useful. That is where the rubber meets the road in any program.
So why not pull the right stakeholders together for this purpose. Who are they? They are: operations, who typically own so many of the key risks that need attention; compliance leaders, especially in heavily regulated organizations; process engineering leaders who can contribute to the efficiency of risk assessment designs; lawyers, whose counsel you must have to ensure you're operating in a safe zone relative to your litigation exposure; finance leaders, whose accountability for the money, is ultimately how risk impacts are valued and accounted for; controllers, if your organization like mine has a SOX or SOX-like commitment to get financial reporting risk assessment designed into other operational risk assessment methods; technology leaders, especially when you're business may be heavily dependent on IT infrastructure; and others too numerous to mention.
The point is, risk is everywhere and an aspect of most business decisions. That means many subject matter experts are critical to good risk decision making. So put aside the debate; move the focus from your personal aspirations for power and control and recognize the only way your program can succeed is through a truly cross functional representation of relevant expertise in each element of executing your plan.
CHRIS MANDEL is the enterprise risk manager for a leading financial institution and a former president of the Risk and Insurance Management Society.
May 1, 2009
Copyright 2009© LRP Publications