As risk managers, we spend a lot of time working out how to get things done.
After all, the risk assessment is just the start of the process. Once you’ve identified your risks and worked out how to address them, you need to get down to work: then the actual management part begins.
Determining ownership for many risks will be relatively straightforward and departments will often fight very hard to maintain ownership of risks that fall within their remit.
(This is why we also need good governance. Even though the subject matter experts (SMEs) are often best placed to manage the risks, there are other incentives and biases at play, so additional oversight helps keeps things on track.)
However, there are always some risks that are left behind.
- Sometimes the owner isn’t as clear cut.
- Sometimes, it’s because no-one wants to take on the really thorny, sensitive issues that might create your most significant risks.
- Sometimes people don’t feel as though they have the capacity.
This is the point where everyone in the risk committee will be shuffling their papers, avoiding eye contact, or having to drop off the call ‘because something urgent just came up.‘
Occasionally, someone will throw you a lifeline. A senior manager could push the risk to the appropriate, albeit unwilling, department, or someone might step up and take ownership.
Unfortunately, more often than not, you just have to accept that the music has stopped and you are left holding the parcel.
At this point, you have several options, including rage, tears, appeals to people’s better natures, and faking illness. However, these seldom work (believe me, I have tried or at least contemplated all of these).
Instead, I’ve now come to embrace the challenge and call to mind a phrase that someone taught me a few years back.
So even when it’s not your problem to unpick, it’s better just to grit your teeth, grab it with both hands and get to work. Otherwise, it’s not going to get done, and as the risk manager, the buck does stop with you.
Even though your job isn’t to manage every risk, it is to see that every risk is managed.
At least this way you know that someone (you) is going to take this seriously and address the risk thoroughly, which is better for you and the organization.
So when wondering who’s going to pick up that nasty little problem everyone’s pretending not to see, just think, “If not me, who? And if not now, when?”, grab it, and move on.