Who owns your risk management function?
For many companies this seemingly simple question is difficult to answer. For those lucky enough to have an enterprise risk management function, the answer would seem obvious, but for others this is a key challenge. Once the question of corporate governance is clarified, there is still the issue of operational delivery ownership. In many companies, the overall delivery of risk management is scattered across the entity.
Corporate and strategic risks may be centralised within the senior management and executives of the company, but tactical and operational risks may be delegated into the different business units where specific expertise of that particular product or service is required. Access Risk is often deemed to be a problem for the IT team, but should normally be owned by the business units.
With risk information being captured in different ways depending upon the different risks or teams managing them, there is a requirement for a risk repository and the associated data management and reporting processes alongside it. So who pays for that? In my experience, although the ownership may be a risk management team, the operational costs are still borne by IT and support teams.
Regardless, there is likely to be a capital expenditure cost of implementation to be factored into the cost model for this. While it is an important point on the corporate governance agenda, it would have to work hard to stand up to an investment board against conflicting front-office proposals. Endorsement of the risk management solution would need to be advocated from all sides to gain approval, making it a far harder decision to influence.
As well as this, there are the operational risk management process activities to be considered, including impact validation, assessments, reporting and response management, all of which take significant amounts of time and effort to realise.
With more solutions being made available as a cloud or managed service, there is a significant opportunity to change the way in which software is deployed. Rather than having to fight for capital investment, there are more opportunities to use operational budgets for technology solutions. This could significantly transform the business cost ownership of risk. If risk management teams were able to invest in a solution as a service through their own operational budgets, they may be able to avoid the costly capital investment processes and implementation efforts as well as simplifying the ownership model.
For those companies that do not have central risk teams or where there is no central sponsorship for a central risk management solution, operational budgets become an increasingly appropriate mechanism. Business teams can use their op-ex budgets to take control of key risk management activities, therefore applying the ownership of risk to the business units which require it.