Why “Everyone Owns Risk” Usually Means No One Does

Risk management works when ownership is specific, visible, and linked to decision-making and action.

What “risk ownership” actually means

A risk owner isn’t the person who updates the risk register. The owner is the person accountable for ensuring the risk is managed within agreed tolerance, and for making (or escalating) decisions when it isn’t.

Put simply: the risk owner monitors the risk and acts when it changes.

Why risks end up with no owner

  • Ownership is assigned by role, not accountability (e.g., “IT owns supplier risk” while procurement controls the supplier relationship and contract).
  • The assigned owner lacks authority to influence the key risk drivers due to limited decision rights, budget, or control ownership.
  • Risk responses are passive (“review”, “monitor”, “consider”) rather than defined actions with accountable outcomes.
  • Risks aren’t clearly linked to objectives or services, weakening accountability for impact and performance outcomes.
  • Governance is unclear, including what must be escalated, when, and to whom.

Choosing the right risk owner

Use three tests. The right risk owner is the person who can:

  1. Influence the risk drivers: they can change the conditions that affect likelihood or impact.
  2. Approve or secure resources: they can fund mitigation, prioritise work, or obtain the capacity required.
  3. Accept or escalate the risk: they can formally accept exposure within tolerance, or escalate when it exceeds tolerance.

If you can’t answer “yes” to at least two of these, you probably don’t have the right owner.

Ownership vs actions: don’t confuse the two

It’s common (and sensible) for a risk owner to delegate actions, but not ownership.

  • Risk owner: accountable for the risk and decisions about how it’s managed.
  • Action owner: responsible for delivering a specific mitigation or control improvement.
  • Control owner: responsible for operating a control on an ongoing basis (where applicable).

When those roles blur, the register fills up but the risks don’t move.

What “good” accountability looks like

A well-owned risk has:

  • a named owner with decision rights
  • a clearly defined and understood objective or service at risk
  • measurable triggers or indicators that signal change
  • defined actions with owners and due dates
  • a clear tolerance boundary so you know when escalation is required
  • a review cadence that matches how quickly the risk can change.

A quick self-check for your organisation

Pick your top 10 risks and ask:

  • Can each risk be traced to a specific objective or service?
  • Is there a single, named risk owner for each?
  • Does the owner have authority to influence the key risk drivers?
  • Are actions written as deliverables (not “monitor/review”) with owners and due dates?
  • If the risk worsens tomorrow, is it clear what happens and who decides?

If any of those answers are “no”, you’re not alone, but you are exposed.
