Skip to main content

Risk Owner

Short Description

A risk owner is the party that is the owner of the objective to which the risk is associated.

The owner of a risk that is associated with an objective must be the party that owns that objective, and vice versa, because ownership implies the authority (rights and duties) to realize the objective, which in turn implies the authority to manage the associated risks. Of course, as all owners are parties, a risk owner may mandate actors to execute the actions that are necessary to manage a risk, but that does not relieve the party from its ownership (and facing possibly associated consequences). In fact, the objective of mandating risk management activities may come with risks which are often overlooked.

Networked Risk Management (reference needed) exploits the fact that the owner of a risk and the owner of the associated objective are one and the same party, the fact that in human beings are often not aware of the risks they run, and the observation that important risks often manifest themselves in feelings of insecurity or anxiety/tension, abdominal pain, sleepless nights, or other types of physical discomfort (the degree of which can be seen as the associated risk level). Noticing that a person shows signals of physical discomfort can be used as a trigger for an activity, the result of which is that the associated objective is identified (and made explicit), so that it can be analyzed, evaluated and treated (see risk-management).

Purpose

Knowing who owns a risk is knowing who is accountable when something goes wrong. When the associated objective is also identified, the risk can subsequently be managed.

Formalization

In the context of the eSSIF-Lab framework (way of thinking), the definition can be explained by observing that there is an ownership relation between the party and the risk that is associated with any objective that it owns. Determining that such a relation exists can be verified by applying its definition, and observing that:

  • the party is a jurisdiction (as explained here),
  • both the party itself and the risk are known to that party and hence qualify as legal entities for that jurisdiction;
  • parties (un)consciously create, maintain and enforce rules (policies) for identifying, assessing and treating uncertainties in (the effects of) their objectives - which are the risks associated with such objectives, which is equivalent with saying that within their jurisdiction, the legal system (a) defines their rights and duties "to enjoy, dispose of and control" these risks, (b) enforces them - i.e. manage them, and (c) provides a means to settle disputes - i.e. determine which of the various ways to control or treat risks must be followed.