3 Risk ownership in a matrix business
As discussed previously, many businesses today operate a matrix structure. Put simply, this means that the typical employee has two reporting lines: one to the business unit in which they work and another into the function to which they belong.
Businesses that operate in such a fashion need to design their risk systems carefully to avoid duplication of effort or, potentially worse, a situation where no one feels accountable for managing a risk because it is always someone else’s job.
The typical approach to avoiding these issues is as follows:
- Risks are owned by the part of the organisation that suffers the consequences of (or gets the benefit from) the risk. This will typically be a business unit.
- This does, however, leave one remaining issue: how to deal with risks that arise from the same root cause (e.g. failure of a common IT system) and impact more than one business unit?
- Here functions can play a key role. By aggregating the impact of the common root cause across multiple business units, risks can be properly assessed and prioritised accordingly.
- Functions have a role in breaking down silos. As discussed earlier, the company management team often see across multiple business units and as such are well placed to identify hidden risks (often risks identified by one business unit but not by another), set standards for managing certain types of risks (e.g. safety and compliance risks) and share best practice.