Sharing Risk while avoiding a Blame Game


Responsibility and Accountability in Risk Governance

My previous post highlighted governance issues associated with multiple parties sharing certain risk management responsibilities around the disembarkation of passengers from the Ruby Princess, at a time when COVID-19 infections were on the rise. The importance of establishing shared understandings about the risk perspectives of affected and involved parties was highlighted, along with enhanced coordination and communication.

In this further reflection on the theme of ‘boundaries, borders and bridges’ (referenced in the previous post), the issues of third party risk for non-profit organisations are in focus.

Third Party Risk

Third party risk relates to hazards arising from your relationships with contractors, service providers, and joint venture partners. Some part of their risk inventory intersects with yours (crosses your boundary), and as illustrated in the header image above, this means people in each organisation share certain responsibilities. Comment on the RACI ‘bridge’ which spans the shared responsibility space appears below.

When engaging contractors or tendering for services, risk is a central concern of the selection process, and associated due diligence activities. Service standards, including risk controls and escalation measures, will usually be documented in the contract or service agreement. For potentially serious and catastrophic risks, more care needs to be taken to align expectations of those performing key roles, as the ‘cracks’ and ‘gaps’ often occur in the grey zone where the two entities have overlapping responsibilities.

Project Managers have developed useful measures to manage risk in projects involving contributors from more than one organisation, or from multiple functional areas within a larger organisation. They use the RACI model of assigning responsibility and accountability, identifying who needs to be consulted before a decision or action is taken, and who needs to be informed afterwards. This model can also be usefully applied to any third party relationship in which the allocation of risk management roles and responsibilities needs to be clear.

The nature of each of the roles in the RACI model is outlined in the image below, and the distinctions between each must be well understood if finger pointing is to be avoided following an adverse incident. Distinguishing between responsibility and accountability is often an issue. We can see ample evidence of that in the NSW and Victorian COVID-19 inquiries.

The chart below illustrates how each of the four roles could be assigned to the steps and tasks involved in managing a shared risk, and includes some useful notes from the authors at simplilearn.com.

Advocacy Partners and Allies

Some partnerships will be subject to formal agreements, and in that sense the risks involved are similar to those shared with contractors and service providers, especially where they are acting in your name.

Other alliances are somewhat informal, especially where the focus of the relationship is an advocacy campaign. Agreeing to issue a joint media release, or to authorise use of your logo alongside others on a joint submission or poster, are not in the same league as going into business together to deliver a service to a target group of members or consumers. Understanding each other’s risk appetite and sensitivities is nevertheless important to such an alliance.

Often the key issues to be considered are the ‘no-go’ zones, on which there are known differences of opinion or policy. These will be avoided during the course of the campaign, and neither party will imply the agreement or support of the other, when in fact they hold different views. The emphasis is on areas of agreement, not difference. A breach of this commitment would not only damage the campaign, but would probably inhibit any future alliance.

Federated risk

The coordination of risk management within a federated structure (still used by many associations) has some similarity to third party shared risk governance. As there are also other issues involved, however, I will reserve comment on these for a future post.
