The Process Ownership Conundrum
By Evan Stos
As I work with clients to implement various business processes in Onspring, I often encounter questions of “ownership.” I realize that ownership in itself is a fairly broad term, so allow me to elaborate: The “ownership conundrum” can exist at both the macro and micro level.
The most common macro-level examples are as follows:
- Who will own the relationship with Onspring? Essentially, who are our internal Onspring “champions”?
- Who will serve as our Onspring system admin(s)?
Now, I lead with the macro-level ownership conundrum because organizations are usually pretty quick to suss this out. In the case of the first bullet above, replace the words “pretty quick” with “very quick.” Management often steps forward to champion the Onspring platform because, when the value of the tool is demonstrated to the wider organization, they are normally the first to be recognized…and who doesn’t desire positive recognition for the work they’re doing?
As for the second bullet, I’ve seen situations where the individuals who have been named the internal system admins are ready and raring to go. I’ve also seen situations where the appointed person is more of a deer in headlights. “System admin? Me? In this tool I know nothing about? I can’t own this…what if this doesn’t go smoothly?!” This is where I typically play more of a counselor than a consultant, assuring them that we have a wide variety of training and services offerings, along with admin functionality that’s intuitive for non-technical people.
The micro-level example list is even more concise:
- Who owns specific pieces of content within Onspring, such as a “Risk Owner” for a particular record in the Risk Register or a “Policy Owner” for a specific company policy record?
When our customers are establishing ERM and Policy Management programs within Onspring, the question of “who owns these risks/policies/controls?” comes up time and time again. Unfortunately, unlike the macro-level items, finding the right people to own process-level or content-level items can be quite challenging. In many ways, it reminds me of trying to catch my 2-year-old son when he knows it’s bedtime. People aren’t usually champing at the bit to own these types of items.
The bottom line is this: Ownership can be a scary thing to your internal stakeholders, especially when it comes to risks and controls. Essentially, you’re telling someone to own something that can be directly tied to a potential organizational threat. I understand the consternation involved. It’s only human nature to avoid things that could potentially make us look unfavorable.
However, the advice I offer to those nervous about being a newly minted risk/policy/control owner is this: Yes, you own something that, if not properly followed/tested/remediated/etc., could pose a problem to your organization. But rather than view that as a negative, view it instead as an opportunity. You can take the appropriate steps to ensure that:
- Your company’s exposure to the risk(s) you own decreases year over year due to effective mitigation strategies
- The control(s) you own are well-designed and properly tested on a timely basis
- The policy you own contains the most up-to-date language and scope and is reviewed and modified as your organization evolves over time
By taking those steps and constructing the right types of reporting—for example, a trending line chart that shows how your control has been tested and deemed effective for several years or that your risk has gone from very likely, to likely, to not very likely to occur—a very clear case can be made regarding the net positives you’re providing to your organization. And this can only lead to…you guessed it…favorable recognition!