Risk Owner

A Risk Owner is the single named individual accountable for a particular risk on a risk register. The role is not to eliminate the risk — many risks cannot be eliminated — but to ensure the risk is actively managed: monitored for changes in probability or impact, mitigated where possible through agreed actions, escalated when circumstances change materially, and reported through the governance cycle with accurate status. A risk without a named owner is, in practice, a risk that no-one is managing.

Risk ownership has specific requirements to be meaningful. The owner must have sufficient seniority and authority to take or authorise the mitigation actions within their scope. A risk owned by a junior team member who cannot influence the mitigation is nominally owned but practically orphaned. The owner must also be close enough to the risk to detect changes early — typically someone with day-to-day visibility of the relevant area rather than a senior figure who sees risk only at monthly review.

Common risk-ownership failures on UK infrastructure programmes include: collective ownership ("the delivery team" rather than a named individual), ownership by people who have since left the project, ownership by people who cannot authorise the mitigation budget required, and ownership at the wrong level (too senior to notice changes, or too junior to act). A well-run risk register is audited for these conditions on every update cycle, with ownership reassigned where the current allocation is not working in practice.