When the next major fraud happens in your organisation, when the ransomware message appears on every screen, a customer record is leaked, a regulator asks difficult questions, or a whistleblower reveals a scheme that has been running for three years, who owns the risk? Most organisations instinctively point to the Head of Risk. That answer is precisely the problem.
The most dangerous risk in modern organisations is the belief that risk belongs to somebody else. I learned this lesson during an investigation involving a mid-sized company in Kenya sometime in 2015. The company had a Risk Manager, policies, committees, quarterly reports, and colourful risk heat maps displayed during management meetings, yet it lost hundreds of millions of shillings through a fraud scheme that unfolded in plain sight. The strange thing was that nobody believed risk management was their responsibility. Everyone assumed somebody else was watching.
The court would later care less about the existence of policies and more about whether people actually followed them. That distinction is critical. Lawyers, judges and investigators understand it, but many executives do not. A policy is like a lock on a door, and the court wants to know whether anyone actually locked the door. That is where our story begins.
The company that had risk reports but not a risk culture
Picture the scene: a slightly overweight finance manager sits comfortably in his office. A tall operations supervisor manages field activities, a young IT administrator monitors systems, and a confident procurement officer approves suppliers. All competent people, experienced and hardworking, and yet collectively they created the perfect environment for a control failure.
Nobody intended to commit fraud. Instead, they created something more dangerous. They normalised risk: small exceptions became routine, minor policy breaches became accepted practice, and controls became administrative inconveniences. Soon nobody could distinguish between operational efficiency and control circumvention. That is exactly how most major losses begin, not with criminal genius but with organisational convenience.
Four lessons executives often miss
- Fraud rarely begins with theft but with tolerance of exceptions.
- Cyber incidents rarely begin with hackers. They usually begin with ignored warnings.
- Compliance failures rarely begin with bad people but with unclear accountability.
- Risk failures rarely originate in the Risk Department. They originate in everyday business decisions.
Imagine your organisation lost internet connectivity tomorrow morning. Ask every department to write down who would be responsible. Now compare the answers. The confusion you discover is your first risk assessment.
The invisible chain nobody investigated
During the investigation, something interesting emerged. The finance manager believed procurement performed supplier verification, procurement believed finance validated supplier legitimacy, IT believed finance reviewed transaction patterns, finance believed internal audit would identify anomalies, and internal audit believed management owned operational controls. Everyone had delegated responsibility; nobody had accepted ownership.
As investigators, we often call this the accountability vacuum. It is one of the most reliable predictors of organisational failure. Think about a road accident. The court does not simply ask who was driving. The court reconstructs the entire chain. Who maintained the vehicle? Who authorised its use? Who ignored warning signs? Who knew something was wrong? Who should have acted? The same principle applies in governance. Risk travels through chains of decisions, and losses occur when nobody examines the chain.
Four lessons from the accountability vacuum
- Risk ownership cannot be delegated completely.
- Every critical process requires a named owner.
- Controls without accountability are decorations.
- Risk registers become meaningless if managers never discuss them.
Activity
- Draw one critical business process.
- Use a flip chart.
- Identify every handoff point.
- Mark where assumptions replace evidence.
Those points represent future incidents waiting to happen.
The cyber lesson nobody saw coming
The company’s fraud investigation eventually uncovered a cybersecurity weakness. A seemingly harmless shared password had existed for years. Several employees knew it; nobody documented its use, reviewed access logs, or challenged the arrangement.
One day a suspicious transaction occurred. The organisation wanted to know who performed it, but nobody could prove anything. The digital evidence was contaminated before the investigation even started. This is where digital forensics becomes important. Courts love evidence that is reliable, preserved, and attributable. Courts dislike speculation.
A shared password destroys attribution. Once multiple people use one account, proving who performed an action becomes extremely difficult. That is a detail many organisations overlook. The incident itself may be recoverable, but the evidence may not be.
Four digital risk realities
- Convenience often defeats security.
- Shared accounts destroy accountability.
- Logs become critical evidence after incidents occur.
- Evidence preservation starts before investigations begin.
Why risk training changes everything
Many organisations train people on procedures. Very few train people on judgement. That difference matters. During interviews, the tall operations supervisor made a revealing statement: “I thought somebody else was checking.” That sentence explained the entire failure.
Risk culture training teaches people to think differently. Instead of asking, “Is this my job?” people begin asking, “What could go wrong?” Instead of asking, “Who approved this?” people begin asking, “What evidence supports this?” That shift appears small, yet it transforms organisations. The best risk cultures create thousands of human sensors. Employees become active participants in protection rather than passive observers.
Outcomes of effective risk culture training
- Employees recognise warning signs earlier.
- Managers escalate concerns faster.
- Teams challenge unusual activity constructively.
- Accountability becomes part of daily operations.
Why spreadsheets cannot win this battle
Now let us address an uncomfortable truth. Most organisations still manage risk using spreadsheets, emails, and disconnected reports. That approach worked twenty years ago, but it struggles today. Modern organisations generate too much complexity: too many systems, regulations, stakeholders, and threats.
Risk information becomes fragmented. A procurement issue sits in one spreadsheet, a cyber issue sits in another, an audit finding sits in a PDF, and a whistleblower report sits in an email. Nobody sees the complete picture. This is precisely why technology matters, not because technology eliminates risk, but because technology democratises risk management.
How MelaGRC changes the conversation
One of the strongest lessons from investigations is that visibility changes behaviour. When risks become visible, ownership improves. When ownership improves, accountability strengthens, and when accountability strengthens, losses decline.
MelaGRC addresses a challenge that many organisations face. It moves risk management from a specialised function into a shared organisational capability. The board can see strategic risks, executives can monitor emerging threats, department heads can track action plans, employees can report incidents, internal audit can validate controls, and compliance teams can monitor obligations. Instead of risk flowing upward once a quarter, information flows continuously. That is a fundamental shift.
Strategic advantages of risk automation
- Risk ownership becomes transparent.
- Action plans become trackable.
- Incidents become visible earlier.
- Leadership gains a real-time view of organisational exposure.
Ask each executive to list their top five risks and then compare the lists. Now imagine a platform that consolidates all those perspectives into one view and tracks accountability automatically. That is the future of governance.
The lesson the court always teaches
After every incident, people search for the person responsible. The more important question is whether the organisation created conditions that made failure inevitable. That is where risk culture becomes decisive. The strongest organisations are not those with the most policies but those where people instinctively identify threats, escalate concerns, preserve evidence, challenge assumptions, and take ownership.
Risk is no longer a department, a quarterly report or a compliance exercise; risk is now a daily behaviour. In a world of cyber threats, fraud schemes, regulatory scrutiny, artificial intelligence, insider risks, and digital transformation, every employee has become a risk manager whether they realise it or not.
The organisations that thrive in the next decade will not necessarily have the biggest budgets or the most sophisticated systems; they will have something far more valuable: a culture where everyone understands that risk belongs to all of us, and technology platforms such as MelaGRC that ensure responsibility is visible, measurable, and impossible to ignore. That is not merely good governance; it is becoming a competitive advantage.