Risk isn’t Owned by a Department
Risk is often treated like it belongs to one person, one department, or one document. In reality, risk moves.
It moves from planning into scheduling. From scheduling into cost. From cost into pressure. From pressure into decisions. From decisions into people, performance, safety, quality, and reputation.
That is why organizations get exposed even when they technically have a process. The issue is not always that there was no risk assessment. The issue is that the risk assessment did not connect to how the work was actually being managed.
A risk register that is not understood by the people making decisions is just a document. A policy that does not influence behavior is just a file. A control that is not checked under pressure is not really a control.
Good risk advisory looks at how the business actually operates. Who makes decisions? Who has authority? Where does information slow down? Where do assumptions get passed around without ownership? Where is the company relying on people to just know?
The real risk is often the gap between what the company believes is controlled and what is actually happening.