
Author: Jeremy Gledhill leads enterprise-wide risk, insurance, internal audit and resilience across the Citywide Group (Australia), operating as a trusted adviser to the Board, Audit and Risk Committee and Executive team. Jeremy is an enterprise risk and resilience leader with 20+ years’ experience across regulated, asset-intensive environments spanning manufacturing, infrastructure and public sector organisations. He is recognised for advising Boards and Executives on enterprise risk posture, insurance exposure and assurance, and for embedding practical risk frameworks that strengthen governance and operational resilience.
Modern organisations continue to pursue the comforting illusion that every major risk can be assigned to a single accountable owner, and it is understandable why. Clear ownership supports governance, simplifies reporting, and creates the appearance of control. Boards, Regulators, and Executives all want to know who is accountable when something fails.
In complex systems, risk rarely behaves in a way that aligns neatly with organisational charts. Operational resilience failures, cyber incidents, project overruns, compliance breaches, and service disruptions are seldom caused by a single isolated decision. More often, they emerge from the interaction between teams, processes, technologies, vendors, incentives, and assumptions that individually appear reasonable but collectively create fragility.
This creates an uncomfortable tension for Risk leaders; traditional governance models are built around discrete ownership:
- One process owner.
- One accountable executive.
- One escalation pathway.
Yet the risks that matter most increasingly sit in the spaces between these structures:
- The handover between operations and technology.
- The dependency between procurement and third-party vendors.
- The assumptions embedded between strategy and delivery.
- The trade-offs made locally that create unintended consequences systemically.
These are not failures of individual accountability; they are failures of interaction. As Risk Professionals, we need to evolve how we think about accountability in complex environments. Accountability still matters; clear decision rights, defined responsibilities, and escalation mechanisms remain essential. Without them, organisations drift into ambiguity and diffusion of responsibility. However, singular accountability alone is no longer sufficient.
A process can have an owner and still fail because its dependencies were poorly understood. A risk can appear “managed” while hidden vulnerabilities accumulate across interconnected functions. An executive can meet every governance obligation while the broader system becomes progressively less resilient. This is why mature risk management increasingly requires a shift from ownership-centric thinking to relationship-centric thinking.
The key question is no longer simply “Who owns this risk?” Instead, it is “How do the interactions within this system create or amplify risk?”
That shift changes the role of risk functions significantly. Rather than only validating controls and accountability maps, risk leaders must also examine:
- Cross-functional dependencies.
- Friction points between teams.
- Misaligned incentives.
- Communication breakdowns.
- Concentrations of operational reliance.
- Areas where assumptions are not shared or tested.
This means risk management becomes less about static structures and more about understanding dynamic relationships. Importantly, this is not an argument against accountability. It is an argument against oversimplification.
When organisations force complex, interconnected risks into overly simplistic ownership models, two dangerous outcomes often emerge. Firstly, false certainty develops. Leaders assume that because a risk has an owner, it is adequately controlled. Secondly, invisible gaps form between functions where no one is explicitly accountable for how the system behaves as a whole.
The organisations that manage complexity best are not necessarily those with the most detailed governance frameworks. They are often the ones that recognise complexity honestly and build strong connective capability across the enterprise.
That requires relationships, not just reporting lines. It requires collaboration across boundaries, transparency around dependencies, and cultures where teams understand that resilience is collective. Because in complex systems, accountability is always shared — whether governance frameworks acknowledge it or not.