“Give Me a Break” — Keeping “Risk” Analysis Simple
Sometimes lawyers get a bad rap. We are always accused of making things more complicated in an attempt to protect our “guild” mentality. Sometimes the criticism sticks and sometimes it does not. It really depends on the issue and the specific concerns.
If you want to see self-promotion, confusion and complication in action, all you need to do is focus on the “risk management” or “enterprise risk management” industry. At the core of this so-called “expertise” is the ability to identify, prioritize and respond to organizational risks. As my old favorite sportscaster, Warner Wolf, used to say – “Come on, give me a break!”
Companies that create these so-called “risk experts” are wasting money, time and resources. This so-called ERM fad is nothing more than another way to complicate what should be a simple process. It also diverts corporate energy and corporate governance from focusing on the “real” issues, and tackling the tough inquiries which are needed for effective decision-making.
Corporate governance is difficult enough without over-complicating risk analysis. I have never – and I mean never – seen effective corporate governance which resulted directly from the work of a risk manager.
My model and suggested framework for effective risk management is based on two principles: simplicity and clear definitions of responsibility. Here is what I mean:
Identifying and measuring risk should be the responsibility of the subject matter experts.
The chief compliance officer should identify and manage legal and policy compliance risks for the organization. It is the CCO's job to prioritize and manage those risks, supervise company actions to reduce them, and report to the Board and senior management on them.
The chief financial officer should identify and manage financial risks, both internal and external, which may impact the organization. The external financial risks include the overall economic climate in the relevant markets and potential new markets, the economic forecast and other relevant issues which impact the financial performance of the company. The internal financial risks relate to the ability of the company to sell its products and services, the costs of such operations, and the surrounding internal risks which exist in the company's overall operations.
The chief information officer should identify and manage external and internal information security and operational issues which could impact the organization. The external information management issues should focus on cybersecurity and other unauthorized intrusions into the company's information systems.
The internal risks for information security and operations relate to internal actions which may cause a data breach, poor information system performance or non-compliance with data retention policies. In addition to these risks, the CIO needs to make sure the information system is operating as efficiently as the organization needs, without any significant disruptions to information capabilities.
I am not so naive as to think that this is all that is needed to manage risk, or that there is no overlap among these risk management issues. My point is more illustrative and based on one guiding principle: every organization has a subject matter expert who should be responsible for identifying, prioritizing and managing the relevant risks related to that specific function.
Companies need to adopt an important business principle – simplicity clarifies responsibility and enhances corporate governance. Company leaders who choose to avoid simplicity may be trying to escape responsibility, or to put it in more colloquial terms – “to pass the buck.”
Managing risk is everyone's responsibility. It is a key component of creating an effective culture of compliance. If we try and make it only one person's responsibility, like Michael mentions, we will be creating a single point of failure, and most know that does not reduce your risk in any way.
This is an ignorant rant. As an example of one of the many flaws in this article consider that the author talks about identifying enterprise risks and then, when he says who would do this, systematically ignores key risk types. Sure, he mentions IT, financial, and compliance/legal…what about key business risks that don’t fall in those buckets…strategy, competition, pricing, marketing, expense management, etc.
Thank you for your comment. While I am reluctant to share comments which use inflammatory language, I thought that sharing yours would hopefully focus on the substance of your comments. Unfortunately, I think you missed the point of my posting — everything you list in the potential “buckets” of information can easily be assigned to subject matter experts in the company. For example, a Chief Financial Officer would be able to address a number of your financial issues, a Chief Operating Officer, or Business Development Officer can easily handle many of the other issues. The question and need for simplicity is straightforward — someone within the company has to take ownership of a specific issue. That can easily be accomplished by assigning these matters to the subject matter expert. The creation of a “risk manager” is an impossible task, with little benefit, other than creating more bureaucracy and a person who can be blamed if something is missed by someone who should be held accountable. Rather than reacting with knee-jerk responses wrapped around inflammatory terms such as “ignorant” I would urge you to take a careful and focused look at current risk management practices and the need to streamline those practices to make them more effective. Obviously, given the recent financial miscalculations by numerous companies in the last 30 years, something is not being done right and so far risk managers have done very little to counter that trend.