“Give Me a Break” — Keeping “Risk” Analysis Simple
Sometimes lawyers get a bad rap. We are always accused of making things more complicated in an attempt to protect our “guild” mentality. Sometimes the criticism sticks and sometimes it does not. It really depends on the issue and the specific concerns.
If you want to see self-promotion, confusion and complication in action, all you need to do is focus on the “risk management” or “enterprise risk management” industry. At the core of this so-called “expertise” is the ability to identify, prioritize and respond to organizational risks. As my old favorite sportscaster, Warner Wolf, used to say – “Come on, give me a break!”
Companies that create these so-called “risk experts” are wasting money, time and resources. This so-called ERM fad is nothing more than another way to complicate what should be a simple process. It also diverts corporate energy and corporate governance from focusing on the “real” issues, and tackling the tough inquiries which are needed for effective decision-making.
Corporate governance is difficult enough without over-complicating risk analysis. I have never – and I mean never – seen effective corporate governance which resulted directly from the work of a risk manager.
Identify and measuring risk should be the responsibility of the subject matter experts.
Chief compliance officer should identify and manage legal and policy compliance risks for the organization. It is the CCOs job to prioritize and manage those risks, supervise company actions to reduce these risks, and report to the Board and senior management on these risks.
Chief financial officer should identify and manage financial risks both internal and external which may impact the organization. The external financial risks include the overall economic climate in the relevant markets and potential new markets, the economic forecast and other relevant issues which impact the financial performance of the company. The internal financial risk relate to the ability of the company to sell its products and services, the costs of such operations, and the surrounding internal risks which exist in the company’s overall operations.
Chief information officer should identify and manage external and internal information security and operation issues which could impact the organization. The external information management issue should focus on cybersecurity and other unauthorized intrusions into the company’s information system.
The internal risks for information security and operation relate to internal actions which may cause a data breach, poor information system performance or non-compliance with data retention policies. In addition to these risks, the CIO needs to make sure the information system is operating efficiently as needed by the organization without any significant disruptions to information capabilities.
I am not so naive to think that this is all that is needed to manage risk or that there is no overlap in these risk management issues. My point is more illustrative and based on one guiding principle – every organization has a subject matter expert who should be responsible for identifying, prioritizing and managing relevant risks related to the specific function.
Companies need to adopt an important business principle – simplicity clarifies responsibility and enhances corporate governance. Company leaders who choose to avoid simplicity may be trying to escape responsibility, or to put it in more colloquial terms – “to pass the buck.”