“Give Me A Break” — Keeping “Risk” Analysis Simple


Sometimes lawyers get a bad rap. We are always accused of making things more complicated in an attempt to protect our “guild” mentality. Sometimes the criticism sticks and sometimes it does not. It really depends on the issue and the specific concerns.

If you want to see self-promotion, confusion and complication in action, all you need to do is focus on the “risk management” or “enterprise risk management” industry. At the core of this so-called “expertise” is the ability to identify, prioritize and respond to organizational risks. As my old favorite sportscaster, Warner Wolf, used to say – “Come on, give me a break!”

Companies that create these so-called “risk experts” are wasting money, time and resources. This so-called ERM fad is nothing more than another way to complicate what should be a simple process. It also diverts corporate energy and corporate governance from focusing on the “real” issues, and from tackling the tough inquiries which are needed for effective decision-making.

Corporate governance is difficult enough without over-complicating risk analysis. I have never – and I mean never – seen effective corporate governance which resulted directly from the work of a risk manager.

My model and suggested framework for effective risk management is based on two principles: simplicity and clear definitions of responsibility. Here is what I mean:

Identifying and measuring risk should be the responsibility of the subject matter experts.

The chief compliance officer should identify and manage legal and policy compliance risks for the organization. It is the CCO's job to prioritize and manage those risks, supervise company actions to reduce these risks, and report to the Board and senior management on these risks.

The chief financial officer should identify and manage financial risks, both internal and external, which may impact the organization. The external financial risks include the overall economic climate in the relevant markets and potential new markets, the economic forecast and other relevant issues which impact the financial performance of the company. The internal financial risks relate to the ability of the company to sell its products and services, the costs of such operations, and the surrounding internal risks which exist in the company’s overall operations.

The chief information officer should identify and manage external and internal information security and operational issues which could impact the organization. The external information management issues should focus on cybersecurity and other unauthorized intrusions into the company’s information systems.

The internal risks for information security and operations relate to internal actions which may cause a data breach, poor information system performance or non-compliance with data retention policies. In addition to these risks, the CIO needs to make sure the information system is operating efficiently, as needed by the organization, without any significant disruptions to information capabilities.

I am not so naive as to think that this is all that is needed to manage risk, or that there is no overlap in these risk management issues. My point is more illustrative and based on one guiding principle – every organization has a subject matter expert who should be responsible for identifying, prioritizing and managing relevant risks related to the specific function.

Companies need to adopt an important business principle – simplicity clarifies responsibility and enhances corporate governance. Company leaders who choose to avoid simplicity may be trying to escape responsibility, or to put it in more colloquial terms – “to pass the buck.”

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Michael Volkov, The Volkov Law Group | Attorney Advertising
