“Give Me A Break” — Keeping “Risk” Analysis Simple


Sometimes lawyers get a bad rap.  We are always accused of making things more complicated in an attempt to protect our “guild” mentality.  Sometimes the criticism sticks and sometimes it does not.  It really depends on the issue and the specific concerns.

If you want to see self-promotion, confusion and complication in action, all you need to do is focus on the “risk management” or “enterprise risk management” industry.  At the core of this so-called “expertise” is the ability to identify, prioritize and respond to organizational risks.  As my old favorite sportscaster, Warner Wolf, used to say – “Come on, give me a break!”

Companies that create these so-called “risk experts” are wasting money, time and resources.  This so-called ERM fad is nothing more than another way to complicate what should be a simple process.  It also diverts corporate energy and corporate governance from focusing on the “real” issues, and tackling the tough inquiries which are needed for effective decision-making.

Corporate governance is difficult enough without over-complicating risk analysis.  I have never – and I mean never – seen effective corporate governance which resulted directly from the work of a risk manager.

My model and suggested framework for effective risk management is based on two principles: simplicity and clear definitions of responsibility.  Here is what I mean:

Identifying and measuring risk should be the responsibility of the subject matter experts.

The chief compliance officer should identify and manage legal and policy compliance risks for the organization.  It is the CCO’s job to prioritize and manage those risks, supervise company actions to reduce them, and report to the Board and senior management on them.

The chief financial officer should identify and manage financial risks, both internal and external, which may impact the organization.  The external financial risks include the overall economic climate in the relevant markets and potential new markets, the economic forecast and other relevant issues which impact the financial performance of the company.  The internal financial risks relate to the ability of the company to sell its products and services, the costs of such operations, and the surrounding internal risks which exist in the company’s overall operations.

The chief information officer should identify and manage external and internal information security and operational issues which could impact the organization.  The external information management issues should focus on cybersecurity threats and other unauthorized intrusions into the company’s information systems.

The internal risks for information security and operations relate to internal actions which may cause a data breach, poor information system performance or non-compliance with data retention policies.  In addition to these risks, the CIO needs to make sure the information systems operate efficiently, as the organization requires, without any significant disruptions to information capabilities.

I am not so naive as to think that this is all that is needed to manage risk, or that there is no overlap among these risk management issues.  My point is more illustrative and based on one guiding principle – every organization has a subject matter expert who should be responsible for identifying, prioritizing and managing the relevant risks related to that specific function.

Companies need to adopt an important business principle – simplicity clarifies responsibility and enhances corporate governance.  Company leaders who choose to avoid simplicity may be trying to escape responsibility, or to put it in more colloquial terms – “to pass the buck.”

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Michael Volkov, The Volkov Law Group | Attorney Advertising
