A previous note offered a quarterly executive risk review as a simple and pragmatic way to start a risk management program. A risk review fits naturally into the agenda of the quarterly business review, and it lays a good foundation from which to evolve a risk management program of whatever sophistication and at whatever pace is desired.
The first
thing that will come out of the risk review is, “What do we do now to manage
our top risks?” A future note will
explore the four general methods of treating risk. But first we’ll look at the pros and cons of willful
ignorance.
There may be a strong
inclination to turn a blind eye to some risks.
You may feel that there are some things you do not want to “know” – in
quotes because of course you are
aware, but you do not want evidence to be created that could come back to haunt
you. Somebody could find that document
and require you to address the risk, or worse accuse you of negligence, because
there is evidence that you knew of a risk, or should have known, and did
nothing about it.
Management can take a willful-ignorance approach. But let’s look at the balance sheet.
There are a few points on the plus side. The executive may have plausible
deniability for a time, and gain some time to address many other pressing
issues first. She or he may even get
away with doing nothing indefinitely. In
a fledgling enterprise, the executive may calculate that it is more important
to establish that the business is viable than to manage certain risks. If there is no business, risk doesn’t matter.
There are more
points on the minus side. The trend in
the investment, risk management, and regulatory environments is toward less
patience with ignorance of risk. All risk
management frameworks require regular executive review of risk. It is an important part of corporate
governance. Big customers and regulators
will demand a risk management program. Investors
too want to understand their risk before committing funds to your enterprise,
and cyber risk is now prominent in everybody’s awareness. Especially bankers!
Furthermore, it may
not make good management sense to ignore a risk. Most risks do not get better with time, and
some can blow up to jeopardize the very existence of the company. Imagine a breach of confidential data just
when you are trying to sign that first marquee customer. Finally, there is value in being able to
sleep at night, and knowing what your problems are is better than worrying
about what they may be.
Turning a
willful blind eye to a risk -- “rejecting” it -- is not the same as knowingly accepting a
risk, which may be the best way to treat it.
It is management’s decision whether to treat or reject a risk, but
rejecting is not a winning strategy in the long run.
No comments:
Post a Comment