Thursday, February 2, 2017

Ignorance of the Risk Is No Excuse


A previous note offered a quarterly executive risk review as a simple and pragmatic way to start a risk management program.  A risk review fits naturally into the agenda of the quarterly business review, and it lays a good foundation from which to evolve a risk management program of whatever sophistication and at whatever pace is desired.


The first question that will come out of the risk review is, “What do we do now to manage our top risks?”  A future note will explore the four general methods of treating risk.  But first we’ll look at the pros and cons of willful ignorance.

There may be a strong inclination to turn a blind eye to some risks.  You may feel that there are some things you do not want to “know” – in quotes because of course you are aware, but you do not want evidence to be created that could come back to haunt you.  Somebody could find that document and require you to address the risk, or worse, accuse you of negligence, because there is evidence that you knew of a risk, or should have known, and did nothing about it.

Management can take a willful-ignorance approach.  But let’s look at the balance sheet. 


There are a few points on the plus side. The executive may have plausible deniability for a time, and gain some time to address many other pressing issues first.  She or he may even get away with doing nothing indefinitely.  In a fledgling enterprise, the executive may calculate that it is more important to establish that the business is viable than to manage certain risks.  If there is no business, risk doesn’t matter.

There are more points on the minus side.  The trend in the investment, risk management, and regulatory environments is toward less patience with ignorance of risk.  All risk management frameworks require regular executive review of risk.  It is an important part of corporate governance.  Big customers and regulators will demand a risk management program.  Investors too want to understand their risk before committing funds to your enterprise, and cyber risk is now prominent in everybody’s awareness.  Especially bankers!

Furthermore, it may not make good management sense to ignore a risk.  Most risks do not get better with time, and some can blow up to jeopardize the very existence of the company.  Imagine a breach of confidential data just when you are trying to sign that first marquee customer.  Finally, there is value in being able to sleep at night, and knowing what your problems are is better than worrying about what they may be.

Turning a willful blind eye to a risk -- “rejecting” it -- is not the same as knowingly accepting a risk, which may be the best way to treat it.  It is management’s decision whether to treat or reject a risk, but rejecting is not a winning strategy in the long run.
