The boundaries between risk management and compliance have eroded over the past decade, to the detriment of both functions.
The definition of risk should be expanded to include opportunities and uncertainties, not just hazards.
The perception of risk is dependent on one’s organizational responsibilities, and the convergence of those perceptions is the central focus of the management of risk.
Over the past decade the line between risk management and compliance has been blurred to the point where, in many organizations, it is impossible to determine if they are not one and the same. In part, this confusion between the two functions was initiated and then exacerbated by the passage of the Sarbanes–Oxley Act of 2002 and the implementation of Basel II. Both of these events consumed a great deal of resources, and many consulting firms labeled these efforts “risk management.” They are, in fact, compliance requirements designed to protect stakeholders and, in the latter case, ensure the viability of the financial system. They are not designed for, and nor can their implementation achieve, the management of risk in individual companies or financial institutions.
This confusion between compliance and risk management has led to a defensive posture in dealing with the uncertainties of the competitive business environment. Risk has been confined to the analysis of what could go wrong rather than what needs to go right. Risk management organizations have become the arbiters of what constitutes risk and have assumed an adversarial relationship with business managers, particularly in capital allocation exercises. Failures and scandals are met with calls for more regulation, the implementation of regulations becomes the province of risk management organizations, and the execution of strategy (arguably the area in most need of risk management) becomes further separated from any kind of disciplined analysis.
- Page 1 of 6
- Next section An Expanded Definition of Risk