
Risk Management: Beyond Compliance

by Bill Sharon

Executive Summary

  • The boundaries between risk management and compliance have eroded over the past decade, to the detriment of both functions.

  • The definition of risk should be expanded to include opportunities and uncertainties, not just hazards.

  • The context for assessing operational risk is business strategy.

  • The role of risk managers needs to expand so that they become coordinators of the risk information that is readily available in operational and business units.

  • The perception of risk is dependent on one’s organizational responsibilities, and the convergence of those perceptions is the central focus of the management of risk.


Over the past decade the line between risk management and compliance has been blurred to the point where, in many organizations, it is impossible to tell whether the two are one and the same. In part, this confusion between the two functions was initiated and then exacerbated by the passage of the Sarbanes–Oxley Act of 2002 and the implementation of Basel II. Both of these events consumed a great deal of resources, and many consulting firms labeled these efforts “risk management.” They are, in fact, compliance requirements designed to protect stakeholders and, in the latter case, to ensure the viability of the financial system. They are not designed for, nor can their implementation achieve, the management of risk in individual companies or financial institutions.

This confusion between compliance and risk management has led to a defensive posture in dealing with the uncertainties of the competitive business environment. Risk has been confined to the analysis of what could go wrong rather than what needs to go right. Risk management organizations have become the arbiters of what constitutes risk and have assumed an adversarial relationship with business managers, particularly in capital allocation exercises. Failures and scandals are met with calls for more regulation, the implementation of regulations becomes the province of risk management organizations, and the execution of strategy (arguably the area in most need of risk management) becomes further separated from any kind of disciplined analysis.

An Expanded Definition of Risk

As Peter Bernstein tells us in his book Against the Gods: The Remarkable Story of Risk, the word risk comes from the old Italian risicare, which means “to dare.” Daring is the driving idea behind business, the idea that a product or a service can achieve excellence and value in the marketplace. Strategy necessarily incorporates risk from the perspective of those actions which are required for its success.

In 1996 Robert G. Eccles, a former Harvard Business School professor, and Lee Puschaver, a partner at Price Waterhouse (now PricewaterhouseCoopers), developed the concept of the “business risk continuum.” They argued that organizations that were successful in managing risk were those that focused on uncertainties and opportunities as much as they did on hazards. The context for evaluating risk in this manner is business strategy. This idea—that the definition of risk should be expanded to include those actions that an organization needed to embrace to achieve its goals—was revolutionary and codified what some companies were already beginning to initiate. Unfortunately, the narrow view of risk has prevailed for the past decade, and Eccles’ and Puschaver’s work has essentially been ignored.

The overwhelming emphasis of most risk organizations today is on the hazard end of the scale. Enron, and now subprime, along with the increased focus on terrorism, cataclysmic natural disasters, and the potential for pandemic diseases, have put most complex organizations in a defensive posture. The problem with this approach is that risk driven from the hazard perspective is experienced as overhead in the operational disciplines and business units; it is a cost of doing business, not an activity that enhances value or improves the possibility of success.

By expanding the definition of risk (or returning to its original meaning) companies can harness the inherent risk management abilities and information available throughout their organization and develop a predictive process to address mission-critical tasks. Understanding how risk is perceived and how people react to those perceptions is an essential step in managing the opportunities and uncertainties inherent in implementing a business strategy.

Organizational Roles and the Perception of Risk

Daniel Kahneman and Amos Tversky, the authors of “Prospect Theory,” conducted a variety of experiments on the perception of risk and the responses that people had to identical information presented in different contexts. Among their conclusions they determined that:

  1. emotion always overrides logic in the decision-making process,

  2. people suffer from cognitive dysfunction in making decisions because they never have enough information,

  3. people are not risk-averse, they are loss-averse.

While these conclusions may be unsettling to those involved in quantitative risk analysis, all three are useful assumptions around which to build a proactive risk management process. Emotion is at the core of any business—the desire to produce the best product, offer the best service, and compete in the marketplace comes from passion, not analytics. Managing risk is about managing emotion, not eliminating it.

From an organizational perspective, the perception of risk is colored by one’s responsibilities. In the operational environment, technologists see opportunities in deploying software and hardware. HR professionals define success as the attraction and retention of high-performance employees. In the business units, opportunities require risks to be taken in order to capture market share or evolve a product line to the next level. Often these business leaders are unaware of the operational capabilities and capacities on which they must rely to achieve their goals. Operational managers often lack clarity on the business models they support. Individually, these perceptions of risk tell only part of the story and require the balance of all of the organizational perceptions in order for the cognitive dissonance to be managed and mitigated.

In this context, risk managers become coordinators of business intelligence rather than arbiters of what is and is not a risk. The management of risk is a communication process that is central to the success of the enterprise rather than an overhead process that compliance so often becomes. Participation in risk management is equivalent to participating in the development of business strategy. The desire not to lose (rather than the misguided view of being averse to “daring”) is the underlying motivation for the process.


Further reading

  • Bernstein, Peter L. Against the Gods: The Remarkable Story of Risk. New York: Wiley, 1996.

  • Kloman, Felix. “Risk Management and Monty Python, Part 2.” Risk Management Reports 32:12 (2005).

  • Puschaver, Lee, and Robert G. Eccles. “In Pursuit of the Upside: The New Opportunity in Risk Management.” Leading Thinking on Issues of Risk, PricewaterhouseCoopers, 1998.
