The risk manager slumped behind his desk. It had been a long day, troubleshooting the latest emergency. He was tired. We both were.

He was coming to terms—everyone was—with the fact that there would be no bonuses this year.

Bonuses were tied to the firm achieving its earnings targets, and this year was shaping up as another miss—the third year in a row.

Then he blurted it out:

“This ‘one for all and all for one’ business has mostly been about losing money together.”

I had been saying the same thing for months, but the words were his own. He finally understood what I meant … and he accepted it.

I am going to ask you a question. It is a question every risk manager should ask.

Answering the question will do more than help you succeed as a risk manager. Fundamentally, it will define what success means for you.

We’ve all been told that risk management is about how companies take risk, but there is a problem.

Companies don’t take risk. People do.

This is a conclusion of my journal article Defining Risk (2004). It is a short read. If you haven’t read it, you should.

In a nutshell, it points out that risk is more than uncertainty. To be at risk, you also must have a reason to care about an outcome.

If a man is perched precariously at the top of a cliff, he is at risk because he cares whether or not he falls. If a rock is perched precariously at the top of a cliff, it is not at risk because it doesn’t care whether or not it falls. The rock is incapable of caring.

A company is a legal construct. Like the rock, it is incapable of caring about anything. It is incapable of taking risk.

So companies don’t take risk. Instead, they are conduits through which people take risk.

Through companies, shareowners take investment risk. Employees take career risk. Board members take reputational risk. Customers take the risk that products they depend on might be unavailable or hazardous. Society takes a host of residual risks.

Many of these risks conflict: Increasing risk for one group can reduce risk for another.

This is why it is misleading to speak of managing a company’s risk. You have to delve deeper and ask the question—here it is:

Whose risk are you managing?

This isn’t some abstract theoretical question. It’s practical.

Think back to the beginning of this article and the risk manager slumped at his desk:

One for all and all for one.

His company was a pleasure to work at. Employees genuinely cared about and looked out for each other. Decisions were made communally. A handful of senior employees drove the process, but everyone signed on to the decisions. There was never conflict or disagreement.

And no one was accountable. When a decision proved disastrous, everyone circled the wagons. No one was blamed.

Everyone cared a little about each decision that was made. But with no one’s career or reputation on the line, no one cared a lot. This ensured a mediocre decision-making process—and disappointing earnings.

The firm had a risk management mission statement, but it was irrelevant. Actions speak louder than words. Based on how it operated, the firm’s risk management was driven by a corporate culture of minimizing career risk for employees. Ultimately this cost those employees their bonuses. Investors also suffered. Decreasing career risk for employees had increased investment risk for them.

No one planned it this way. It is just behavior that evolved over years. It wasn’t until the risk manager stopped and thought about it that he realized there was a problem.

This is just one example of one firm. Every firm has its own unique culture and challenges. Whatever challenges your firm faces, start with the question: Whose risk are you managing?