The risk manager slumped behind his desk. It had been a long day, troubleshooting the latest emergency. He was tired. We both were.

He was coming to terms—everyone was—with the fact that there would be no bonuses this year.

Bonuses were tied to the firm achieving its earnings targets, and this year was shaping up as another miss—the third year in a row.

Then he blurted it out:

“This ‘one for all and all for one’ business has mostly been about losing money together.”

I had been saying the same thing for months, but the words were his own. He finally understood what I meant … and he accepted it.

I am going to ask you a question. It is a question every risk manager should ask.

Answering the question will do more than help you succeed as a risk manager. Fundamentally, it will define what success means for you.

We’ve all been told that risk management is about how companies take risk, but there is a problem.

Companies don’t take risk. People do.

This is a conclusion of my celebrated journal article Defining Risk (2004). It is a short read. If you haven’t read it, you should.

In a nutshell, it points out that risk is more than uncertainty. To be at risk, you also must have a reason to care about an outcome.

If a man is perched precariously at the top of a cliff, he is at risk because he cares whether or not he falls. If a rock is perched precariously at the top of a cliff, it is not at risk because it doesn’t care whether or not it falls. The rock is incapable of caring.

A company is a legal construct. Like the rock, it is incapable of caring about anything. It is incapable of taking risk.

So companies don’t take risk. Instead, they are conduits through which people take risk.

Through companies, shareowners take investment risk. Employees take career risk. Board members take reputational risk. Customers take the risk that products they depend on might be unavailable, overpriced, inferior or hazardous. Society takes a host of residual risks.

Many of these risks conflict: Increasing risk for one group can reduce risk for another.

This is why it is misleading to speak of managing a company’s risk. You have to delve deeper and ask the question—here it is:

Whose risk are you managing?

This isn’t some abstract theoretical question. It’s practical.

Think back to the beginning of this article and the risk manager slumped at his desk:

One for all and all for one.

His company was a pleasure to work at. Employees genuinely cared about and looked out for each other. Decisions were made communally. A handful of senior employees drove the process, but everyone signed on to the decisions. There was never conflict or disagreement.

And no one was accountable. When a decision proved disastrous, everyone circled the wagons. No one was blamed.

Everyone cared a little about each decision that was made. But with no one’s career or reputation on the line, no one cared a lot. This ensured a mediocre decision-making process—and disappointing earnings.

The firm had a risk management mission statement, but it was irrelevant. Actions speak louder than words. Based on how it operated, the firm’s risk management was driven by a corporate culture of minimizing career risk for employees. Ultimately this cost those employees their bonuses. But all along, investors had also suffered. Decreasing career risk for employees had increased investment risk for them.

No one planned it this way. It is just behavior that evolved over years. It wasn’t until the risk manager stopped and thought about it that he realized there was a problem.

Here are symptoms you can watch for.

  • Companies focused on managing reputation risk of senior management tend to lack transparency. Information flows poorly up or down the organization.
  • Companies focused on managing career risk of employees tend to promote collective decision making and avoid individual accountability.

These are the sort of symptoms I watch for when visiting a client. You should watch for them at your firm—and ask yourself the question:

Whose risk are we managing?