Yet another position has been given us by my good friend, Jim DeLoach.
In an article at the end of 2015, he suggested that we should have five lines of defense, not the three that most people talk about.
But his five are different from the five that King IV talks about.
Jim starts, and it just makes sense, with culture as the first line. That is followed by business-unit managers and process owners, independent risk and compliance functions, internal audit, and finally the board and top management.
I could make a strong argument that decision-makers should be included as a sixth line after culture and before business-unit managers, as that would make it clear that risk is the responsibility of everybody, not just management and the board.
But the greater argument, as I have said so many times before that my fingers are getting hoarse, is that managing risk is not about defense. I prefer "offense."
Let's stop talking about either managing or mitigating risk. Risk is not always bad, and you need to pursue or (if you prefer) accept some level of risk in order to achieve your objectives.
Let's start talking, instead, about taking risk — the right level of the right risks.
Do that as part of making intelligent and informed decisions.
If we are always focused on avoiding banana skins and open manholes, we will never succeed.
In fact, one of the greatest risks lies in not taking sufficient risk — being risk averse.
Can we change our language?
Can we change our mind-set — and our risk-averse culture?
I welcome your thoughts.