Often I ask business leaders “Who manages risk for your business?”

The one answer I never hear is “The CEO”.

Frequently, I am told that “risk management” is assigned to one of the functional executives: Finance, Legal, insurance.

As an investor, Board Member, supplier, or customer, you should be scared that the CEO is not managing risk. OK….in fairness…this is probably more about language and understanding what I mean by “risk management”. Still, you should be scared.

Chief Executives make decisions impacting the entire firm. Its their job. Routinely, these decisions are made based on imperfect information, assumptions, and biases. Sidebar, I am OK with CEOs relying on their biases. They were hired because they had demonstrated those biases were aligned to the needs of the firm. The key is to acknowledge this and be able to recognize when those biases are misaligned. Yes, CEOs can be wrong.

Making decisions based on imperfect information, assumptions, and biases is the definition of risk management. When, in the future, those decisions are proven correct – the CEO is rewarded. When they are wrong, the CEO is held responsible. Mark Zuckerberg testifying before congress.

If a CEO’s entire job is managing risk, why do they point to another person as being responsible for risk management? Optimistically, this reflects that they have assigned accountability to the executive to ensure effective risk management processes that support CEO decision making: An Enterprise Risk Management Program. This is not what we find but rather we find that “risk management” processes are narrowly defined, often in silos, and assigned as secondary responsibilities. Scary!

When a business assigns “Risk Management” to any specific executive, effectively they are declaring that risks in the scope of that executive are more important. For example, if the CFO is responsible for risk, then the firm is saying that financial risks are more important. Again, be scared.

Enlightened firms recognize this and have created a Chief Risk Officer position. True, many did so to appease regulators (financial institutions) but not all. Assuming that the role is properly defined, a chief risk officer has the capacity to understand risks across the firm without the bias of a functional area (i.e. finance) and can to develop processes and mindsets that compliment the CEO’s and enhance decision making.

So, before you do business ask, “Who is responsible for managing risk?”