Chapter 8: Exploring the Concept of Compliance Risk

“If you risk nothing, then you risk everything.”

—Geena Davis

“Risk comes from not knowing what you're doing.”

—Warren Buffett

When I was first introduced to the concept of “risk” a couple of decades ago, I was told by my mentor that risk management is an art, craft, and science rolled into one. Over the years I have come to appreciate the nuance and the wisdom of that statement. It is an art because you are to visualize something that is not very apparent. It is a craft because you should have the skill to separate the chaff from the grain and find the risks without getting lost in the noise of uncertainty. It is a science, since the measurement needs to be objective.

If the discussion is on financial risk that a firm takes, it is appropriate to say risk and value are two sides of the same coin. Risk is an inherent part of any enterprise and an important contributor to value creation. Organizations take calculated risks to optimize returns. Eliminating risk is not an option if organizations wish to stay in business. It is important to start with the right perspective that risk taking is necessary for achieving the primary objective of any business: value creation. This is where compliance risk differs from the financial risks that firms take. Keeping the compliance risk to its lowest is the key to both value creation and value sustenance. To do away with it completely is not realistic, but keeping it to its lowest is. On the ...
