Management and Risk — 10-Volume Series
Risk is not danger itself but the effect of uncertainty on objectives (ISO 31000). Seen through this lens, material review is not censorship but a second-line risk-reduction function that cuts off, at the earliest point, the chain by which a deviation spreads into governance and capital. Across ten volumes, the value of review is retranslated into management's own vocabulary — appetite, the three lines of defense, and incentive design.
01
Defining Risk — Uncertainty and Exposure
ISO 31000 defines risk as "the effect of uncertainty on objectives." It is measured not by danger itself but by distance from the objective — the first place where the vocabulary of management and the vocabulary of review diverge.
Available →
02
Why Firms Take Risk — The Source of Return
A firm that takes no risk falls below its cost of capital and shrinks. Return arises as the price of bearing uncertainty. The Itō Review put this relationship into words as the gap between ROE and the cost of capital.
Available →
03
Risk Appetite and Tolerance — The Line the Board Draws
How much to take is decided by the board, not the front line. Approving risk appetite (the amount actively pursued) and tolerance (the acceptable range of variation) connects to the board's duty under Article 362 of the Companies Act.
Available →
04
The Full Picture of ERM — COSO and ISO 31000
Viewing risk in isolation department by department is the traditional approach; viewing it enterprise-wide and integrated with strategy is ERM. COSO ERM (5 components, 20 principles) and ISO 31000 (principles, framework, process) are its two governing standards.
Available →
05
The Three Lines of Defense Revisited — Separation of Roles and Independence
Defense is layered across the front line (first), control functions (second), and internal audit (third). The 2020 revision of the Three Lines Model shifted emphasis from "lines of defense" to "collaboration of roles." Where the review function sits changes what it means.
Available →
06
Measurable and Unmeasurable Risk — VaR and Tail Risk
Risk that can be quantified is easy to manage; risk that cannot is easy to overlook. VaR measures the loss ceiling in normal times but misses extreme events in the tail. Much of compliance risk belongs to the latter.
Available →
07
What Makes Compliance Risk Distinct — Low Frequency, High Damage, Reputational Harm
Market risk moves visibly day by day; compliance risk looks like zero most of the time, then tilts the whole company when it surfaces. It differs from other risks in its low reversibility and in the damage it does to reputation — an asset hard to restore.
Available →
08
The Risk Incentives Create — Compensation Design and Runaway Behavior
People optimize for the metric they are measured by. Pay tied to short-term sales increases the behavior that maximizes short-term sales — the temptation to deviate. Risk does not only arrive from outside; compensation design manufactures it from within.
Available →
09
The Chain of Crisis — How a Deviation Spreads into Governance and Capital
A single deviation does not end as a deviation. Discovery → regulatory response → media coverage → loss of trust → rising share-price and capital costs → management accountability: the chain runs on. A failure of risk management finally lands as a problem of governance and capital.
Available →
10
Material Review Seen Through Risk Management — Ex-ante Reduction and the Node of Three Layers
Material review is an ex-ante reduction device placed at the very top of the risk chain. It stands at the node where appetite (the board), the three lines (control functions), and incentives and governance (the whole company) meet. Every thread of this series converges here.
Available →