FinanceInsurance

Centralised vs Decentralised Risk Management?

RISK-ACADEMY (Alex Sidorenko)
RISK-ACADEMY (Alex Sidorenko)Jun 6, 2026

Why It Matters

Aligning risk analysis with the appropriate decision‑making level improves agility and protects value, giving firms a competitive edge while reducing costly oversight failures.

Key Takeaways

  • Centralized vs decentralized risk is false dichotomy; choose per risk type.
  • Aggregate risks like credit, market, FX need central oversight and tools.
  • Operational risks require embedded analysis within business units, not top‑down scores.
  • Small central function should coordinate only truly enterprise‑wide risk mitigation.
  • Decision‑makers need real‑time, unit‑level risk insight, not delayed color‑coding.

Summary

The video argues that framing risk management as a choice between centralized and decentralized structures is misleading. Instead, the appropriate model depends on the nature of each risk, and mature organizations adopt a hybrid approach.

Risks that can be quantified and hedged—such as credit, market and foreign‑exchange exposure—benefit from aggregation and a central oversight function that provides methodology and reporting. Conversely, operational risks like supplier fragility, regulatory changes, project delays or environmental compliance require granular, unit‑level analysis that cannot be reduced to a single corporate score.

The speaker cites examples: aggregate credit exposure and currency positions demand portfolio‑level mitigation, while water‑pollution legislation or a single supplier’s financial health must be examined in detail. He recommends a small central risk office to handle true enterprise‑wide risks and to equip business units, procurement, finance and project teams with embedded risk‑analysis capabilities.

Adopting this hybrid model aligns risk insight with the decision‑maker’s locus, speeds response, and satisfies auditors without sacrificing detail. Companies that continue to force all risks into a monolithic ERM framework risk obscuring critical information and making sub‑optimal decisions.

Original Description

The framing of centralised versus decentralised is actually the wrong question. It implies you have to pick one. The reality is that different types of risk require fundamentally different approaches, and forcing everything into one model is where most organisations go wrong. That's why ERM is such a naïve and artificial concept.
The more mature an organisation is in risk management, the more different kinds of risk management it has. Enterprise-wide uniformity is not a sign of sophistication. It is a sign that someone sold you a framework that ignores how risk or decision making actually works.
Some risks genuinely need to be managed at the aggregate level. Credit risk, market risk, foreign exchange exposure — these have markets and instruments specifically designed for aggregate management. You need to understand your total credit exposure, your overall currency position, your portfolio-level concentration. Aggregating those makes complete sense. The mitigation is designed at that level.
But other risks have no meaningful aggregate mitigation. Water pollution legislation, a specific supplier's financial fragility, a regulatory change in one jurisdiction, project delay, supply chain interruptions — these require deep investigation at the individual level. Aggregating them into a corporate risk score destroys the very information you need to manage them. None of that survives aggregation.
The practical implication is straightforward. Build a small central function that handles genuinely aggregate risks, provides tools and methodology, coordinates across units, and satisfies the auditors. Then embed risk analysis capability directly into the business units — procurement, operations, finance, project management — where the actual decisions are made every day. Not as a reporting line. As a capability that lives inside those processes.
The test is always the same: who is making the decision this risk affects? That person needs the analysis. If they are in a business unit, the analysis needs to be there too — not summarised, not filtered, not translated into a colour code by a central team three weeks later.

Comments

Want to join the conversation?

Loading comments...