InsuranceFinance

Should Risks Be Managed at Corporate or Business Unit Level?

RISK-ACADEMY (Alex Sidorenko)
RISK-ACADEMY (Alex Sidorenko)Mar 20, 2026

Why It Matters

Aligning risk analysis with the people who make decisions improves mitigation effectiveness and prevents costly, disconnected compliance exercises, boosting overall organizational agility.

Key Takeaways

  • Risk analysis must sit where decisions are made
  • Centralized risk units often go unused by decision makers
  • Business units should own risks tied to their specific actions
  • Corporate provides tools, training, and cross‑enterprise risk coordination
  • Enterprise‑wide risks like currency or reputation stay at corporate level

Summary

The video tackles a fundamental governance question: should risk management reside in a corporate center or within individual business units? The speaker argues that the answer hinges on where the decisions that generate the risk are taken, insisting that risk analysis must be as close as possible to the decision‑maker.

A two‑layer model is presented as the practical solution. Business‑unit leaders own and assess uncertainties directly linked to contracts, budgets, and projects, while the corporate function supplies standardized tools, methodologies, training, and coordinates truly enterprise‑wide exposures such as currency fluctuations, regulatory shifts, and reputational threats.

Key quotes underscore the point: “Risk management should live as close as possible to the decisions it is supposed to inform,” and “The worst outcome is a compliance‑focused corporate risk function that produces quarterly heat maps while business units make consequential decisions every day without ever thinking about uncertainty.” These lines illustrate the disconnect that renders centralized registers ineffective.

The implication for organizations is clear: redesign risk governance so that ownership follows decision authority. Doing so drives faster, more relevant risk insight, reduces bureaucratic overhead, and aligns accountability, ultimately strengthening resilience and strategic execution.

Original Description

Should risks be managed at corporate or business unit level?
The honest answer is: it depends entirely on where the decisions are being made.
Risk management should live as close as possible to the decisions it is supposed to inform. If a business unit leader is the one approving contracts, allocating budgets, and launching projects, then risk analysis needs to happen right there, at the business unit level, before those decisions are made. Not later, not in a separate corporate report, not in agenda item seven of a board meeting.
Here is where many companies go wrong. They centralize risk management into a corporate function, hire a Chief Risk Officer, build a beautiful risk register, and then wonder why nobody uses it. The reason is simple. The people managing the risks are not the people making the decisions. And the people making the decisions feel no ownership over risks they did not identify themselves.
So what actually works? Think of it as a two-layer system. Business units own and manage the uncertainties connected to their specific decisions and activities. The corporate center provides tools, methodology, training, and a light coordination function. It also handles the risks that genuinely cut across the whole organization, things like currency exposure, regulatory changes, or group-level reputational threats that no single business unit can manage alone.
The key question to ask is this: who makes the decision that this risk affects? That person or team should own the risk analysis. If corporate finance approves the capital budget, corporate needs to see the uncertainty ranges. If a regional manager approves a supplier contract, that manager needs the risk analysis, not a distant corporate team that will see a summary three months later.
The worst outcome is a compliance-focused corporate risk function that produces quarterly heat maps while business units make consequential decisions every day without ever thinking about uncertainty. That is risk management as theater, not risk management as value.
Delete Post

Comments

Want to join the conversation?

Loading comments...