The Threat of Risks


By Adam Turteltaub

I just participated in our annual program with the FBI, and as always it was an informative, enjoyable and inspiring event.  Each time I leave more impressed with the FBI and its work than before, and even more glad that we can offer this program with them each year.

As I was listening to the sessions, I noticed a key difference in semantics.  As I think one of the speakers even pointed out, we in business talk about “risks” but in law enforcement they talk about “threats”.

I started wondering whether it would be better if we in compliance started speaking about threats as well.

Now, I know business loves to talk about risks and risk management.  And there is certainly an argument to be made for using the same language as the rest of the business community.  But I wonder if, by using the same words, it invites treating compliance failures as just another risk to be managed, like currency fluctuations and whether a new product will help or hurt the bottom line.  It implies that we can just buy some insurance, or decide it’s okay to just roll the dice and see what happens.

That, at least to me, sells the dangers of non-compliance more than a bit short.  A major compliance failure is not just a risk (and some would argue in any large organization with thousands of employees it’s an inevitability), it is also a threat to the bottom line and the business for a long time.

As importantly, speaking about threats sounds a bit more attention-getting than simply talking about risks.  It could help raise concerns among the business units and, as a result, make the value of compliance seem significantly greater.

I don’t want this to sound like I’m only interested in making us sound more important.  I’m not.  But if we help businesses realize that a compliance failure is not a risk that we can take but a serious threat we must respond to, it may get more people to pay attention and stop threatening the success of the business.

What do you think?


  1. Adam, I heartily disagree and am disappointed to read here such a semantically confused and confusing post on the terminology of risk.
    This shows that the Compliance Profession is in dire need to catch up in its understanding of what risk management is.
    Of course there is a very true point in your post, too: organizations still haven’t got risk management right, either. Risk management is about well-informed decision making to achieve business objectives, keeping in mind “what might happen” (=risks; or the effect of uncertainty on objectives).

    The point is not that compliance is “just another risk” to be managed. Just because you call it a “threat” doesn’t mean it will be managed more or less well, as we can see from the entire cyber area: full of threats still not managed effectively.

    “The limits of my language mean the limits of my world.” (Ludwig Wittgenstein) Unless we get the confusion in terminology resolved, how are we ever going to make well-informed decisions and manage risks effectively?

    • Michael:

      First, thanks for taking the time to write in and to disagree so politely. There’s not enough of that online today.

      My point, which I might have made better, is that by talking about compliance in the same language with which business addresses other risks we invite a treatment of a compliance failure as if it were something that could be managed like any other risk.
      Or, to borrow the quote you cite, when we borrow the language of risk we limit our thinking to the consequences of all the other business risks and allow people to think that a violation of law is an option, just as expanding the business into a new geography is.

      Paying a bribe should not be considered as just another risk to the business. Being a part of an illegal cartel is not just another risk to be managed.

      However, as long as we talk about them the way we talk about so many other risks, we invite business people to consider violating the law as just another business decision.

      That creates a grave threat to the business.

  2. I’ve seen the term “catastrophic risk” applied to EH&S and compliance/legal risk to differentiate it from business risk. It helps to avoid confusion when discussing the spectrum of risk and having a risk-adjusted mindset.

  3. I like the suggestion. It makes a lot of sense to me. However, business may unfortunately not appreciate this terminology… It may take time until more and more officers use this term…

    Btw, not all risks are of a criminal nature. In such a situation, calling them threats as the FBI does would not make much sense.

    But generally, great thought. Speaking the same language may help ethical companies communicate with law enforcement authorities more clearly and effectively.
