Ethico Webinars · 2026-06-19 · 7 min read

Risk Relationships: Rethinking Ownership Across the Enterprise

Nick Gallo sits down with veteran risk leader Gerry Zack—former SEC and HCA executive and founder of Risk Trek—to dismantle a quietly broken idea: that risk lives in one place and belongs to one owner.

Joah Park

Lead Producer of The Ethicsverse

Zack argues that risks exist in chains, where the driver of a compliance risk is frequently someone else's risk entirely, and that mapping those relationships back to their point of origin transforms how compliance professionals collaborate, influence, and position themselves. The conversation moves from the technical mechanics of risk chains and drivers through the very human work of persuasion, vulnerability, and relationship-building, and closes on a practical reframe of risk appetite—turning vague platitudes into risk scales that actually drive behavior. Throughout, Zack and Gallo make the case for compliance to claim a new identity: a specialized, forward-looking risk function that sees around the corner rather than driving in the rearview mirror.

This session interrogates the prevailing paradigm of discrete, individually-assigned risk ownership and advances an alternative model grounded in risk interconnectedness. Drawing on decades of practitioner experience across regulated industries, the discussion posits that compliance risks rarely exist in isolation; rather, they sit within a "chain of risks" in which the antecedent drivers, preventive and detective controls, and downstream consequences of any single risk frequently constitute independent risks owned by other functions—human resources, strategy, finance, and operations among them. Using Foreign Corrupt Practices Act exposure as an illustrative case, the speakers demonstrate how decomposing a single compliance risk surfaces a network of related exposures, thereby reframing dependency-based requests for assistance into reciprocal, collaboration-based partnerships. The analysis extends to the affective and interpersonal dimensions of this approach, identifying organizational siloing and individual risk-aversion to vulnerability as primary impediments, and proposing curiosity, inquisitive framing, and relationship cultivation as countervailing competencies.

Key Takeaways

Risk Originates Outside Compliance—and Compliance Often Finds Out Last

  • Risks rarely begin in the compliance function; they emerge in IT, sales, operations, or HR, and compliance is frequently the last department to become aware of them.

  • This structural reality means compliance is typically positioned somewhere in the middle or toward the end of a risk's lifecycle rather than at its source.

  • Recognizing where a risk actually originates is the necessary first step to managing it effectively rather than merely reacting to it once it surfaces.

Risk Is Embedded in Strategy, Not Opposed to It

  • Risk carries an unfair reputation as something purely negative to be avoided, when in reality it is an inherent and necessary element of any strategy.

  • Just as crossing the street carries risk that we accept in exchange for getting somewhere, every strategic objective carries embedded risk that should be acknowledged rather than suppressed.

  • Reframing the conversation around "what needs to go right to achieve our goals" often surfaces the same exposures as asking "what could go wrong," but does so in a way leaders find more engaging.

Risks Exist in Chains, Not in Isolation

  • The central concept of the session is that any given risk is connected to a series of preceding and following risks rather than existing as a standalone event.

  • A compliance risk has drivers that lead into it and consequences that flow out of it, and each of those is frequently a distinct risk owned or managed by a different party.

  • Understanding this chain gives a far clearer picture of where a risk truly sits and who must be involved in managing it.

Drivers and Controls Are Frequently Someone Else's Risk

  • When assessing a risk like bribery, practitioners already identify drivers, preventive controls, detective controls, and impacts—and each of these factors is often an independent risk for another function.

  • Perverse incentives and unrealistic goals that drive bribery are simultaneously an HR and culture risk, while a competitive environment is a strategy risk owned by the executive team.

  • Even a control mechanism like a shell company is itself a fraud or financial risk, meaning the elements of one risk assessment double as the risk inventories of other departments.

Reframing Dependency Into Collaboration Changes Your Position

  • Compliance professionals routinely approach other departments by asking for help managing "my risk," which casts them as dependent supplicants.

  • The risk relationship model flips this dynamic: when the driver of your risk is actually a risk to the other department, you can say "your risk relates to my risk, and managing them together helps us both."

  • This reframing transforms a one-sided request into a reciprocal partnership and elevates the compliance professional into a more strategic organizational position.

Risk Ownership Is Better Understood as a Team Sport With a Quarterback

  • While the term "risk ownership" is imperfect, abandoning it entirely risks paralysis, since management by committee with no chair tends to produce inaction.

  • The more accurate framing treats risk as a team of distinct components requiring a team to manage, with an identified lead who coordinates rather than shoulders everything alone.

  • Reclassifying the people you need from "those who must help you" into "collaborators who share the exposure" makes the necessary cooperation both more honest and more achievable.

You Don't Need to Be a Risk Expert to Manage Risk Well

  • A common misconception holds that sophisticated enterprise risk management expertise is a prerequisite for participating in risk management, but the essential competencies are narrower.

  • Department heads simply need to understand their principal risks, what they can do about them, and how to keep those risks manageable—without ever invoking technical jargon like drivers, impact, or risk appetite.

  • Embedding a risk-management orientation directly into job descriptions from the outset is one of the most effective and overlooked ways to distribute this capability.

Effective Risk Management Demands Vulnerability and Persuasion

  • Approaching risk relationally requires compliance officers to be vulnerable, because acknowledging that others' risks affect them also means admitting that their risk affects others.

  • This creates discomfort, since it is far easier to simply ask for help than to disclose one's own exposures and invite scrutiny of how they are being managed.

  • Success therefore depends heavily on interpersonal skill, smart framing that conveys shared purpose, and a willingness to have awkward conversations that begin building relationships before any risk discussion takes place.

Compliance Should Adopt the Identity of a Risk Futurist

  • The most valuable people in any function are those who can anticipate what is coming, and compliance professionals often possess exactly the conscientiousness and detail-orientation needed to spot holes in plans and see around the curve.

  • Rather than driving in the rearview mirror, compliance should position itself as a forward-looking risk function that anticipates exposures arising from new markets, control gaps, or industry-wide patterns.

  • This anticipatory instinct is built not through prophecy but through curiosity—gathering contextual data through conversations and research, much as a skilled salesperson forecasts a slow quarter.

Risk Appetite Must Be Made Granular, Strategic, and Action-Driving

  • Enterprise-level risk appetite statements are typically lofty platitudes that resemble vision statements and drive no actual behavior, much like a stated value of "integrity" that changes nothing.

  • Appetite becomes meaningful only when discussed at the specific risk level—distinguishing tolerance for expense-report fraud from tolerance for FCPA violations—and when those distinctions are baked into customized risk scales.

  • A score of "three" should reflect genuine risk appetite and connect to strategic goals, so that the threshold triggering further mitigation actually means something rather than being an arbitrary number assigned by people who never discussed appetite at all.

Closing

The throughline of this conversation is a single, liberating shift in perspective: risk is not a collection of isolated Legos scattered on the floor but something that circulates through the entire organism of the organization. Once compliance professionals trace risks back to their drivers and forward to their consequences, they discover that most exposures are shared, that collaboration is reciprocal rather than dependent, and that their own function is uniquely positioned to see connections others miss. The work is as human as it is technical—requiring vulnerability, curiosity, persuasion, and relationship-building—and it culminates in making abstractions like risk appetite concrete enough to drive real decisions. Gerry Zack's parting advice distills the entire framework into one starting move: identify the drivers of the risks you face, because doing so reveals whose risks they truly are, opens the door to the relationships that make management possible, and sets compliance on the path from reactive afterthought to anticipatory, enterprise-elevating risk function.
