The risk of getting nothing done

Please feel free to contact me anytime to share your thoughts. +1 612.357.1544 (Cell), +1 952.567.6215 (Direct), Gerry.zack@corporatecompliance.org.

Not to be confused with the risk of doing nothing, the risk of getting nothing done comes from what I sometimes call “over mitigation.” I can recall several times during my years as an outside advisor when a CEO, CFO, or other senior management team member told me to design internal controls that would eliminate the risk of a particular fraud or compliance risk. My standard response was always something along the lines of “No problem, now let’s start planning to close down your organization.” I would then explain how assurance that a risk is eliminated is very rarely feasible without exiting the activity that creates the risk in the first place. The perfect control(s) that eliminate a risk rarely exist without major disruption to operations.

This document is only available to members. Please log in or become a member.


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field