Risk management too often is perilously fragmented and insufficiently funded. Managing the overall risk equation is assuredly a CEO-level and management team obligation. But the design and execution of effective strategies to identify and moderate risk is, of necessity, complex and typically spread among numerous organizational silos.
The core mission or activities of an enterprise more readily attract investment and executive attention. Obtaining the tools, budgets and focus adequately to protect people, critical intellectual property, brand and other assets is too often not viewed as a first-tier priority. At least until something bad happens.