Most companies consider their primary risk management tools to be compliance programs, internal controls, and internal and external audits. While reducing the incidence of ethical, reporting, and compliance violations is important, such a narrow focus prevents the risk-management function from helping their companies manage a much larger and ever-widening universe of risks.