Enterprise Risk Management

The Operating Risk No One Owns in a Value Creation Plan

PE-backed CFOs are forced to own the number. But the risks that can break the number often have no owner.

By Eric Kennedy · Tue Jun 30 2026 · 6 min read

The Operating Risk No One Owns in a Value Creation Plan
TL;DR

Portfolio companies usually assign clear owners to cash, close, reporting, compliance, and covenants. But the operating risks most likely to derail the value-creation plan (customer concentration, key-person dependency, integration execution, pricing power) often sit between the CFO, sponsor, and operator with no named owner. That gap usually forms in the first 100 days. KRG helps CFOs find those gaps, assign ownership, and build board-ready reporting before a sponsor, lender, or buyer finds the weakness first.

A first-100-days timeline showing each finance priority given an owner while the operating risk ownership lane runs empty with no owner assigned.
This is for you if:

A new CFO at a PE-backed company inherits a clock. The hold is finite, the debt is real, and every target in the value-creation plan is attached to someone's return. Most of what lands on the desk in the first hundred days is financial: tighten the close, stand up sponsor reporting, get a 13-week cash forecast running, and audit the value-creation plan itself.

Then there is the part that tends to fall through.

The risks that could actually knock the plan off course, a customer worth a quarter of revenue, a founder-CEO who holds every key relationship, an add-on integration that looked clean on paper, rarely have a named owner. Everyone can describe them. No one is accountable for the response. In enterprise risk terms that is the most ordinary failure there is, and in a portfolio company it is where things get expensive, because a leveraged, time-boxed hold has no slack to absorb a surprise.

My perspective comes from sixteen years across corporate finance, enterprise risk, internal audit, and P&L ownership, including running an enterprise risk program where I rebuilt the assessment process and owning a three billion dollar P&L. The view from a corporate seat is not identical to a sponsor's, but the underlying pattern is the same: risk ownership works when it is tied to operating decisions, a reporting cadence, and executive accountability. In private equity, that discipline matters even more, because the hold period, leverage, and sponsor scrutiny leave less room for surprise.

The first hundred days crowd out the risks that matter

In a private equity portfolio company, the first hundred days are the highest-leverage window of the entire hold, and almost none of that window goes to risk ownership. The mandate is speed and control. In Accordion's 2025 playbook on the CFO's first hundred days, the early priorities are stabilizing cash, auditing the value-creation plan, and closing reporting holes, with exit readiness expected from day one rather than month eighteen.

Nowhere on that list is "assign owners to the operating risks that could break the plan." It is not that anyone decides those risks do not matter. It is that cash and reporting carry deadlines and risk ownership does not. So it waits.

The pressure on the person who would have to own it is not abstract. Accordion reports that sponsors retain only about a quarter of incumbent portfolio-company CFOs, with three out of four replaced, usually within eighteen months. Seventy-four percent of sponsors say their portfolio CFOs are underperforming. A finance chief under that kind of scrutiny has very little room for a risk that has not surprised anyone yet.

Three in four incumbent portfolio company CFOs are replaced within 18 months, and 74 percent of sponsors say their CFOs are underperforming.

Compliance risk has owners. Operating risk often doesn't.

Walk into a private equity portfolio company and ask who owns each compliance and financial risk. Financial reporting accuracy is the controller. SOC 2 and IT security sit with the head of IT or a fractional CISO. Covenant compliance is the CFO. Employment and HR exposure belong to HR and counsel. You get a clear answer every time.

Now ask who owns customer concentration. Or key-person dependency. Or execution risk on the last integration. Or pricing power as input costs move. The answer is usually a pause. These risks live in the sponsor's head and the CFO's, which is another way of saying they live nowhere on paper, with no owner, no timeline, and no reporting line.

Compliance and financial risks have clear owners while operating risks usually do not

The reason is structural, not careless. Compliance risk comes with a forcing function: an auditor, a regulator, or a framework that pushes ownership onto a named person. Operating risk arrives with none of that. No one sends a deadline for "make sure the company is not dependent on one customer." So unless someone deliberately assigns it, it stays unowned. Closing that gap, making sure the risks that matter most have an owner even when nothing external is forcing the issue, is the practical version of enterprise risk management: making sure material risks have owners, signals, a cadence, and a path to the board.

Why the gap bites harder in private equity

A corporate parent can usually absorb a surprise over a few years. A private equity hold has less room on every dimension, which is why portfolio company risk management cannot just be a smaller copy of the enterprise version.

Leverage means a thinner margin for error when something breaks. A finite hold means a risk that materializes in year four has no time to recover before exit. Sponsor scrutiny means the board will ask about the exposure, usually at the least convenient moment. And exit diligence means an unowned risk does not stay hidden: a buyer's quality-of-earnings and operating teams go looking, and what was an internal blind spot becomes a line item in the discount.

None of that requires the risk to be exotic. It rarely is. It is the obvious risk everyone could name and no one was accountable for.

What good looks like: a risk ownership map

Closing the gap does not require an enterprise risk department or a software purchase. It requires one artifact: a short map of the operating risks that could move the plan, each with an owner, a signal you would watch to see it coming, a review cadence, and a reporting line.

A risk ownership map assigning each operating risk a single owner, a signal to watch, a review cadence, and a reporting line: customer concentration to the head of sales, key-person dependency to the CEO, integration execution to the CFO, and pricing power to the commercial lead.

The discipline is not the template. It is the act of assigning. The moment a risk has a name next to it, the behavior around it changes. Someone watches the signal, someone reports it, and the board hears about it on a schedule instead of by surprise. That is the entire mechanism. Most portfolio companies do not need more risk analysis. They need the handful of risks that actually matter to have an owner. That is what turns risk from a boardroom conversation into an operating discipline.

If you want a structured way to find those gaps before a sponsor or a buyer does, that is what an ERM diagnostic is built for: a short, focused review of where ownership, cadence, and reporting are missing, and what to do about each one.

Find the operating risks no one owns before your sponsor asks.

KRG helps PE-backed CFOs pressure-test value-creation risk ownership, find the gaps in cadence and reporting, and build a practical map of who owns what before the board, lender, or buyer asks the hard version of the question.

In the review, we pressure-test one value-creation priority and find where ownership, cadence, or board reporting is missing.

Book a 30-minute risk ownership review{.cta-primary} Take the 3-minute scorecard{.cta-secondary}

Frequently Asked Questions

What is a value creation plan in private equity?

A value creation plan is the set of initiatives a sponsor and management team use to grow a portfolio company's value over the hold period, covering levers like margin expansion, cash conversion, add-on acquisitions, and operational improvements. It is the operating blueprint the investment thesis depends on.

Who is responsible for risk management in a PE portfolio company?

Compliance and financial risks usually have clear owners: the controller, the head of IT, the CFO, and counsel. The operating risks that could derail the value-creation plan often have no single owner, which is the gap most portfolio companies need to close.

What is the difference between compliance risk and operating risk?

Compliance risk comes with an external forcing function, an auditor, a regulator, or a framework, that pushes ownership onto someone. Operating risk, like customer concentration or key-person dependency, arrives with no such trigger, so it stays unowned unless someone deliberately assigns it.

Does a PE portfolio company need a formal enterprise risk management program?

Most do not need an enterprise risk department or software. They need one artifact: a short map assigning the operating risks that could move the plan to named owners, with a review cadence and a reporting line.

When should a portfolio company formalize risk ownership?

Ideally inside the first hundred days, alongside the value-creation-plan audit, before cash and reporting demands crowd it out and before an unowned risk surfaces in board reporting or exit diligence.