Risk management is a C-suite issue