What executives should know, but often don’t, about risk management
Last year, I wrote a piece for CFO.com that was entitled “How to manage risk management: it has to be part of a CFO’s everyday thinking”. The unedited (and longer) version is shown below – with the original title.
What CFOs should know, but often don’t, about risk management
Boards and CEOs often look to the CFO as their advisor and leader on risk and control. So what should CFOs know about risk management?
First, they should realize that although some have considered this a ‘compliance chore’, companies with effective risk management are better equipped to deliver optimized, reliable and sustained performance over the long term. Why? Because they are prepared for what might happen – not only to mitigate the effect of adverse situations or events, but to seize and take full advantage of opportunities. They are more agile and able to adjust as business conditions change. What I call ‘risk intelligent management’ allows executives and boards to manage with their eyes wide open.
As explained in COSO’s Enterprise Risk Management – Integrated Framework, “Uncertainty presents both risk and opportunity, with the potential to erode or enhance value. Enterprise risk management provides a framework for management to effectively deal with uncertainty and associated risk and opportunity and thereby enhance its capacity to build value.” Their ERM Framework also states, succinctly, that “enterprise risk management helps an entity get to where it wants to go and avoid pitfalls and surprises along the way.”
Risk management is not just about managing financial risks (such as risks relating to currency movements, or changes in the price of commodities). It’s not just about managing the risk of failing to comply with laws and regulations. It’s not just about the risk of errors in the financial statements. It’s also not just about operational and strategic risks, such as the failure of a sole supplier or the appearance of disruptive technology. It’s about managing the potential effects of uncertainty throughout your business operations. In other words, it’s all of the above. Whenever executives and the boards discuss strategies, they should be considering risk. Whenever a manager makes a decision, she should be thinking about the risks and doing something about them.
But the state of risk management practices is poor. Boards are worried and are asking the executive team to improve risk management processes and practices. A recent study by KPMG (discussed here) reported that “66 percent of the respondents [to their survey] indicate that their Board is unable to leverage the risk information it receives to improve strategy.”
Deloitte has advice for the CFO, most recently in “The Risk Intelligent CFO: Converting risk into opportunity”. The Chartered Accountants of Canada also has useful guidance in “Risk Management: What Boards Should Expect from CFOs”.
I particularly like and recommend the principles in the global ISO standard 31000:2009 “Risk management — Principles and guidelines”. They include:
- Risk management creates and protects value.
- Risk management is an integral part of organizational processes.
- Risk management is part of decision-making.
- Risk management explicitly addresses uncertainty.
- Risk management is based on the best available information.
- Risk management is dynamic, iterative, and responsive to change.
Some companies have implemented risk management using periodic, typically quarterly, assessments of their more significant risks. Often, they hold facilitated workshops with managers and executives to agree on the top risks that merit attention. But is that making risk management “part of decision-making”? Has risk management become “an integral part of organizational processes”? Does this make the organization sufficiently nimble to handle potential adverse events that arise with little notice, or seize opportunities to take advantage of a competitor’s inability to support market demand?
CFOs should understand that risk is not something that can be managed once each quarter, or what I call “on Fridays”. Risks appear and have to be addressed as the business is run – integrated into routine decision-making, strategy-setting, and performance management. Relying only on quarterly reviews of a few risks is like driving down the highway at 60 mph and looking up at the traffic around and ahead of you only every 15 minutes. While there is value in a detailed periodic review, risks don’t change at set intervals, and it is essential to look where you are driving at all times.
The bottom line is that effective risk management processes and practices are necessary if you want not only to avoid the hard lessons that companies like BP and Siemens have learned in the last years, but also to optimize performance and achievement of goals and strategies.
A CFO should ask whether his executive team and the Board understand this. He can provide leadership by arranging training and by ensuring that risk management is given the attention and priority it needs for the organization to be successful.
Questions for you
- Do you agree with the principles in the article?
- Do you believe periodic risk management is acceptable?
- How current and therefore how effective is your risk understanding?