
What executives should know, but often don’t, about risk management

Last year, I wrote a piece for CFO.com titled “How to manage risk management: it has to be part of a CFO’s everyday thinking”. The unedited (and longer) version is shown below, with the original title.

What CFOs should know, but often don’t, about risk management

Boards and CEOs often look to the CFO as their advisor and leader on risk and control. So what should CFOs know about risk management?

First, they should realize that although some have treated risk management as a ‘compliance chore’, companies with effective risk management are better equipped to deliver optimized, reliable and sustained performance over the long term. Why? Because they are prepared for what might happen: not only to mitigate the effect of adverse situations or events, but to seize and take full advantage of opportunities. They are more agile and better able to adjust as business conditions change. What I call ‘risk intelligent management’ allows executives and boards to manage with their eyes wide open.

As explained in COSO’s Enterprise Risk Management – Integrated Framework, “Uncertainty presents both risk and opportunity, with the potential to erode or enhance value. Enterprise risk management provides a framework for management to effectively deal with uncertainty and associated risk and opportunity and thereby enhance its capacity to build value.” The same framework also states, succinctly, that “enterprise risk management helps an entity get to where it wants to go and avoid pitfalls and surprises along the way.”

Risk management is not just about managing financial risks (such as risks relating to currency movements or changes in the price of commodities). It is not just about managing the risk of failing to comply with laws and regulations. It is not just about the risk of errors in the financial statements. Nor is it just about operational and strategic risks, such as the failure of a sole supplier or the appearance of a disruptive technology. It is about managing the potential effects of uncertainty throughout your business operations. In other words, it is all of the above. Whenever executives and boards discuss strategy, they should be considering risk. Whenever a manager makes a decision, she should be thinking about the risks and doing something about them.

But the state of risk management practices is poor. Boards are worried and are asking the executive team to improve risk management processes and practices. A recent study by KPMG (discussed here) reported that “66 percent of the respondents [to their survey] indicate that their Board is unable to leverage the risk information it receives to improve strategy.”

Deloitte has advice for the CFO, most recently in “The Risk Intelligent CFO: Converting risk into opportunity”. The Chartered Accountants of Canada also has useful guidance in “Risk Management: What Boards Should Expect from CFOs”.

I particularly like and recommend the principles in the global ISO standard 31000:2009 “Risk management — Principles and guidelines”. They include:

  • Risk management creates and protects value.
  • Risk management is an integral part of organizational processes.
  • Risk management is part of decision-making.
  • Risk management explicitly addresses uncertainty.
  • Risk management is based on the best available information.
  • Risk management is dynamic, iterative, and responsive to change.

Some companies have implemented risk management using periodic, typically quarterly, assessments of their more significant risks. Often, they hold facilitated workshops with managers and executives to agree on the top risks that merit attention. But is that making risk management “part of decision-making”? Has risk management become “an integral part of organizational processes”? Does this make the organization sufficiently nimble to handle potential adverse events that arise with little notice, or seize opportunities to take advantage of a competitor’s inability to support market demand?

CFOs should understand that risk is not something that can be managed once each quarter, or what I call “on Fridays”. Risks appear and have to be addressed as the business is run, integrated into routine decision-making, strategy-setting, and performance management. Relying only on quarterly reviews of a few risks is like driving down the highway at 60mph and looking up at the traffic around and ahead of you only every 15 minutes. While there is value in a detailed periodic review, risks do not change at set intervals, and it is essential to look where you are driving at all times.

The bottom line is that effective risk management processes and practices are necessary not only to avoid the hard lessons that companies like BP and Siemens have learned in recent years, but also to optimize performance and the achievement of goals and strategies.

A CFO should ask whether his executive team and the Board understand this. He can provide leadership by arranging training and by ensuring that risk management is given the attention and priority it needs for the organization to be successful.

Questions for you

  1. Do you agree with the principles in the article?
  2. Do you believe periodic risk management is acceptable?
  3. How current and therefore how effective is your risk understanding?

  1. March 3, 2012 at 11:56 AM

    The real problem is not financial bias or the wrong person in the organisation (CFO) managing risk. It is a problem with management per se. Management in reality is both incentivised and rewarded for dealing with ‘issues’, i.e. tangible ‘doing’ day to day. Even the word management derives etymologically from the Latin ‘manu’ – hand, hence it is a ‘doing activity’.

    The issue is far more that managers only really deal with risk when they become issues or highly proximate risks, because of scarce time or other resource. Until we, globally, reconceptualise management as a risk management activity (at least at senior levels of organisations) then I’m afraid risk management (if it’s lucky) will always be a Friday afternoon task.

  2. Buddy Rojek, CPA
    March 3, 2012 at 9:19 PM

    I agree with your article. As an ex-Arthur Andersen auditor, the biggest issue facing firms is the hiring of incompetent staff. One of the fundamental rules we learnt was to “survey” the IQ of the staff processing and monitoring. Most companies accept that you will have a few “misses” if you have cheaper staff. But it is like a type of self-insurance. The losses are offset by cost savings.

    I gave up Audit when I realised most people don’t have a perfectionist work ethic, and I thought there is more to Finance than checking and reporting. A Cabinet Maker’s, Mechanic’s or Painter’s poor work is easy to see, but it is less transparent in accounting.

    And I agree with the surveys saying the Board does not use the material presented. Most people on Boards are “Grand Visionaries” who forget about details. They have the mindset of Winston Churchill.

  3. March 4, 2012 at 7:41 AM

    I think that you have the nuts and bolts here, Norman, and so that is good. Two concerns, however. First, many CFOs are in denial. They do not know what they do not know. That is a problem because many think that they indeed understand this area quite well when in fact they do not. The second is assuming that they are in the know and do realize what is needed. How do they need to proceed appropriately to put in place what it is you are suggesting? What should their thinking be?

  4. Ck6
    March 4, 2012 at 9:39 AM

    1. Do you agree with the principles in the article?
    2. Do you believe periodic risk management is acceptable?
    No. Risk management is a continuous process that has to be reviewed within a stratified
    3. How current and therefore how effective is your risk understanding?
    Very current and very effective.

  5. March 4, 2012 at 10:52 AM

    I totally agree with the principles in the article.

    My main concern is where the focus and responsibility lie; currently this tends to be with the Audit Committee. I believe there should be a separate risk committee which reports, like the audit committee, directly to the Board.

    Risk looks forward to the unknown and Audit looks backwards at the facts. They need to be managed differently.

  6. Tripu Sudan Sapra
    March 4, 2012 at 11:05 PM

    Entrepreneurial Risk is a continuing threat and needs addressing instantly. Therefore, periodic approaches to Risk Review are not the proper safeguards. Rather, an ongoing vigil is required through sensitisation of humanware, with software assisting the completion of the process. Awareness of risk and generating risk mitigants is a state of mind and is achievable through Risk Management tools and a foresight attitude. Nonetheless, Risk Management is directly related to the bottom line and the CFO needs to be a live wire all the time.
    The article in question is a very interesting awakening.

  7. yekeen
    March 4, 2012 at 11:57 PM

    The principles are quite educative on ERM. Risk Management is a process and therefore the strategies put in place to avert or minimise risks should be reviewed continuously.

  8. March 7, 2012 at 12:34 PM

    Hi Norman – great post, and we agree: companies with effective risk management are better equipped to deliver optimized, reliable and sustained performance over the long term. I work for Symantec, and we have found through our customers that CISOs communicating risk to the entire boardroom, including the CEO and CFO, is key to better visibility in the organization, and often leads to more budget dollars for managing risks in the organization. Periodic risk management is not acceptable for an organization; risk management should be an ongoing exercise with the CISO involving fellow executives in decision making.

  9. Debashis Gupta
    March 19, 2012 at 11:54 PM

    Regret the late comment.
    1. Yes, I agree with the principles.

    2. While the ideal is a continuous focus on risks, management bandwidth is an issue. In organizations (esp. those outside the ‘enlightened sphere’ of North America and Europe), it’s hard enough to get managements to understand the need for structured risk management. It’s doubly hard when the proposal is for operating management to have a constant focus on risk management (in its structured form, while intuitive risk management, sometimes not totally effective, is part of work anyway). In such situations, one approach may be to adopt the risk continuum or ladder approach and first focus on instilling an appreciation of the need for structured risk management itself. Moving to the Risk Managed or even Risk Enabled state may be a decision based on current realities and maturity.

    3. At a personal level, it’s becoming increasingly difficult to keep ‘current’ on risk understanding, what with ever new standards and concepts (like risk velocity or clockspeed) emerging all the time. However, one view is that the discipline of risk management in an organization doesn’t exist in a vacuum, and there may be nothing gained in ‘keeping your gun polished’ all the time without the context for ERM being present. So it may be better to focus energies on putting in place ERM structure (even if rudimentary and basic at first) rather than, possibly, confusing stakeholders with new-fangled concepts all the time.

    My 2 cents.
