CFOs can use risk management to create a competitive advantage

A recent article in CFO, How Risk Management Can Spawn Competitive Advantage, is on the right track.

However, its advice for CFOs is (in my opinion) short-sighted. It barely scratches the surface.

Its theme is that as long as your risk management program is better than your competitors’, you have a competitive advantage. That is correct, as far as it goes.

Certainly, “In the kingdom of the blind, the one-eyed man is king” (Erasmus).

But, is having one eye open and working sufficient when the enterprise is driving at high speed with risks around every corner, with competitors lurking beside you to potentially cut you off from your way ahead, or when you may be able to use a high-speed lane if you can only move into the lane to your left?


A smart CFO is not satisfied with being able to outrun the competitors he can see. He wants to achieve and then maintain a lead.

He wants a risk management program that helps every decision-maker make more intelligent and informed decisions.

Such a capability provides the board and the executive management team with the confidence to drive at speed along the congested highway of our world. They have confidence that when faced with the need to make decisions at speed, managers will take the desired level of the desired risks.

I welcome your comments.

  1. June 1, 2015 at 3:09 AM

    You raise an interesting point, Norman. The article you reference focusses on risks as ‘adverse conditions’, which is the common view. Your comments rightly focus on insight for more informed decisions for management, not just about ‘bad things’ but about opportunity also.

    However, the word ‘risk’ is defined as ‘a situation involving exposure to danger’. Boards and executive management understandably want a healthy focus on opportunity and positive outcome as well as risk. Perhaps we need a new term for ‘risk management’ that more properly encompasses both risk and performance opportunity. It is probably not reasonable for us to try and redefine language that already serves a purpose. If we had a comprehensive term, organisations could choose whether they want to have a systematic approach to either one or both lenses of insight, risk and/or performance.

    Any offers on a new term for ‘risk management’?

    Best regards


    • Norman Marks
      June 1, 2015 at 6:20 AM

      Dan, thanks for the comment.

      Risk management has different definitions, whether you are using common English parlance (when it is only adverse consequences), COSO (when it relates to both negative and positive, although the word ‘risk’ is only negative), or ISO 31000 (when ‘risk’ refers to the effect of uncertainty on objectives – positive or negative). For example, COSO says: “Enterprise risk management enables management to effectively deal with uncertainty and associated risk and opportunity, enhancing the capacity to build value.”

      Language changes over time, so we are not handcuffed by common parlance. I prefer to consider risk management in the ISO way.

  2. June 1, 2015 at 6:29 AM

    Fair point about multiple definitions. The challenge is that the stakeholders (Boards and executive management) assume the dictionary meaning, and why not?

    As long as the meaning is ambiguous, the discipline will also be perceived as such and fail to achieve its potential.

    The same problem has beset other business disciplines as they matured . . .

    • Norman Marks
      June 1, 2015 at 6:48 AM

      Dan, that is a fair point. We can all contribute to solving the problem, especially those who write about risk management and/or consult to boards, by explaining that risk management is about understanding what may lie between us and our objective, then acting to optimize outcomes.

  3. June 1, 2015 at 7:21 AM

    It seems to me that we are bending over backwards to paint a positive context around risk management because our psyche does not like to dwell on the negative side of things. When we search for an opportunity our search criteria is upside potential, not “let’s find some juicy risk to take on.” I prefer the concept that we should remain mindful of the risks (negative) related to our pursuit of opportunities. I say we leave risk management in the domain of defense & protection. And, to think that the ultimate risk management responsibility rests with CFOs – well that sends chills up my spine.

  4. Gregory Sosbee
    June 1, 2015 at 3:06 PM

    Norman, I have advocated this same issue since 1998. However the appropriate audience is the CEO and the Board, not the CFO as Finance is only one input point in the risk management matrix. A successful Enterprise Risk Management program will not guarantee a dominant industry competitive advantage, but an unfocused risk management program will guarantee a follower rather than a leader.

  5. DavidJ
    June 1, 2015 at 7:28 PM

    Norman and respondents,

    Thank you for such a thought-provoking article and discussion.

    I subscribe to the view (ISO 31000) that risk is the “effect of uncertainty on objectives”; and that it can be:
    – positive when it facilitates the delivery or enhances the value of an objective
    – negative when it inhibits delivery or reduces value.

    Experience in a range of positions from evaluation engineer, developer, consultant, manager business consulting services, and CEO makes it clear (to me) that ‘significant risk’ is a matter for the Board/CEO down to whichever manager or responsible person is best placed to manage and resolve the impact of a particular risk.

    It may be that the CFO has the independence to be the logical ‘C-level’ executive to take responsibility for organisational risk, however (not a criticism) many CFOs are naturally, by training, and through experience ‘risk-averse’. Where a company can afford the position and reporting (matrix) chain, I would suggest that a Chief Risk Officer (CRO) is a valuable addition to the senior management team. That officer should be comfortable adapting and guiding the organisation’s risk-appetite from ‘risk-averse’, ‘risk-cautious’, ‘risk-open’, ‘risk-hungry’ to fit the particular risk in the context of potential outcomes and company risk-attitude.

    As all of our organisation’s activities involve risk to some extent, I tend to reserve ‘risk-averse’ for safety-related objectives and normally operate in the ‘risk-cautious’ to ‘risk-open’ part of the risk spectrum. That said, in one particular case where the commercial viability of a business unit was threatened during a project, it was necessary to move from ‘risk-open’ to ‘risk-hungry’ to achieve success – failure would have resulted in the bankruptcy of the unit.

    When operating in a business development role, I look at the customer’s requirements (often expressed in a somewhat inflexible tender/RFT) and operating environment and tailor the proposal to reflect an optimum solution where possible. This means respecting the customer’s risk-appetite and managing controls to ensure that a higher level of supplier risk does not impact upon the customer. This has resulted in some significant business wins in which our bid was far from being the lowest – in one case nearly twice the nearest tender.

    I look forward to your responses here and via email to davidjwalker00 @ bigpond.com or via linkedin.com/in/davidjwalker01.


  6. Gabriela Siderakis
    June 16, 2015 at 4:27 PM

    Norman and colleagues,
    thanks for the high level of discussion ….. It is a pleasure for me.

    I think risk management adds value to senior management, because we are able to be consistent with business opportunities. In my professional experience I could perceive the risks, make money and save time.

