Resolving the CFO’s dilemma: Nobody likes talking about risk, but nobody wants to be caught out either.

14th January 2014

No business wants to be continually focused on risk, but after almost a decade of uninterrupted economic uncertainty and market volatility, organizations are beginning to accept the new reality that just standing still year-over-year can create even greater risk.  So organizations can either succumb to the risk environment or they can learn to live with risk and turn it to competitive advantage. Smart CFOs know they can no longer brush risk under the carpet – but as Gary Simon, Managing editor of FSN explains they have no option but to confront and manage risk. 

 

 

 

Introduction:

 

Historically, risk management has not received the attention it deserves.  It has negative connotations, and few CFOs want to engross themselves in a management activity that is seemingly unproductive. 

“Risk Management is painful – not a natural act for humans to perform1.”

No business wants to be continually focused on risk, but after almost a decade of uninterrupted economic uncertainty and market volatility, organizations are beginning to accept the new reality that just standing still year-over-year can create even greater risk.  So organizations can either succumb to the risk environment or they can learn to live with risk and turn it to competitive advantage. Smart CFOs know they can no longer brush risk under the carpet – they have no option but to confront and manage risk.

Bob Moritz, Senior Partner, PwC US puts it like this; “Resilient organizations now accept uncertainty as the new normal and, as such, they place as much importance on their power to respond as they have in the past on their power to control or predict with confidence.”2

How have we coped with risk?

The answer appears to be not very well. A 2013 survey of risk management practices3 in the financial services industry identifies that, on average, thirty eight percent of large companies do not have an enterprise risk management program in place.  This implies that risk is often managed haphazardly, for example, by function, perhaps not at all, or just on a reactive basis.  The same survey highlights the need to upgrade operational risk management at many institutions..

Understandably, to many busy executives it appears that the types of risks to which companies are exposed are growing, as well as their severity.  But in the face of this growing list of risks companies seem ill prepared.  Many are still formulating their risk management methodology, risk structures, measurement capabilities, organizational responsibilities, systems and processes.  As a result, risk management is patchy and frequently operates in organizational silos.

A joint survey by Deloitte and Forbes4 in 2012 makes the point more forcibly.  Fewer than 25% of respondents indicated that most risks are continuously monitored in their companies. Even in the areas that are considered to be most volatile, namely financial and strategic risk, relatively few companies use technology to continuously monitor risks. Instead, more than two-thirds say they only periodically monitor risk across the organization.

So there appears to be a glaring mismatch between what management and shareholders expect of risk management and what companies are actually able to deliver.  The good news is that companies are starting to become aware of the gap.  According to the 2012 survey4, a full 91 percent of the respondents say that their companies plan to reorganize and reprioritize their approaches to risk management in some form in the coming three years.

Organizational improvements are needed

Many of the impediments to effective risk management are cultural or organizational in nature.  Foremost amongst these is that people are unaware of what they need to do concerning risk.  Indeed, ‘ownership’ of risk is one of the most vexed questions in the risk arena.  Should risk assessment and management reside in the business units or with ‘C’ level executives.  How far should risk management be decentralized, and what is the role of the risk specialists?  The lack of clarity around ownership of risk comes out highest in the list of challenges to effective risk management4.  So it is not surprising that businesses can so easily be caught off-guard.

“I think the biggest challenge we face is making sure that the concept of risk appetite is integrated into both our strategic and tactical planning sessions, and that the lines of business are working with their risk partners to ensure that plans, individually and collectively, fit within the bank’s overall risk appetite statement.” CRO, large global financial institution3

But organizations are beginning to appreciate that preparedness for uncertainty and most importantly, being able to respond constructively to risk, makes it necessary to elevate risk discussions to a more strategic level involving managers across business functions5.  But this requires enabling technology that provides managers with complete visibility of the risk landscape.  Yet the need for significant improvement in risk management technology and infrastructure is reported by many financial institutions. According to one survey, the leading concern regarding risk technology continues to be the quality and management of risk data, where 40 percent of respondents were extremely or very concerned about the capabilities at their institution, followed by roughly one-third who said the same about the ability of their risk technology to adapt to changing regulatory requirements and the lack of integration among risk systems3.

Infrastructure, systems and processes

It is easy to see how an organization’s resources can be quickly overwhelmed by risk and compliance initiatives, especially when a business has to contend with sector or geographic-specific regulations on top of ‘routine’ accounting standards, disclosure and filing requirements. And, as pointed out above, it’s a problem compounded by organizational diversity (who owns what risk), cost pressures, cultural impediments (few managers are rewarded for devoting time to risk) and the lack of an encompassing risk framework.

Modern SaaS-deployable solutions such as Cadency’s Compliance, overcome these limitations by enabling an organization to comprehensively define its risk ‘universe’, rationalize its controls, articulate its impact on the financial statements, provide visibility of the status of controls and neatly package audit evidence in binders.  No matter how diverse, all compliance initiatives are maintained in one shared environment so that the financial consequences of a control failure in any one of them is captured and visible to the CFO in real time. 

Responding to the new normal

So despite the difficulties of proactively managing risk, it is possible to stack the odds in favor of the organization by adopting best practice methodologies and by leveraging an appropriate blend of organizational structure, process and technology.  The ability for the finance function and other management stakeholders to view the status of controls and initiatives across the entire organization at any point in time alongside the financial accounts to which they relate ensures that risk can be discussed across all business functions.  From this vantage point, the CFO can resolve his dilemma. Risk is no longer uncomfortable.  It can be discussed openly and the whole ‘C’ suite can draw comfort that risk is properly managed, while leveraging this sound foundation for competitive advantage.

 

 

Bibliography

Note1 Gentry Lee, Chief Systems Engineer at Jet Propulsion Laboratories (JPL) reported in Harvard Business Review June 2012.

Note2 YouTube Video: “Risk resilience to resilient growth”, May 2013. http://www.youtube.com/watch?v=p-81qT8jMO8#t=171

Note3  Deloitte Global risk management survey, eighth edition “Setting a higher bar” 2013

Note4 Deloitte and Forbes Aftershock; Adjusting to the new world of risk management.

Note5 PwC 15th Annual Global CEO Survey 2012.

 

 

 

 

 

 

 

 

 

Disclaimer of Warranty/Limit of Liability

Whilst every attempt has been made to ensure that the information in this document is accurate and complete some typographical errors or technical inaccuracies may exist. This report is of a general nature and not intended to be specific to a particular set of circumstances. The publisher and author make no representations or warranties with respect to the accuracy or completeness of the contents of this white paper and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose.  No warranty may be created or extended by sales representatives, or written sales materials.  The advice and strategies contained herein may not be suitable for your situation.  You should consult with a professional where appropriate. FSN Publishing Limited and the author shall not be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

OTHER NEWS

SECTORS

CATEGORIES