Bart Le Blanc is certainly reassured by the fact that risk management has “always been an integral part” of the company where he works. Urenco, a privately held joint venture with German, Dutch and British owners, is one of a handful of uranium-enrichment companies that supply fuel for nuclear reactors. Its centrifuge technology in the wrong hands could be used to enrich uranium used in nuclear weapons. For obvious reasons, Urenco’s plants — three in Europe and one under construction in the US — are heavily regulated, requiring a permanently “proactive risk management mindset” to keep safeguards in place, says Le Blanc, Urenco’s CFO.
Yet the finance chief isn’t one to rest easy. The company is growing fast, with its global market share rising from around 15% five years ago to nearly 25% today. As a result, Urenco’s supply chain is being exposed to numerous new operational, as well as financial and strategic, risks. And with Urenco’s executive team drawing up major investment plans to propel the company’s growth even further, those risks are set to multiply.
The challenge isn’t lost on the CFO. Urenco’s executive team is “very much aware” that selling its growth plans — with $2 billion in investments over the next two years — to the board and investors requires “a different and a more proactive risk approach for not only this investment project, but also across the business,” Le Blanc says.
But what approach should that be? Le Blanc isn’t the only CFO searching for the answer. As a burgeoning profession in its own right, risk management has developed in leaps and bounds. But the discipline is not nearly as effective as many executives would like. “Risk management should be an inherent part of good management,” says Michael Power, director of the Centre for Analysis of Risk and Regulation at the London School of Economics. “But often it’s not.”
Consider, for example, the banking sector, where arguably the corporate world’s most sophisticated risk practitioners couldn’t prevent, let alone foresee, the current financial crisis. As a result, confidence in companies’ ability to identify and mitigate risks has been shaken, and stakeholders are looking for reassurance that they won’t be let down again. “What isn’t acceptable now is to roll forward old risk plans,” suggests Gerard Gallagher, head of business risk services at Ernst & Young. “Many are no longer valid.”
What’s more, the downturn has shown CFOs how rapidly the array of strategic, financial and operational risks can change, with devastating results. According to a recent survey by the Federation of European Risk Management Associations, nearly half of 555 executives polled said that their companies weren’t managing the full spectrum of risks. The survey also found a number of other shortcomings, ranging from a lack of clear policies or charter to weak centralised oversight. (See “Of Policies and Procedures” at the end of this article.)
So what has been holding the implementation of risk management back? One of the biggest restraints is complacency. Ever since Sarbanes-Oxley and the like came into force, risk management at many companies hasn’t gone beyond regulatory box-ticking — or as Jonathan Hayward, CEO of corporate governance consultancy Independent Audit, puts it, “the year-end Turnbull process,” referring to the UK’s risk-reporting regulation. “That makes my heart sink.”