Companies with high valuations typically market effectively, meet sales forecasts, and produce high-quality products. These actions often have a snowball effect. They attract more investors, customers, and media attention, ultimately bolstering business value.
What keeps these companies from crumbling, though, isn’t as simple as the above. Although marketing, sales, and products are all crucial building blocks of a high valuation, they aren’t sufficient by themselves. Unpleasant business surprises can impact one or all of these components, and unless those surprises are managed, the organization is at risk.
Risk management is the mortar holding together the three bricks of highly valued organizations. According to a study by academics Mark Farrell and Dr. Ronan Gallagher, organizations with mature enterprise risk management (ERM) programs, as defined by the RIMS Risk Maturity Model (RMM), have higher market values than those without. Specifically, they showed that corporations with effective ERM programs have a 25% market valuation premium.
Mature ERM programs help organizations understand their own structures and processes, and how they impact strategic goals like sales objectives and customer acquisition rates. Using an ERM program, a company can identify specific risks throughout its processes that can hinder goal achievement and ultimately decrease valuation.
A good illustration is the estimates of projected future cash flows and discount rates, two common considerations when valuing a business. Imagine two manufacturing companies. Company A habitually identifies and mitigates risks related to supply chain interruptions. Therefore, it is unlikely to find itself without the necessary raw materials. Company B, which is much less diligent about this process, is more likely to run into problems with its single supplier. Its projected cash flow, and therefore perceived value, will be diminished.
The critical element of success is having clearly identified goals and standard assessment criteria across departments — this is one of mature ERM programs’ most distinguishing factors. When every department performs its own analysis of risk within the same framework, two benefits are realized:
- Interdepartmental communication becomes easy and efficient. If each department is using the same standards and jargon, there is one unified, holistic understanding of the organization’s risk profile.
- Redundancy is eliminated. Certain risks have touchpoints across multiple departments. When two or more sectors are able to recognize shared risks, they avoid designing redundant mitigation activities.
The CFO’s Role
For many organizations, understanding the business value of an ERM program is an important hurdle to adoption. The most important aspects of ERM are associated with engagement. To be successful, a risk-based culture must cascade from executive management down to the front lines. Such a culture results from risk assessment aggregation, employee training, and the connection of risks to corresponding controls.
Since risk management can have such a significant impact on company valuation, CFOs are frequently responsible for their organization’s ERM program. It’s in the name – enterprise risk management. ERM is about unifying currently disparate parts of the organization – breaking down silos – and this can’t be accomplished until executive management adopts an enterprise-wide attitude.
Successful CFOs embed ERM into their teams’ daily, monthly, and quarterly routines. Touchpoints between departments first reveal the benefits of risk-based programs. Information-sharing enhances productivity because departments are no longer wasting time gathering duplicate data. CFOs can also facilitate the process by helping determine which departments spend the most time on tactical “check-the-box” activities. These are normally the areas that achieve quick wins from risk-based programs; they can easily leverage similar work being done in other departments. By starting with two to three specific departments matching this description, you’ll be able to easily tie new value to changes as the program develops.
As an example, consider internal controls over financial reporting. Any automated financial control depends on an underlying IT system. Most organizations have one group responsible for evaluating IT Sarbanes-Oxley compliance and another responsible for internal controls over financial reporting. Connecting IT and vendor management to a control dramatically reduces the amount of necessary testing. If the IT component of a control has not changed within the past year, there’s no need for retesting.
Many organizations end up testing for SOX compliance too often because their IT group can’t determine what controls depend on certain parts of the IT infrastructure. The result is not only internally wasted resources but also needless expenses for external auditors.
By integrating governance activities with an ERM framework, you can uncover useful relationships between activities and their outcomes. For example, by applying such a framework to SOX compliance, you acquire information that can also be applied to business continuity, IT access-rights auditing, user-defined application management, Payment Card Industry compliance, and much more. The immediate result is a simplification of these other activities and short-term cost savings. As this information is connected to board strategy and performance management, goals become more achievable with virtually no time or cost commitment.
Once it becomes apparent to both executives and front-line employees that the current system can easily be improved upon, it becomes a matter of demonstrating value rather than diverging from the familiarity and comfort of the current process.
Ultimately, how a company manages risk will impact the external perception of the company’s worth. If a company improves risk practices and establishes a unified internal front across all departments and levels of the organization, it can create tremendous value for the enterprise.
Steven Minsky is the CEO of LogicManager and the author of the RIMS Risk Maturity Model for ERM.