Risk management is not just about managing financial risks, such as risks relating to currency movements or changes in the price of commodities. It’s not just about managing the risk of failing to comply with laws and regulations. It’s not just about the risk of errors in the financial statements. It’s also not just about operational and strategic risks, such as the potential failure of a sole supplier. It’s about managing the potential effects of uncertainty throughout your business operations. In other words, it’s all of the above. Whenever executives and boards discuss strategy, they should be considering risk. Whenever managers make decisions, they should be thinking about the risks and doing something about them.
CFOs should understand that risk is not something that can be managed once each quarter, or just on Fridays. Risks appear and have to be addressed all the time. They need to be integrated into routine decision-making, strategy-setting, and performance management. Relying only on quarterly reviews of a few risks is like driving down the highway at 60 mph and looking up at the traffic around and ahead of you every 15 minutes. While there is value in a detailed, periodic review, risks don’t change at set intervals. It is essential to look where you are driving at all times.
Moreover, CFOs should not view risk management as a compliance chore. Companies with effective risk management are better equipped to deliver optimized, reliable, and sustained performance over the long term. They are prepared for what might happen — to not only mitigate the effect of adverse situations or events but also take full advantage of opportunities. For example, these companies are prepared for a natural disaster that disrupts the supply chain as well as for the opportunity created when a competitor that wasn’t prepared has product-quality issues.
What I call “risk intelligent management” (achieved when full advantage is taken of the potential of risk management) allows executives and boards to manage with their eyes wide open. They see around and ahead of them. They are fully aware of the potential risks and opportunities in their business environment and are prepared to act decisively. Those without risk intelligence have to study the situation and hold discussions with the management team, by which time the opportunity may have passed by.
The enterprise risk management framework from COSO (the Committee of Sponsoring Organizations of the Treadway Commission) states succinctly that ERM “helps an entity get to where it wants to go and avoid pitfalls and surprises along the way.” But the state of risk-management practices is poor. Boards are worried and are asking the executive team to improve risk-management processes and practices. In a recent study of executives by KPMG, two-thirds indicated that “their board is unable to leverage the risk information it receives to improve strategy.”
I recommend CFOs take another look at the principles in ISO 31000:2009, the international standard on risk management. They include:
· Risk management creates and protects value.
· Risk management is an integral part of organizational processes.
· Risk management is part of decision-making.
· Risk management explicitly addresses uncertainty.
· Risk management is based on the best available information.
· Risk management is dynamic, iterative, and responsive to change.
Some companies have implemented risk management using periodic (typically quarterly) assessments of their more significant risks. Often, they hold facilitated workshops with managers and executives to agree on the top risks that merit attention. But are these reviews making risk management “part of decision-making,” as the ISO 31000 principles require? Has risk management become “an integral part of organizational processes”? Does this practice make the organization sufficiently nimble to handle situations that arise with little notice, or to quickly take advantage of a competitor’s inability to support market demand?
CFOs have the opportunity, if not the responsibility, to recognize where immature risk management limits the ability of the company to manage potential adverse events and seize opportunities. As corporate leaders, CFOs can help the executive management team recognize and realize the value of risk management when it is given executive support and resources and is made a part of how the organization works.
Risk management, in the words of COSO, “helps an entity get to where it wants to go.” Even CFOs who do not have organizational responsibility for risk management should ask these questions:
· Is our risk-management program mature? Is the consideration and management of risk part of how we make decisions at all levels of the organization?
· Are we prepared both to handle potential negative events and to seize opportunities?
· How often are we surprised when we shouldn’t be?
· Do the executive leadership team and the board have the risk information they need to set and then modify corporate strategies?
· What actions are we going to take? When?
Norman Marks, CPA, is a vice president with SAP and a long-term internal audit and risk-management practitioner. He has been honored for his thought leadership by the Institute of Risk Management (honorary fellow) and the Open Compliance and Ethics Group (fellow). He regularly blogs and provides updates on Twitter at normanmarks.