Risk comes from not knowing what you're doing. - Warren Buffett
One of the pillars of a CFO's responsibilities is risk management. From overall financial compliance to the IT department, a fractional or full-time CFO is the first line of defense in establishing and maintaining adequate risk management and mitigation for today's organizations.
The threats may come in many forms - from lack of internal controls to cybersecurity in a privately held business or social enterprise. The CFO is charged with understanding and mitigating the risks that your organization faces.
Why are CFO's Involved in Risk Management?
Between the fast pace of change due to digital innovations and the expanding regulatory environment, the types and number of business risks that can impact a company's strategy have ballooned over the past decade. CFOs, given their expanded role in establishing and executing strategy, have become well positioned to help ensure that an enterprise's risks are identified, assessed, managed, and integrated into the corporate strategy.
Risk management is a role that has seen significant growth among CFOs. In 2012, CFO Magazine surveyed financial executives, 72 percent of whom claimed that their organizations had increased the amount of resources devoted to risk management over the past two years. According to Deloitte's second-quarter 2018 CFO Signals report, over half (55 percent) of CFOs surveyed said that they are responsible for their company's enterprise risk management. Many also noted that risk-related areas are among those most likely to be added under their umbrella over the next three years.
Areas of Risk for Any Organization
Risk management traces its origins to the financial services sector, so it's understandable that many equate it primarily in terms of financial risks. Keeping a company's bottom line secure should be a goal, but it's not the only one that matters. In fact, just as many if not more companies are harmed by operational risks as they are by interest rate hikes or violent swings in the stock market. That being said, here are the main areas of risk that just about any business faces today.
- Financial Risk. In business many actions, or even a failure to act, come down to money. Some of the types of financial risks that an organization faces include:
- Compliance risk. A company's requirements will vary depending on whether it is publicly-traded or privately-held. However, every business must file timely state and federal tax returns. Failing to issue timely financial statements and tax returns can place a company in jeopardy with regulators and shareholders. This responsibility falls on the CFO and their financial team.
- Debt risk. Few companies run without some level of debt, and debt risk exists in several forms. First, lenders often include restrictive covenants in loan agreements. Failure to comply may result in penalties or the loan called in by the bank. Second, a business could face higher debt payments on loans if financing terms dictate a variable interest rate and rates continue to increase.
- Liquidity risk. One of the primary reasons that U.S. businesses fail is cash flow issues. The CFO should be continually examining the company's cash flow situation and forecasts to prevent being caught with a surprise shortage.
- M&A risk. There are risks associated with growth through mergers and acquisitions as well. The CFO should not only assess the risk of any M&A activity but also carefully review contracts to ensure a smooth transition.
- Operational Risk. As stated above, getting a handle on financial risk is only one element in effective enterprise risk management. If your organization sells products or services (most do), it will have a variety of operations that must be evaluated and managed for their risk potential.
Some of the operational risks that should be evaluated, managed, and mitigated include:
- Process risks. From the way that a company operates to its strategic planning choices, risk should be identified and assessed at every turn. For example, there may be more risk involved in keeping a certain manufacturing process in-house than outsourcing it. With the help of those most familiar with these processes, the CFO can be involved in managing and mitigating these risks.
- Compliance risks. Depending on your industry, there are likely some rules to follow and consequences for failure to stay between the lines. No company wants to be known for selling unsafe products, polluting the local waterways, or failing to treat its employees fairly. When it comes to risk management, the CFO must understand all regulations applicable to the organization and have plans in place for compliance.
- Personnel risks. A company's workforce presents a wide range of risks that must be carefully managed. When the economy is struggling, the company may be forced to lay off staff, and when it is booming, employees might leave for better opportunities. There are a myriad of issues to address such as salaries, benefits, safety, workplace discrimination, and education and training. From a risk perspective, the CFO may be involved in many of these discussions and decisions.
- Supply chain risks. Most companies use trusted suppliers to help operate their business, and this involves a certain degree of risk. Examples include potential data breaches, the financial condition of a supplier, labor risk, and quality issues. These are diverse risks that can be difficult to prioritize, which is why a CFO should collaborate with the company's logistics professionals in making decisions.
- IT Risk. This can be financial or operational, but it deserves its own bullet point for obvious reasons. As of November, there had been more than 3,600 data breaches in 2018, exposing roughly 3.6 billion records. The trend shows breaches getting larger each year, and these are public relations nightmares for companies. Some of the areas of IT risk that a company should manage include:
- Contract risks. Most companies today don't handle all IT functions in-house. Whether a company uses the cloud, contracts for services, or both, details matter. Not only should outsourced IT services and professionals be competent and secure, but the scope of what is to be delivered should be clearly defined in a contract. If something falls through the cracks, this responsibility will lie with the CFO and CTO, who should be working in tandem on these issues.
- Security risks. This concerns keeping the data of your clients, business partners, and employees safe, as well as the security of any business or trade secrets that could fall into the wrong hands. Again, this might involve contracts but will always require a strong attention to detail.
- Other Risk. There are other types of risks that are more peripheral, but that can be just as dangerous to your bottom line and reputation if not identified and managed. These include:
- Catastrophic risks. No matter where your business is located, it is likely exposed to some serious risks. These include environmental extremes (hurricanes, blizzards, flooding, and earthquakes), man made disasters (fires and hazardous waste spills), and violent acts (terrorism and robbery). While a company can insure to mitigate these risks, it should also have plans in place to prevent business interruption, losses, and minimize damage if an event occurs.
- Geopolitical risks. Every business today should have at least an inkling of what is going on geopolitically and understand how these events might impact their operations and bottom line results. For some companies tariffs, trade wars, and U.S. tensions with foreign powers are no joke. BlackRock Investment Institute has a proprietary geopolitical risk indicator, and this is currently at its highest level in over seven years.
How a CFO Manages and Mitigates Risk
While a CFO may be tasked with managing and mitigating risk, it should never exist in isolation from the rest of the organization. In other words, the most effective risk management programs are those that are entrenched throughout every department, becoming an integrated part of the company's routine management processes. This involves securing buy-in at all levels of the organization for maximum effectiveness.
- A CFO must first have a keen understanding of the scope of risks that the organization faces. This is done by identifying the risks and classifying them by risk type.
- The next step is to evaluate each of the risks, creating estimates of the probability of an occurrence for each as well as an assessment of risk impact.
- Finally, there should be processes created for periodic reporting (monthly, quarterly, annually) of risk exposures that can act as early warning signals for known risks and even help identify new ones.
Mitigation refers to a company's efforts to reduce the loss of property and life by lowering the impact of disasters. For mitigation to be most effective, a company's management must take action immediately - before the next event - to lower the financial and human consequences of a loss by analyzing, reducing, and insuring against risks.
The CFO will not only make sure that the appropriate response procedures are in place should a risk event occur, but also continue to assess various insurance coverages and financial reserves so that the company has the best strategic, financial, and operational response to any type of loss.
Today's business environment has become increasingly volatile and uncertain. Organizations must make deliberate choices that consider the risk-return trade-off instead of being simply reactive when a disaster occurs. Strategic risk management is an effort led by top management, including your company's CFO.
If you're not sure about how to get started with an effective risk management program, or whether you have these risks covered, call us today for a risk assessment.
About the Author:
Jeff Dunn is a senior finance and business professional with over 25 years of experience in accounting and finance in the media and technology industries. Jeff has been successful at balancing the need for strong financial controls with maintaining operational efficiency at companies in a variety of growth stages.
In addition to his excellent technical and strategic accounting skills, Jeff has strong international and M&A experience, plus experience in evaluation and implementation of financial systems.