The risk landscape is changing fast. Risks are multiplying at an alarming rate and threaten to cause both financial and reputational ruin to the business. Because of this increasing risk complexity, there is a heightened focus on effective risk management.
Senior management and board members are consistently looking for a deeper understanding of the organization’s risk profile and how various risks to the business are managed.
Risk management is an enabler of higher level performance.
Without taking risks, organizations cannot grow and achieve strategic success. Risk is no longer something to only dread, minimize and avoid. Instead, leading organizations are using risk management activities to create value and help them improve their businesses.
It is therefore critical to ensure that efforts to mitigate the downside impact of risks are coordinated with efforts to manage risks that support business growth.
As a strategic thinker, the CFO should play an important role in helping other executives and the board get a deeper understanding of the organization’s key risks and risk management capabilities. He or she can help build an ERM framework that is entrenched in the organization’s management processes and functions.
A well-structured and coordinated ERM framework provides support and guidance on risk management activities, helps identify and manage enterprise risks holistically and makes risk consideration an inherent part of key decision-making processes. By contrast, a siloed approach to managing risks exposes the business to significant risks and value erosion.
Unfortunately, in most organizations, risk management is a disjointed process. Multiple functions each manage one or more aspects of the company’s risk profile, with minimal coordination between them. For instance, each function carries out its own risk assessment process using different risk terminologies, methodologies and reporting practices. Decision makers are overwhelmed with multiple versions of the truth.
The problem with this approach is that it often leads to confusion about the true meaning of risk, duplication of effort, unnecessary bureaucracy and cost, and poor risk decision-making.
When there is a common risk language across the enterprise, better decisions are made, for example concerning market entry, new products and acquisitions. This often leads to reduced earnings fluctuations and increased stakeholder confidence.
Build a clear picture of significant risks.
As the role of the CFO continues to evolve into a more business-partnering one, it is imperative that the finance organization is properly equipped to proactively identify potential risks and defend the business. What are the key risks to the achievement of your business objectives? Do you have the required risk management capabilities to address this risk profile? Who is responsible for monitoring and reporting risk information to decision makers?
Thus, the CFO and their team need to consistently assess, improve and monitor the way the organization manages its evolving risk profile. The risk assessment process must provide actionable, real-time insights on inherent risks and link them to the organization’s objectives, initiatives and business processes.
A thorough risk assessment process helps identify and prioritize risks that require urgent monitoring and mitigation. It also allows for the testing of existing internal controls and identification of opportunities for improving controls and risk mitigation strategies.
On the other hand, insufficient risk management processes can lead to costly lawsuits, significant financial losses, massive reputational damage and unreliable financial reporting, which can raise fundamental questions about the business as a whole, its management team and its viability.
An effective continuous risk assessment and management system therefore requires the team responsible for it to develop thorough knowledge of the company’s strategic objectives, operations, products, services, risk history, internal environment and external environment.
Some organizations are leveraging data analytics tools to access forward-looking data from a range of sources, generate insights about changing market conditions and behavioural changes, evaluate metrics and integrate this real-time information to build risk models and forecasts as well as comprehensive risk strategies.
Coordinate and align business processes.
Risk management activities should be a key element of normal business operations. For this to happen, there must be top management buy-in to the business case for embedding risk strategy into the day-to-day running of the business as well as enhancing risk management performance.
It is therefore important to receive clear communication, proper oversight and accountability from senior management and the board concerning risk and governance. This will ensure that a common risk framework and universe is embraced and implemented across the organization.
Maturity models and benchmarks of leading practices can be used to help management determine the existing state of their organization’s risk management capabilities and define the desired state.
As one of the organization’s senior executives, the CFO should play a leading role in defining risk management objectives and embedding risk principles into business processes. They can leverage their analytical and communication skills to communicate to the business the benefits of risk management and the costs of inadequate risk management processes.
The CFO plays a critical role in establishing the organization’s risk appetite, determining how the business will measure risk and ensuring that risk taking stays within the acceptable risk thresholds of the organization.
By regularly reporting risk information and coverage to business unit managers, a risk aware culture is embedded in everyday business practices, and this in turn will help business managers understand the implications of their decisions on business performance.
I welcome your thoughts and comments.
As the business and economic environment continues to change at an alarming pace and become increasingly complex, the pressure on the finance organization to support the core business by strategically addressing volatility, uncertainty and risk is also intensifying.
This fast-changing environment is making it extremely difficult for organizations to forecast business performance with any degree of certainty. What was once considered extraordinary is now ordinary, and the previously unthinkable is now reality. In this environment, organizations need to become more flexible and adaptable, as opposed to merely reactive. Traditional planning cycles, such as the static annual budget, are no longer ideal for this dynamic economy.
Despite widespread evidence of this rapid change, many organizations still rely on the annual budgeting process for planning purposes. They have not yet accepted that the annual budget gives a false view of a stable future. By the time the annual budgeting process is over, the majority of the assumptions used to prepare the budget are outdated. Also, when preparing their budgets, many organizations use historical performance as the baseline for predicting future performance, failing to realize that past performance is not a reliable mirror of future performance.
Most budgets prepared by companies have a financial focus, normally adding a percentage to last year’s numbers. They lack specific consideration of the forces driving the business and value creation. There is a broken link between the organization’s strategy, planning, resource allocation and performance reporting processes.
With the current volatility, uncertainty and complexity in the business environment, companies need to adopt new and more agile ways of planning. Working together with the other business teams, the finance organization can drive this process and lead its success. Taking advantage of the function’s analytical and risk management skills, finance executives can use scenario planning to help decision makers identify and understand possible future events and their impact on strategy execution and business performance.
Using scenarios will help the organization to manage its business model, industrial and environmental uncertainties. Instead of taking a static view of the future and basing key decisions on gut feel, scenario planning helps business leaders understand their business environment (any significant emerging threats and opportunities), identify the critical drivers of value and correlate their impact on performance, both operationally and strategically.
When conducting a scenario planning exercise, organizations must:
- Define the purpose and scope of the exercise.
- Examine the internal and external environment for emerging trends and issues.
- Identify possible realistic future scenarios and evaluate their impact on the business.
- Formulate strategic and operational responses to each scenario.
- Monitor performance-related triggers and regularly challenge assumptions.
Regardless of your business’s industry sector, scenario planning is useful for getting different views of the future that reflect volatility, uncertainty and complexity, thereby helping you identify gaps in your organization’s ability to respond to threats and opportunities. Once you have identified the blind spots and gaps in your company’s response capabilities, you can start building a dynamic risk management framework and distinguishing the risks you directly control or can influence from those you cannot.
Scenario planning is not about predicting the future accurately. Instead, it is about understanding the environments in which your business operates, discovering new insights and increasing adaptability to changes in these environments. By constantly taking uncertainty into account when making decisions and encouraging alternative thinking, you will be able to test and evaluate the robustness of your company’s strategies against a range of possible futures. This in turn will help you broaden your perspective and develop robust response plans.
Critical to note is that scenario planning is a continuous process rather than a once-off exercise and must be incorporated into processes for managing the business on an ongoing basis. The macro-economic environment is constantly changing and as such, an ongoing review of the drivers of performance and trigger points is necessary.
You need to constantly ask questions on the social, technological, economic, environmental, political and legal influencing factors and indicators.
Examples of questions that you might ask include:
- If you are an automaker, what is the impact of autonomous and electric vehicles on your current business model? Are self-driving cars the future, and how should you respond?
- If you are a consumer company, how would the organization respond to growing emerging markets and the rise of the middle class?
- How would the organization respond to the unexpected loss to a competitor of a major contract that has sustained the company for a long time?
- What are the short-term and long-term implications of a major product recall on our market position, reputation and the organization’s ability to meet performance targets?
- What is the range of likely impacts on our brand, our customers and our other products, if one of our key suppliers files for bankruptcy?
- What competing products or disruptive forces will have the potential of threatening and forcing us out of business?
- What is the impact on our quarterly and annual performance targets of material short term changes in key external variables such as commodity prices, inflation rates, interest and exchange rates, GDP and consumer spending?
- How would the organization respond to unexpected external events such as a major natural disaster, political or regulatory actions, or occurrence of a pandemic?
- What are the likely advantages and disadvantages of moving our enterprise systems to a cloud-based platform versus retaining them in-house?
- What are the global business implications of the UK leaving the European Union, and how would our organization react to such a move?
By systematically monitoring a series of performance-related triggers, the organization will be able to anticipate major trends and changes in the industry or broader business environment, respond dynamically, gain competitive advantage and seize growth opportunities in both developed and emerging markets.
Used properly, scenario planning shifts from being only a business threat analysis tool to also being an opportunity identification tool.
Enterprise risk management (ERM) is at the heart of effective strategic decision making and should be at the forefront of everybody’s thinking within the organization. Today’s risk-filled macroeconomic environment requires front-line employees, middle management, senior executives and the board to take a proactive approach in managing the various risks the business is exposed to.
Risks are increasing and impacting the business at an alarming level, and as a result, senior management and their teams have to be better prepared to respond quickly than in the past. This means adopting a new view of the risk universe.
Whereas in the past risk management was seen as a compliance and box-ticking exercise, this limited view no longer cuts it. That is not to say that compliance management is a waste of time; the function still plays a critical role in helping the business achieve its objectives. What is critical and required in today’s VUCA environment is to view risk management through a different pair of lenses, assess its role in helping management successfully execute the broader strategy of the business, and increase the overall value of the business.
It is no secret that over the past decade the number of corporate crises and scandals the world has witnessed has increased significantly. From natural disasters, product-related mishaps, supply chain failures and employee fraud to IT system failures and too-big-to-fail company liquidations, the media hasn’t been short of a story to post as a headline. Most of these risk events, apart perhaps from natural disasters, could have been mitigated had management and the board played their critical role in the effective identification, assessment, management and oversight of risk within the organization.
Unfortunately, in many organizations today, senior management and the board are turning a blind eye to important risks and effective risk management. Risk management is considered an afterthought.
Instead of integrating risk management with strategic decision making, the focus is on short-term performance and on incentives that are inappropriate and drive the wrong behaviour from the top all the way down to the most junior employee of the organization. As I have previously attested in my posts, although the board plays a critical role in ensuring effective risk oversight within the organization, risk management is everyone’s responsibility.
Employees, management and the board should have a clear understanding of the business model, the foundations and assumptions on which this model is based, the risks the organization faces and how they might combine.
Irrespective of which function you work in, there are risks emanating from that function, and these risks in turn intertwine with the broader business. As a result, it is critical that each employee is aware of what risks emanate from their line of business, at what frequency and how they fit into the overall risk strategy of the business. If the tone of risk management from the top is rotten, how can the board expect the tone below to be different? Remember, the fish rots from the head down.
If the leaders are ignorant, then the whole organization will follow suit. It is therefore important that top leadership sets in motion the right organizational risk culture and lead by example.
As a starting point, this means changing the role and status of those employees and managers tasked with implementing the organization’s risk strategy so that they don’t feel inadequate but can confidently report all that they find to the board. One of the challenges facing many businesses is complacency. There is a misguided belief that good times will last indefinitely. As a result, many businesses are failing to recognize the rapid change in the business environment. Risks change over time, and it is essential that management and boards are aware of all the important risks capable of derailing their plans.
How competent is your organization when it comes to identifying and analyzing risks emerging from the company’s internal and external environment, as well as from the leaders’ activities and behaviour?
How often are you stress-testing the core of your business model?
To avoid falling into the complacency trap, management and the board must learn to ask questions all the time. For example:
- How is your company consistently producing exceptional results?
- What are the foundations of the company’s success and how sustainable are these?
- Even if the company’s strategy is implemented flawlessly, what other risks could undermine the business?
- Does your incentive structure promote any form of inappropriate behaviour?
- Are you focusing more on cost-saving and efficiency to the detriment of quality?
Asking the right questions helps management uncover surprises early enough and address these before they become big and damaging to the organization. It also helps the board understand and evaluate the adequacy of the answers received. In the financial services industry, many institutions are driven by short-term revenue, profit and ROE gains. This massive obsession with achieving short-term performance targets often results in employees bypassing internal controls and management turning a blind eye to risky behaviour.
We have witnessed cases where companies significantly rewarded an employee for making huge profits on behalf of the business, only for management and the board to find out later that these profits were made via questionable and unethical ways. How robust and all-pervading are your company’s internal controls to monitor employee behaviour, even the most senior executives?
When the role and status of risk management is elevated within the organization, there is a free flow of information in all directions. That is up and sideways as well as down and from the very bottom to the top of the organization.
Encouraging the free flow of information within the business is key to ensuring that issues, circumstances and risks that are known within the organization, but not to its leaders, do not remain hidden from the leaders’ sight. Some risks remain unmanaged because employees are afraid to flag them to their superiors, often because the manager refuses to heed warnings and advice that something is wrong.
When bosses refuse to listen, risks remain unrecognized and unmanaged for a long time. These unknown knowns inherently become dangerous and eventually become detrimental to the organization’s performance and reputation.
It is therefore imperative that when assessing and evaluating risk information, the organization considers all the sources of information at its disposal. Rather than limit their focus to traditional risk areas, companies should take an enterprise-wide approach to risk and learn from their own experiences as well as those of other companies and industries. This helps identify not only challenges that might cause a particular strategy to fail, but also any major risks that might affect the long-term positioning and performance of the business.
Self-deception is often a result of a failure to listen to outside perspectives, and when this happens, business leaders can only see themselves as in a mirror. This often leads to poor decision-making with more far-reaching consequences than would have been the case had the leader listened to outside perspectives.
Risk management is not only about looking at the downside, but also at the upside. Thus, in order to take advantage of uncertainty and volatility in today’s environment, maximize gains and create value, it is critical that companies move beyond their corporate structures and adopt more of an “outside-in” perspective when assessing their strategies, challenges and opportunities.
In an age of Big Data and data analytics, companies can also invest in these technologies to make sense of the vast information at their fingertips: sifting through the data, determining the most important risks and risk indicators, establishing an effective strategic risk management model to follow, and continuously updating the company’s strategic risk profile.
Effective decision-making demands the business leaders to have a more comprehensive picture of the challenges that are in front of the company. This requires integrating ERM into the overall business strategy and planning process, and changing the approach to managing enterprise risks. ERM must effectively support the development and execution of business strategy. However, if risk management is considered a cost and not a value-adding process, there is a big risk that the business will fail to execute its strategy successfully.
Effectively implemented and aligned to the business, ERM can become an important source of information to the board as well as the business via its executives. For example, it can help them become aware of the new risks created by their strategies, evaluate the strategic impact of new technologies and identify investments that are necessary for managing risks and exploiting new opportunities.
Conversely, if the internal audit and risk management teams are given a very low status and are never listened to, they become less effective, resulting in the company being exposed to unnecessary risks.
What level of status are you giving to your organization’s internal audit and risk management teams?
How does risk inform your company’s broader business strategy?
Barings Bank rogue trader (1995), LTCM hedge fund failure (1998), Enron bankruptcy (2001), Parmalat accounting fraud (2003), AIG accounting scandal (2005), Lehman Brothers bankruptcy (2008), Bernie Madoff Ponzi scheme (2008), Toyota unintended acceleration recalls (2009), BP Deepwater Horizon oil spill (2010), Fukushima tsunami and nuclear accident (2011), Libor-fixing scandal (2012), JP Morgan $14.6 billion regulatory fines (2013), Rana Plaza collapse (2013) and General Motors recalls (2014) are a few examples of risk management failures we have witnessed over the years.
Although the number of risks affecting the business and the list of risk management failures continue to grow year-on-year, organizations are not doing enough to reduce exposure to negative events. This is also highlighted in the 2015 Report on the Current State of Enterprise Risk Oversight: Update on Trends and Opportunities published by the ERM Initiative at North Carolina State University. Of the surveyed respondents, only 25 percent had a mature enterprise-wide risk management process in place, 30 percent had only a partial process addressing some but not all risk areas, and 45 percent had no enterprise-wide risk management process in place. These findings are worrying, especially in today’s volatile, uncertain, complex and ambiguous business environment.
Management of risk is a fundamental and essential element in decision-making at all levels across the organization. Organizations need to rethink the way they look at risk. Instead of only looking at the downside of risks, there is also a need to look at the upside. This means moving beyond financial controls and regulatory compliance and spending time assessing, managing and monitoring operational and strategic risks for improved business performance. Risk management is not only about protecting the business but also about enabling business performance. Risk management must therefore be integrated with the organization’s performance management activities. There is a positive correlation between financial performance, risk management and performance management. For example, a study by EY found that companies with more mature risk management practices integrated with strategic planning processes outperform their peers financially.
Implemented properly, enterprise risk management (ERM) helps organizations create value and reduce costs. Today’s volatile economic environment is not making it easy for CFOs. They are being challenged by the board to do more with less, help the business survive and achieve targets. Faced with this challenge, the CFO has no other option but to find cost efficiencies. By implementing robust risk management practices, CFOs will be able to improve the organization’s cost structure. For example, ERM helps management to assess, manage and monitor enterprise risks holistically. Such an approach in turn helps reduce costs by eliminating duplicate risk activities and the savings gained from risk management activities can be used to fund strategic corporate initiatives and create value.
In order to embrace risk for better business performance, organizations must:
- Strengthen the Organization’s Risk Governance and Oversight
Enhancing risk strategy enables organizations to more effectively anticipate and manage risks proactively. In order to enhance the organization’s risk strategy, the board or the management committee must strengthen its risk governance and oversight and increase transparency and communication with stakeholders. Developing a risk governance structure includes establishing the organization’s risk appetite, defining the risk universe, determining how the business would measure risk and establishing enabling technology to help manage risk. If the board or management committee is unable to clearly define risk management objectives, this will automatically make it difficult to adopt and implement a common risk framework across the organization. Risk must be aligned to strategy. This helps identify and understand the risks that matter, invest in the risks that are mission-critical to the organization and effectively assess risks across the business and drive accountability and ownership.
- Make Risk Management an Everyday Part of the Business
To successfully achieve strategic and operational objectives, organizations must embed risk management practices into their business planning and performance management processes. Current information about risk issues must be included into the organization’s business planning and strategic planning cycles. By linking risk to the business planning and strategic planning cycle, the organization is able to prioritize and link the key risks to its operations and performance indicators.
- Do you understand how the different parts of your organization fit together and the risks inherent? Risk is everywhere within the organization. You must be able to identify the connection between business, technology, processes, people and risk strategies and coordinate all the risk functions.
- Is there a formal method of defining acceptable risk limits within the organization? Stress tests must be used to validate risk tolerances.
- How committed to embedding risk management is the organization’s leadership team? Leadership must drive the adoption of the risk management program across the organization and ensure it is effective.
Unfortunately in some organizations risk conversations are done once in a while. Risk is not embedded as part of the organization’s DNA. This must change if the organization is to become agile and respond effectively and efficiently to materialized risks.
- Coordinate Risk Activities Across All Risk Functions
Organizations go through various changes during their lifecycle. Some grow and diminish at an alarming rate and others remain stagnant for considerable periods. During the growth phase, various activities (risk, control and compliance) often become fragmented, siloed, independent and misaligned. The result is a negative impact on both the governance oversight and the business itself. Very often, because of this lack of coordination, costs spiral out of control and there is duplication and overlap of risk activities. When this happens, management must act promptly and address these problems to reduce risk burden, lower total costs, expand coverage and drive efficiency.
- Monitoring and control functions must be aligned to the risks that are mission-critical to the organization.
- Risk technology must be integrated to create visibility to risk management activities across the organization and eliminate or prevent redundancy.
- Individuals must receive risk-related training in order to enhance their skills and promote efficiency. You need to continuously evaluate the skills gap in your organization and invest in skills development.
- Consistent risk monitoring and reporting methods and practices must be applied across the organization to ensure all the risk functions are speaking the same language.
- Improve Financial Controls and Processes
Management must build optimal controls and processes that balance cost with risk. These controls must be optimized to improve effectiveness, reduce costs and support increased business performance. If the environment is over-controlled (costs of control are too high), this hinders finance’s ability to respond effectively to changes in the competitive landscape. In this case, a review of current controls is necessary. This helps highlight duplicate and ineffective legacy controls. Investing in technology also helps organizations minimize the use of manual detective controls, automate controls and drive a more efficient, effective and paperless control environment.
- Change the Organization’s Risk Culture
Effective risk management requires the right tone from the top. If there is no commitment or drive from the executives to create a risk-aware culture, the program is bound to fail. A risk champion is required to change the way people view risk, from business protection to business support. The chosen individual must have strong people and influencing skills to ensure successful buy-in. During the change process, a decision might arise to invest in new technology for maximum benefit. Care must be taken that the change process or risk initiative is not technology-driven. The chosen technology must act as an enabler of change, and the IT strategy must be aligned with the broader risk and business strategies.
It is critical that executives operating in today’s volatile economic environment periodically evaluate existing risk investments, move beyond compliance and focus more on strategic issues that will increase or decrease the value and performance of the business.
As the pressure on CFOs and other business leaders to do more with less continues to increase, we have witnessed an increase in the number of outsourcing arrangements across all industries. Most organizations, led by their CFOs, have outsourced selected projects and functions and delegated the day-to-day management of these activities to third-party organizations.
Often, the reasons for outsourcing include, but are not limited to, achieving significant cost savings, focusing management on core activities, improving quality, achieving higher activity levels, improving customer service and improving financial control.
Whether CFOs and their organizations achieve these intended outcomes is a debate for another day, as some research findings have indicated otherwise. When outsourcing certain business activities, it is imperative that CFOs do not succumb to “herd mentality”. Just because everyone is doing something doesn’t necessarily mean you have to follow suit.
When the decision has been made to outsource, it is critical for CFOs and the other business leaders to thoroughly understand the risks inherent therein and devise intelligent means of managing and monitoring these. Unfortunately, outsourcing risk is poorly managed in a considerable number of outsourcing arrangements.
What business leaders need to clearly understand is that, if improperly managed, outsourcing risk can be fatal to their organizations. Merely outsourcing a selected part of your business does not mean all your problems are over. You can never outsource responsibility, nor can you outsource reputation risk.
By handing over critical parts of your organization to a third party and delegating their day-to-day management to a third-party organization, you are, to a certain degree, losing a degree of control over operations and quality. However, you still maintain ultimate responsibility for the partnership’s performance and results. It is therefore important to remember that when something goes wrong, your customers, employees, vendors and other key stakeholders will come knocking at your door for answers. They do not care much who the outsourcing company is.
Thus, having an effective enterprise risk management (ERM) framework can help CFOs monitor and manage a wide array of risks in outsourcing arrangements. Lack of preparation and improper decision making are what cause a large percentage of outsourcing arrangements to fail. CFOs and business leaders need to know and understand the critical units that are absolutely essential to the functioning of the core business processes.
In other words, the decision to outsource should be made on good business grounds, looking at the overall value outsourcing can bring, and not solely on grounds of cutting costs or improving ROI. Having clearly defined goals and objectives from the outset is key to identifying risks to the project and minimizing failure. If clear objectives are not defined, it becomes difficult to assess all the risks with the potential to derail the outsourcing arrangement. What CFOs need to understand is that outsourcing risks go beyond the planning stage. They are found at each stage of the outsourcing arrangement.
Once the agreement has been entered into, risks will continue to creep in along the way. How are you going to respond if service delivery fails to meet your expectations, confidentiality and security are breached, there are management changes at the outsourcing company, the contract is too rigid to accommodate change or the outsourcing company goes out of business? These are some of the risks CFOs must keep an eye on and ensure there are adequate plans and controls in place to monitor and manage these.
As mentioned earlier, poor planning and decision making are what cause a large number of outsourcing arrangements to fail, and selecting the wrong partner is one of the worst risks. Selecting the provider to deal with should not be based solely on who provides the cheapest deal but also on other factors such as capability and competence, supplier pricing transparency, data and information security, third-party dependency risk, compatibility with your organization’s culture and vision, and the supplier’s governance structure and internal management practices. By having various perspectives on the supplier, CFOs will be able to manage the process effectively.
Another area of risk concern lies within the SLA, the contract which governs the buyer-supplier relationship. Although SLAs are partly standard for any type of outsourced arrangement, they must be properly designed for your specific business. Bad SLAs can hide unacceptable problems in the business, and this has a high potential of backfiring in the long run. Thus, when negotiating the SLA, it is critical to take a risk-based view of the contract development.
In addition to containing details of what needs to be done, division of responsibilities, activities that will impact the arrangement and critical deadlines that must be met, performance review process, reporting of performance, issue escalation process, confidentiality expectations, change control protocols and the exit strategy, the SLA should also act as a fundamental risk control. Risk profiles should be developed for each outsourced function, service or activity to allow for appropriate oversight. These risk profiles must be aligned to the desired process outcomes and the risk metrics developed accordingly so that they can be monitored logically.
Designing risk profiles helps CFOs and other business leaders evaluate the performance of the outsourcing partner and determine whether the desired outcomes are being achieved or not. The risk metrics designed to monitor the arrangement should tie into the SLAs that have been established for the service provider. Furthermore, they must be properly focused, and the means of producing and reporting them must be real-time or near-real-time.
Lack of appropriate outcome-focused metrics and the right measurement criteria is a key failure point in outsourcing arrangements. The problem with many arrangements is that too often unrealistic expectations are placed on the provider by the client. CFOs and their executive management team should be reasonable and realistic and try to ensure there are no surprises. Good communication ensures that management’s expectations are managed and also acts as a prudent risk control mechanism.
The exit strategy must be laid bare from the outset. There are various reasons why a contract may come to an end; failure by the provider to deliver on expectations or poor quality are some of them. When negotiating SLAs, CFOs must think about their exit strategy. There should be clarity about the circumstances under which the agreement may be terminated, how the service or function can be brought back in-house or passed on to a third party, who owns what assets and when compensation is due. Failure to do so can result in the organization becoming dependent on the provider or losing its negotiating power, making it difficult to transition elsewhere.
In conclusion, it is important for CFOs to understand that an outsourcing arrangement is a partnership that must be nurtured and managed effectively and collaboratively to achieve the desired outcomes. Getting it right from the start is key to minimizing failure and maximizing performance.
Enterprise Risk Management (ERM) is all about the organization making sure, and proving, that it is identifying and managing the significant risks to which it is exposed. Failure to identify and manage these risks can have devastating effects on business performance and the long-term value of the organization.
If we look back at the origins of the global financial crisis of 2008, lessons abound of what happens when organizations decide to give risk management a back seat and treat the function as a non-strategic one. A handful of reputable financial institutions went under because of poor risk management implementation practices. In search of higher short-term returns and profits, these institutions took questionable risks that proved damaging in the long run.
When implementing ERM, it is therefore important to determine the organization’s risk tolerance. This is the risk exposure an organization deems fit to take or to avoid taking. Risk exposure is the extent to which your business or organization is exposed to a risk or portfolio of risks; the extent of this exposure is a function of the potential impact (financial, reputational or on the ability to carry out goals) of a risk event and the probability of that event happening. The potential impact of the identified risk events can range from insignificant to very significant. The probability that a risk event will occur can range from highly unlikely to highly likely.
Setting the risk tolerance ensures the organization makes risk decisions and manages risk exposures according to established expectations. It helps clarify what is and what is not an acceptable risk exposure, and that clarity helps the organization know with certainty which risk exposures it can take and which it must avoid. Furthermore, setting the risk tolerance helps the organization evaluate actual risk exposures against authorized risk exposures, which in turn helps determine whether it needs to do more or less to manage the identified risk or portfolio of risks.
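To make the comparison of actual against authorized exposure concrete, here is an added example (not from the original post) that maps the qualitative impact and probability ranges above onto ordinal scores, treats exposure as their product (an assumption; the post only says exposure is a function of both), and checks each risk and each category of a constructed sample register against an authorized maximum exposure, reporting whether the organization needs to do more, could do less, or is within tolerance.

```python
from dataclasses import dataclass

# Ordinal scores for the qualitative ranges the post describes
# (insignificant .. very significant; highly unlikely .. highly likely).
# The intermediate labels are this example's own choice.
IMPACT = {"insignificant": 1, "minor": 2, "moderate": 3,
          "significant": 4, "very significant": 5}
PROBABILITY = {"highly unlikely": 1, "unlikely": 2, "possible": 3,
               "likely": 4, "highly likely": 5}


@dataclass(frozen=True)
class Risk:
    name: str
    category: str
    impact: str
    probability: str

    def __post_init__(self):
        # Reject labels outside the agreed scales so a typo in the register
        # cannot silently produce a wrong exposure or a KeyError later.
        if self.impact not in IMPACT:
            raise ValueError(f"{self.name}: unknown impact '{self.impact}'")
        if self.probability not in PROBABILITY:
            raise ValueError(f"{self.name}: unknown probability '{self.probability}'")

    def exposure(self) -> int:
        # Exposure modelled as impact x probability (assumption: the post only
        # says exposure is a function of both).
        return IMPACT[self.impact] * PROBABILITY[self.probability]


def evaluate_risk(risk: Risk, tolerance: dict) -> tuple:
    """Compare one risk's exposure with the authorized maximum for its category.

    Returns (exposure, verdict): the verdict says whether the organization
    needs to do more, could do less, or is operating within tolerance.
    """
    if risk.category not in tolerance:
        raise KeyError(f"no tolerance authorized for category '{risk.category}'")
    limit = tolerance[risk.category]
    exp = risk.exposure()
    if exp > limit:
        return exp, "do more"          # actual exposure exceeds authorized exposure
    if exp <= limit // 2:
        return exp, "could do less"    # well inside the boundary; controls may be excessive
    return exp, "within tolerance"


def evaluate_portfolio(risks, tolerance: dict) -> dict:
    """Summarise a portfolio per category: worst single exposure, how many
    risks were assessed, and which ones breach the authorized maximum."""
    report = {}
    for r in risks:
        exp, verdict = evaluate_risk(r, tolerance)
        entry = report.setdefault(
            r.category, {"max_exposure": 0, "assessed": 0, "exceeding": []})
        entry["assessed"] += 1
        entry["max_exposure"] = max(entry["max_exposure"], exp)
        if verdict == "do more":
            entry["exceeding"].append(r.name)
    return report


# Constructed sample register and tolerances (illustrative values only).
TOLERANCE = {"outsourcing": 10, "financial": 15, "operational": 8}
RISK_REGISTER = [
    Risk("Key supplier insolvency", "outsourcing", "very significant", "unlikely"),
    Risk("Data breach at provider", "outsourcing", "significant", "possible"),
    Risk("FX volatility", "financial", "moderate", "likely"),
    Risk("Office fire", "operational", "significant", "highly unlikely"),
]

if __name__ == "__main__":
    for risk in RISK_REGISTER:
        exposure, verdict = evaluate_risk(risk, TOLERANCE)
        print(f"{risk.name:28} exposure={exposure:2} -> {verdict}")
    for category, summary in evaluate_portfolio(RISK_REGISTER, TOLERANCE).items():
        print(category, summary)
```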
When establishing its risk tolerance, the organization must consider the following five factors:
- Risk attitude. This relates to the willingness to take risk. Are you a risk taker, risk-averse or risk neutral? Suppose there is an investment with an average monetary return and an equal probability that the return will or will not occur; how much you are prepared to invest in it determines whether you are a risk taker, risk-averse or risk neutral. If you are willing to invest more than the average return, you are a risk taker. If you are willing to invest less than the average return, you are risk-averse. If you are willing to invest only the average return, you are risk neutral.
- Organization’s goals. From a risk-tolerance perspective, goals set the target to which an organization directs its resources. Differing goals lead to differing risk tolerances. For example, public and private organizations have different owners, goals and performance measures. This dictates how the organization sees and reacts to its risks. Some risks exist for private sector organizations but not for public-sector organizations.
- Risk management capability. This refers to the organization’s ability to manage its risk exposures within the accepted risk tolerance ranges. In order to determine your organization’s capability to manage risks, you should ask the following questions:
- Does your organization understand the risks it is exposed to, in terms of potential risk events that could result in the occurrence of a risk and the potential impact and likelihood of these events?
- Does your organization have risk measurement models capable of looking into the future and predicting risk events, instead of making decisions based solely on historical information?
- Does your organization have sufficient, qualified and experienced people to manage risks?
- Does your organization have appropriate and effective risk management practices to manage risks?
- Does your organization have appropriate and effective controls and oversight in place to ensure that risk management practices are working?
- Does your organization’s risk management environment (tone from the top and structure) support or impede the management of risks?
- Risk-taking capacity. The organization’s risk capacity determines its ability to assume the impact of an adverse risk event. When setting your organization’s risk tolerance, you need to consider its financial capacity to absorb losses related to adverse risk events, the potential impact of adverse risk events on the achievement of organizational goals and its reputation.
- Cost and benefit of managing risk. The benefits of managing each risk exposure must exceed the cost of doing so.
Each of the above factors must be considered individually and collectively. Risk tolerance is about taking risks within clearly defined and communicated boundaries set by the organization. There is always a potential upside and downside to taking risks. Trying to eliminate risks altogether, rather than managing and leveraging them, could harm the organization in the long run.
Over the past decade, the total number of risks affecting organizations has increased rapidly. Organizations now operate in an environment that is characterized by risk exposures that are more complex, more interrelated and potentially more destructive than ever before.
As a result of this evolving business world, there is increased pressure on senior executives and their boards to effectively manage risks so that stakeholder value is preserved and enhanced. They must adequately recognize and manage risks associated with strategic and operational decisions being made throughout the organization and clearly understand the devastating effects of these risks on business performance.
To ensure that risk management forms part of the organization’s strategic and operational decision-making processes and helps drive business performance, the board must establish the appropriate tone at the top. Effective enterprise risk management (ERM) requires a top-down, holistic view of the risks faced by the organization. Thus, the actions of the board and senior management team should send a clear message to the organization that policies and procedures are to be followed thoroughly.
Although the board is not involved in the actual day-to-day management of risks faced by the organization, it is the responsibility of the board to exercise significant oversight and ensure that the implemented risk management processes are aligned to the organization’s strategy and functioning as designed. By actively exercising its oversight role, the board is able to send an important message to the company’s senior management and its employees that ERM is an important element of the organization’s corporate strategy, culture and value-creation process.
Without the board’s direction and support, efforts to implement an effective ERM process are destined to fail. It is therefore important for the board and its senior management team to develop a risk-aware culture that operates within the agreed risk appetite that aligns with the organization’s corporate strategy. Excessive risk taking can have devastating effects on the overall business performance. Lessons can be learned from the recent collapse of African Bank Limited Investments (ABIL) in South Africa. The bank’s board and its senior management team have come under public and regulatory pressure for poor risk management oversight and poor processes.
To avoid liability in their oversight role, boards must ensure that their organizations have implemented comprehensive monitoring systems bespoke to each category of risk. For example, the monitoring systems in place must include reports on significant matters that have been levied against the company and may be used as evidence in shareholder litigation. Such reports can act as red flags or violations of risk limits for the board and these should not be ignored as they warrant further investigation and ultimately action. Furthermore, these monitoring systems ought to be reviewed regularly and their robustness tested and measured.
Where the board assigns primary risk oversight responsibility to a committee of the full board such as the executive audit and risk committee, it is important that the committee periodically delivers reports on the status of the ERM process to the full board to help ensure that the entire board has a clearer understanding of the company’s risk profile and the steps management has taken to monitor and control such exposures. The idea is to facilitate serious and thoughtful board-level discussion of the organization’s ERM process, the trends in the key risks the company faces and the robustness of the company’s policies, procedures, and actions designed to respond to and treat these risks.
Actively devoting meeting time to discuss and analyze information about the organization’s ERM program and the most significant risks impacting the company’s ability to achieve its strategic objectives enables the board to fully discharge its fiduciary duties. In-depth knowledge of the organization’s fundamental operations is necessary for understanding the implications of the key risks the organization is exposed to and then assessing the organization’s planned responses to these risks.
Board composition plays a critical role when it comes to performing the risk oversight role. To effectively monitor the organization’s ERM program, boards should pay particular attention to the background and experience of the individual board members serving on the committee charged with the oversight of the ERM function.
This is because the board’s ability to perform its oversight role effectively is heavily reliant on the flow of information between the directors, senior management and the ERM executives in the organization. Such information includes the external and internal risk environment faced by the firm, key material risk exposures affecting the company, risk assessment and prioritization policies, key risk treatment strategies, the strengths and weaknesses of the organization’s ERM program, etc.
In conclusion, it is important for the board and senior management team to realize that the traditional practice of managing risk on an ad hoc basis is no longer tolerable. Instead, the board needs to adopt ERM as a process to develop a more robust and holistic top-down view of the key risks facing the organization. An ERM focus assists boards and senior executives to think about risks more holistically and also helps avoid managing risks inconsistently or within each individual risk manager’s personal tolerance for risk.
I welcome your thoughts and comments.
In order to make informed decisions, risk reporting must be of high quality. Managers need to be able to evaluate the suitability of the risk management methods they are employing to identify, assess, mitigate and monitor enterprise risks. Are these methods working? Do employees know when these methods are not working? What are the consequences of risk management failure? How can this risk management failure be resolved?
If the data used to identify and assess enterprise risks is flawed, regardless of how excellent the risk mitigation strategies are, the organization will just be wasting resources. One advantage of good regular enterprise risk reporting is that it helps management identify and evaluate the risk profile and risk strategy of the organization.
Poor enterprise risk reporting often leads to poor decision making and in the worst case scenario no decision making at all. Today, sources of risk data are vast. Managers need to know what to do with this data. They must be able to turn this huge amount of data into a strategic asset in the form of information and knowledge that can be used to make effective decisions capable of helping the organization mitigate risks, achieve its strategic objectives and drive business performance.
The reason so many managers make poor enterprise risk management decisions is that they base their decisions on poor quality reports. There is little value in carrying out the processes in your enterprise risk management framework without good reporting. Thus, when designing and building your enterprise risk reporting structure, it is important to ensure that the report:
- Is defined clearly: When defining the report it is important to consider the name of the report, objective(s) of the report, distribution list of the recipients, names of fields to be used, calculations required in each field, manual actions to be performed in each field and how the final report will be used. You should start considering design of the report only after the definition stage.
- Uses a common language understood throughout the organization: Employees normally have a different understanding of the true meaning of risk. It is therefore important to ensure that there is a common understanding of the terms used in the organization’s risk report. The terms used must be clear and mean the same thing to every employee who reads them. One way of achieving this involves managers running risk awareness programs/workshops or incorporating a glossary in the enterprise risk policy document.
- Highlights the important messages: Managers have busy schedules and limited time at their disposal, so sometimes they just scan through the reports. It is therefore important that the produced risk report highlights the critical risk areas. The producer of the report must not assume that the reader possesses the same enterprise risk management knowledge. By highlighting those critical risk areas that need management attention, for example through colour shading, managers will know where their focus is most required and will therefore not spend much time on unimportant parts of the report.
- Integrates quantitative and qualitative information: Enterprise risk management generates both quantitative and qualitative data; thus, both sets of data must be interlinked in risk reports. Relying on one set of information to report risks leads to treating risks in isolation and, in turn, to flawed decision making.
- Uses reliable quality data: The quality of data used in enterprise risk reporting is critical to making informed decisions. How reliable are your risk data sources? Failure to fully embed ERM throughout the organization leads to poor data quality as risk and control assessments are still not yet accepted. Continuously using data of poor quality to produce reports used by senior managers to make strategic decisions can cause them to make poor and loss-making decisions and this in turn affects buy-in of ERM throughout the organization.
- Guides effective decision-making: Are your reports stirring up action? Often, managers receive reports that are useless. A lot of time and resources are spent producing these reports, but they serve no purpose in aiding effective decision-making. In addition to highlighting values, a good risk report must guide managers in deciding whether or not action is required. If the produced reports fail to highlight the need for action or some form of decision, then their existence should be questioned.
- Is produced in a timely manner: Suppose that risk reporting is done on a monthly basis and the values in the report change monthly. There is then no point in producing a risk report halfway through the month, as the report would have relatively little value. It is therefore important to ensure that reports are produced in time to enable management to make use of them and embed ERM throughout the organization.
- The report’s structure is evaluated continuously: In a constantly dynamic and volatile business environment, the organization’s risk profile, indicators and controls are also likely to change. This signals a need for change in the structure of the organization’s risk report. For example, if the risks confronting the organization increase in number, the risk report(s) can easily grow in both length and number. It is therefore important for the report producers to establish what information really matters to the audience for whom the report is intended.
- Enables risk ownership: Management needs to take ownership of the information contained in the risk report. Thus, a risk owner must be identified, and this can be an individual, a department or a business line. A good risk report should enable the risk owner to take action when required.
- Is integrated with other processes: Organizational risks do not happen in isolation. Other business processes play a part, and these should be taken into account when reporting enterprise risks. For example, by taking audit conclusions into account, resources will not be wasted by a number of people seeking to solve the same problem. Also, taking other processes into account reduces confusion and the chance of inaction, as the report will indicate the accepted risk actions from the other processes.
Good reports are essential to good enterprise risk management. Thus a good risk report should be able to deliver information in such a way as to support informed business decisions on the organization’s risk profile.
What else would you say are the qualities of good enterprise risk reports?
I welcome your thoughts and comments.
Enterprise risk management (ERM) is critical for the successful execution of the organization’s strategy. Failure to identify, assess, manage and monitor key risks can have devastating effects on the long-term performance of the business.
In order to successfully identify, assess, manage and monitor key risks managers need to establish and implement a compelling enterprise risk management structure within their organizations. When establishing ERM the question normally asked is, “Who owns the risk management process and who is responsible for what?”
In some companies the CFO is responsible for all the risk management processes. In others the Chief Risk Officer (CRO) or the Head of ERM is the chief architect. Does this mean that the other personnel play no role in managing enterprise risks? Not at all.
When establishing an ERM framework and culture it is critical to understand that neither the CRO, CFO nor the Head of Risk Management is solely responsible for the ownership of all the risks facing the organization. These personnel are responsible for properly reporting significant risk events and potential opportunities to the other senior management and the board members.
You could also say that they own the organization’s risk management functionality itself. That is, they are responsible for setting up the infrastructure for gathering risk information, setting risk responses, determining probability of occurrence and impact, discovering the root causes of risk, and the timely reporting of the same. Risk ownership is every employee’s responsibility. In other words, all the risks that confront the organization every day are owned by everybody in the organization at the respective levels at which they operate.
Take for example the sales employees or any other front-line employees. Their actions can either build or destroy the image of the bank through the relationships they form and constantly enhance with the customer base or by the ones they ruin. They also set the tone whether the customer is going to be interested in buying other services or products of the organization that are being offered. Thus these employees own their own set of risks and certain risks of the organization as well.
To be successful at implementing ERM, the process must involve virtually every key person in the organization, because these are the people with the greatest influence over buy-in. If they fail to embrace ERM, then ERM will never become an important part of the business on a day-to-day basis.
To ensure that everyone within the organization makes enterprise risk management an important aspect of their job, it must always be approached as an environment that is owned by everybody for their own mutual benefit.
The benefits of implementing ERM must outweigh the costs. In other words, the process must earn a return on investment that is deemed acceptable by the organization. If the benefits outweigh the costs the possibility of every key member of the organization embracing ERM and not just tolerating it as another one of those corporate fads is high.
Everyone in the organization should want to actively participate in ERM. If ERM becomes part of the enterprise’s DNA, then it has a chance of attaining a high degree of success.
I welcome your thoughts, comments and feedback.
In his book, The Black Swan: The Impact of the Highly Improbable, Nassim Nicholas Taleb defines “Black Swans” as random and rare events that underlie our lives and business, are nearly impossible to predict and have a huge impact when they materialise. According to Taleb, “Black Swans being unpredictable, we need to adjust to their existence, rather than naively try to predict them.”
In the past several years, many large-scale events (similar in nature to Black Swans) have manifested and changed the course of many businesses. Examples of these events include increased food and product safety issues, energy supply volatility, global financial instability, geopolitical instability, natural disasters, etc. These events have had a significant impact not only on the organizations located within the borders where they occurred, but also on various parties across geographical borders, industries and sectors.
Because of this unprecedented change in the business environment and risk landscape, organizations need to take a new look at their risk management processes and the allocation of resources to ensure that emerging risks are effectively identified, assessed, managed and monitored at all levels of the organization, i.e., from strategic planning to day-to-day operational processes.
Although many organizations have put in place risk management processes to identify, assess and manage enterprise risks, their programs are repeatedly failing to identify emerging risks relevant to the organization, to assess their impact and interconnectedness with other risks, and to mitigate them. This failure has implications for the organization’s strategy and objectives. It is therefore important that the organization’s board and senior management continuously scan the business environment for changes that could impact strategy execution and the achievement of business objectives.
A systematic approach to risk identification is achieved by first considering what risks the organization is facing on the macro and micro levels. Macro-risk identification involves the identification of major risks that may have significant impact, financial and otherwise, on the organization by using techniques such as industry analysis, competitor analysis, country analysis and market/environmental analysis. Micro-risk identification involves identifying sub-risks within the major risk classes that can usually be prevented by introducing effective risk control measures. Risk inspections, HAZOP studies, failure mode and effect analysis (FMEA), fault tree analysis (FTA), hazard indices, safety audits, legislation and codes of practice, research and risk sourcing can all be used to identify risks and their sources at a micro level.
In a fast-paced and changing business environment which is always presenting opportunities and threats, the organization needs to build a dynamic ERM model, be proactive and resilient. Lessons are still being learnt from the 2008 Global Financial Crisis (GFC) which started first in the US and spread overnight to other developed and developing economies. What began as a crisis only within the banking sector immediately spread over to other non-banking industries, for example, the automotive industry. This GFC revealed the shortcomings in the risk programs of many financial and non-financial institutions. Organizations that were once thought of as “too big to fail” have disappeared while others have come out stronger.
Since then, supported by a stronger risk management culture, organizations across industries, sectors and national borders have attempted to strengthen their risk management programs by using techniques such as risk assessment, scenario analysis, event simulations and stress testing as a basis for determining response strategies that are aligned with the organization’s strategies, objectives, risk appetite and tolerance.
Today, risks are very much interconnected and go beyond enterprises, industries and national borders. Businesses no longer conduct business only locally. Globalization has made it easier for organizations to seek opportunities across national borders, either through direct market entry or through joint ventures and collaboration with foreign partners. Although benefits can accrue from collaboration, these interactions also expose the organization to a wide range of risks, which in turn has increased the complexity of managing risks.
Effectively applying ERM principles can help the business address risks that may appear unknown but have a huge impact when they materialise. By implementing ERM and building a strong risk management culture throughout the organization, business leaders are able to:
- Identify emerging risks relevant to the organization’s strategy and objectives by carefully scanning and analyzing all the relevant risk factors.
- Assess the significance of different risks to the business and stakeholders, their interconnectedness with other risks and implication to the business.
- Determine risk response strategies as well as consider collaboration with external parties to mitigate the risks and possibly even capture opportunities.
- Regularly monitor emerging risks through the effective use of qualitative and quantitative indicators.
In a global economy where opportunities are hunted across national borders and industries, risks spread just as widely. It is therefore important for boards and senior managers to ensure that the organization’s risk tolerances are not exceeded. Proactively monitoring risks and analyzing trends and the underlying relationships between risks helps organizations avoid significant losses and seize opportunities. By applying ERM to emerging risks, the board and management are able to demonstrate to investors and other stakeholders the organization’s agility in detecting and responding to large-scale risks.
Risks affecting the organization’s business performance can be known, unknown or unknowable. Where the risks are known, their causes, probability of occurrence and likely impacts are well defined. These risks can therefore be measured and managed because they have manifested previously. Unknown risks are well defined, but it is impossible to assign probabilities to the occurrence of specific events, e.g. acts of terrorism. Unknowable risks have not yet manifested, and any understanding of them is largely speculative. Understanding this distinction between risks is important. It helps with the allocation and reallocation of resources to foresee risks that are currently being ignored.
Identifying, assessing and managing risks relevant to the organization should form part of its strategic planning and performance management processes. This also requires the organization to strengthen its ERM capabilities and skills to ensure adequate risk oversight and management. In addition to identifying risks relative to its key objectives, the organization also needs to embrace and manage risks throughout the value chain. Each relationship within the value chain implies not only new opportunities but also new risks. If one of the relationships fails, there are consequences for all the relationship partners. Thus, it is important to understand the risks faced by each partner when identifying and evaluating risks. Through historical data and forward-looking analysis, the organization will be able to go beyond known risks and expose what may seem to be unknown risks.
In today’s complex and rapidly changing environment where an organization can thrive or disappear overnight, effectively applying ERM principles and building a strong risk culture to identify, assess and manage enterprise risks is important for executing strategy, driving business performance and meeting various stakeholder expectations.