Perhaps more than ever, large businesses must navigate a world of financial crises, volatile markets, natural disasters, growing regulatory scrutiny and the risky waters of global expansion. As a result, risk management has moved from the background to center stage in the boardroom. Because of the increasing uncertainty of business outcomes, shareholders, with the support of regulatory agencies, are becoming more intolerant of “surprises” that damage investment value and are demanding that companies have thorough, dynamic risk management processes in place. It all starts with creating a risk-aware culture. The CFO can play a significant role.
The Demand for Better Risk Management
There are seemingly many regulatory requirements to address shareholder concerns. Companies undergo costly, lengthy audits to adhere to Generally Accepted Accounting Principles (GAAP) and receive objective opinions on their financial statements from accounting firms. Section 404 of the Sarbanes-Oxley Act of 2002 (SOX 404) assesses a company’s internal controls and requires a top-down risk assessment. The Public Company Accounting Oversight Board (PCAOB), concerned about the quality of independent audits, has recently embarked on audit reform to ensure that accounting firms render an objective opinion. In 2010, the U.S. Securities and Exchange Commission established rules that require boards to disclose risk oversight measures. The Dodd-Frank Act requires U.S. public companies to adopt clawback policies requiring the return of incentive compensation paid to executives based on erroneous financial statements. In addition, companies can no longer exclude proposals from proxies where shareholders are seeking more disclosure on risks related to major policy issues.
Yet these measures can be inadequate. While regulatory requirements address internal controls and attempt to measure risk, companies are ultimately responsible for managing it. Compliance with GAAP, for example, does not speak to how management decides to apply it. A company can be in compliance with regulations and still fail to effectively manage and mitigate risks. One multibillion-dollar company cleared its SOX 404 testing with significant liquidity issues and filed for Chapter 11 bankruptcy a few weeks later.
Many organizations have not yet developed robust risk management programs or embraced a culture of risk management. According to a 2010 survey by the American Institute of Certified Public Accountants, 45% of companies had no enterprise risk management framework in place. Of those that did, only a fraction described them as “mature” or “robust.”
To bolster and centralize risk management efforts, management and the board should consider turning to the CFO and finance organization. It is already the CFO’s responsibility to ensure that the company’s books and records can withstand scrutiny. He or she manages the risks associated with issues such as financial restatements, liquidity crises or even fraud. But CFOs can contribute more. Through their enterprise role in budgeting, raising capital, making investment decisions and providing operational oversight, CFOs engage with every aspect of a business. These executives have a prime vantage point and possess the analytical skills to identify and quantify risks with an integrated enterprise view. Even in companies in highly regulated industries with long-established risk functions and officers, the CFO is becoming a more important partner in assessing systemwide risks.
The Transformation of the CFO
The finance profession within large organizations has been in transformation for more than a decade. Where it was once relegated to reporting, budgeting and cash management, finance professionals have become business planning partners by weighing in on strategies and contributing input to product development, manufacturing, marketing and other key functions.
As organizations struggle to connect strategic management with financial and other planning processes, the CFO and finance organization are taking on a more active business planning partnership role within many enterprises. It is not uncommon, for example, for CFOs to lead operational reviews, develop planning models and test assumptions in different business scenarios. Enterprise risk management is the next logical step in the transformation. CFOs and their staffs can harness industry and company knowledge and combine it with sophisticated analytical techniques to drive the assessment of enterprise risk and the decisions made to measure and mitigate it. Developing key performance indicators is a start; building a risk-aware culture is the continuum.
The CFO as Risk Manager
Since CFOs often lead enterprise performance management processes, risk management efforts can be tied into that work and role. In addition, CFOs bring to the table a long-term view with a strong focus on quantifying the financial impact of decisions and events. As a result, CFOs are increasingly making contributions to managing financial and nonfinancial risks beyond their purview of ensuring accurate financial information.
Some notable examples include developing risk metrics that tie directly to shareholder value, moving beyond narrowly focused measures that analyze currency or credit risk. CFOs also play a hands-on role in identifying and mitigating market risks. At Virgin Mobile, for example, the CFO saw the financial troubles at Circuit City early on and immediately tightened credit terms and started monitoring shipments daily.
CFOs can link capital structure to strategy, ensuring that the balance sheet isn’t overleveraged, and quantify and monitor the impact of investments. At Concentra, a healthcare services company, the internal audit team developed an annual risk assessment portfolio to evaluate the performance risks of the enterprise after an aggressive series of acquisitions.
To mitigate natural-disaster and environmental risk, CFOs can develop contingency plans in the event of work stoppage and associated cost/benefit analyses of these contingency measures. Technology executives can turn to CFOs to assist in quantifying security risks and their potential impact on the enterprise to justify investments in enhanced security measures. CFOs are also involved in managing risks associated with employee recruitment, retention and compensation, and may also manage risk associated with suppliers and third parties.
Some CFOs are also playing a greater risk management role with individual lines of business. In that role, they communicate critical issues internally and externally. It is not uncommon for the CFO and finance organization to spend time in the field deepening their knowledge of unique risks specific to individual businesses. They can translate these risks into “heat maps” that articulate levels of risk and then tie those risk levels to corporate scorecards. CFOs are also involved in communicating with the analyst community and media by detailing how certain risks, such as currency exchange rates, may affect performance without also reflecting weaknesses in the company’s strategy.
Talking about risks is a first step. Acting on risk programs is prudent and protects enterprise value. CFOs who create a robust risk management architecture not only can minimize financial restatements, liquidity crises, or other embarrassing or catastrophic events, but they can also help a company increase efficiency and achieve its profitability and performance goals. CFOs can play a role and proceed logically to the next step in the transformation of their profession: moving beyond reporting and compliance to bringing their organizational purview and analytical ability to a more active role in enterprise risk management.