FP&A is connected to risk management, as it frequently deals with volatility, uncertainty, complexity and ambiguity. AFP’s latest FP&A Guide explores how risk methodologies have the potential to improve FP&A.
Define and apply risk appetite and risk tolerance. A risk appetite statement describes the nature and amount of risk that a company is willing to accept. It should guide board and management decisions, and apply to both the upside growth and the downside loss that a company is willing to accept in pursuit of its objectives. Risk tolerance is the defined limits of the risk appetite as applied to different risk classes in the taxonomy.
Risk appetite shapes the risk profile of the organization—the growth or diminishment of products, services, markets, infrastructure and even risk management investments. FP&A is best positioned to apply the risk appetite throughout the company. Corporate FP&A can ask, does the plan align with the limits imposed by the board for different classes of risk? Does the consolidated forecast show us attaining the plan?
Decentralized FP&A teams can break down the goals for business and product lines, and measure frontline progress. Knowing the tolerance for risk in different areas assists in selecting projects and composing the optimal portfolio.
Management reporting should align with risk appetite and related tolerances, highlighting acceptable variation in performance and opportunities to rebalance the risk-return tradeoff.
Leverage risk taxonomy and risk identification to forecast. A risk taxonomy is a comprehensive, common and stable set of risk categories that is used within an organization. By providing a comprehensive set of risk categories, it encourages those involved in risk identification to consider all types of risks that could affect the organization’s objective. It allows the business to ask, ‘What types of risk do we want to accept or defend against?’ It also allows the organization to consider risk drivers that may accelerate risks across categories.
Finance can tap into this taxonomy and gain several benefits. The hierarchy and structure can allow FP&A to gain a broader understanding of where risk can impact the company and the nature of the impact on specific business units. Identified and agreed-upon risks can inform sensitivity and scenario analysis, and threats to the plan.
As the first-line operational team becomes more fluent in the lexicon of risk, they can share the same language with FP&A, which can enhance FP&A's ability to become a good business partner. FP&A can have discussions with the business on specific risk areas where they can contribute, and demonstrate operational understanding.
Especially in organizations where the risk function is not well defined, FP&A may be the one to demonstrate the value of leveraging the risk taxonomy for risk identification, mitigation, and action planning, working hand-in-hand with the operational teams to embed risk management activities.
Link risks and performance to financial commitments and flexibility. Companies pursue value for their stakeholders, and risk is any uncertainty that could lower that value. The following image shows that the forecast is the expected future earnings from company activities; upside or downside events will impact the ability to meet various commitments and pursue and deliver value to stakeholders.
Leverage risk taxonomy and risk identification to forecast. The following example shows how a risk team can approach operational risk.
Company X has a warehouse and is subject to several Occupational Safety and Health Act (OSHA) rules to protect the safety of its employees. Failure to satisfy these rules could lead to various types of sanctions, ranging from fines to shutting down the warehouse. This risk is an example of operational risk, and is a cost of doing business; that is, the business accepts this risk if it wants to continue its warehouse department. The potential sanction is called the inherent risk, because it is involved in doing business, and if it is quantified, it is going to be some factor based on the likelihood of sanctions and the impact of the sanctions. However, this risk does not exist in a vacuum; Company X has put several internal controls in place to mitigate the likelihood and severity of sanctions, such as training for all staff, internal safety operators, and process audits to ensure that safety procedures are followed. These mitigating factors lead to a residual risk, the impact that cannot be managed away, that is less than the inherent risk.
In addition, many risk teams create risk registers or event databases that collect historical events and the impacts to the organization.
Finance can leverage the risk team's extensive research and experience in several ways. Event databases can provide documented exposures for various projects; risk quantification can be factored into models and forecasts, and expert examinations can lower risk in projects.
For example, as one risk manager at a large company noted, “I can add a lot of perspective on new product launches, but I want to be brought in six months ahead of time. It is a challenge to get a full review if I only know of it in the last six weeks.”
Key Point of Differentiation: There is a significant difference in how risk and finance quantify risk events. Most risk managers view the world through the lens of “what can go wrong, and how bad it could be.” They are trained (and incentivized) to protect against negative events.
Finance thinks of “risk and reward,” that every dollar spent either creates or destroys value. Finance should be careful not to accept all risks and controls at face value, as that may overstate the exposure and lead to excessive conservatism and costs.
For further insights, download Increasing FP&A's Effectiveness by Integrating Risk Management.