Business is the process of managing risk in pursuit of a goal. At every moment, you are risking company resources to create value. Too much risk and you could go broke; not enough risk and you will underperform. The goal is for your organization to take the right amount of risk.
This applies not just to you in finance; everyone needs to take the right amount of risk, and that implies driving risk-based decision-making into all levels of activity in your organization. You can do this if you can overcome some of the common challenges that companies face when embarking on this journey.
The first challenge is ensuring management commitment to and support of risk management programs. It’s quite common in today’s lean operating environment to slash the cost centers, or non-revenue-producing departments, including risk management and other quality control functions. While cost cutting is inevitable, it’s critical to have senior management champion risk management as an asset for smart top-line growth while protecting the bottom line as well. A strong tone at the top is a key pillar for any successful risk management function.
One reaction to this trend is to push ownership of risk away from risk centers to the daily operators. To delve into jargon, there are usually three lines of defense in a risk management program:
- The daily operators who run the business
- Compliance groups who design the risk frameworks and applications
- The audit function that provides assurance that the framework is implemented
The trend is to empower the first line to know, measure and report on risk instead of deferring that to the second line, which previously had responsibility for this work. This has the benefit of moving risk management to process owners without creating overhead costs.
The second most common challenge is tying risk management to a company’s overall strategic goals and objectives. According to the June 2016 proposed update to the ERM framework from the Committee of Sponsoring Organizations of the Treadway Commission (COSO), aligning risk with strategy makes it easier to develop a risk program “fit for purpose,” or designed for the unique capabilities of your organization. For example, your employees need to clearly understand their roles in achieving goals and objectives so that they can act as the human firewall and monitor key risk metrics.
This can happen at multiple levels throughout the organization. At a strategic level, this may involve writing risk scenarios or creating stress tests to see how the forecast or liquidity might respond. At a tactical level, it might be about backups and redundancies for delivering products and services. Redundancy is expensive, so as financial analysts, we must remember that a strict cost-benefit analysis based on quantitative analysis may not adequately capture the strategic benefit of risk mitigation.
The third challenge companies face is implementing risk management standards that create a repeatable and sustainable process. Simply put, understanding one’s risk profile or risk appetite allows business leaders and line management to make consistent risk-based decisions in pursuit of value.
It is extremely hard to create your own risk methodology, especially since effective implementation requires a standard taxonomy for the business. Fortunately, a variety of frameworks exist to create value through risk management. It is helpful to have a unified view of risk management through a framework such as COSO or ISO 31000 that will help to define a company’s risk appetite and link risks to goals. This ties in with FP&A’s need to align finance, strategy and capital.
The fourth and final challenge is to evaluate current risk programs consistently, to ensure that they are continuously improving and that the risk standards they implement are still relevant to the risks they are meant to manage or mitigate. Risk management is an ongoing exercise that offers the opportunity for analysis and improvement over time.
This is the corollary to having a standard framework in place—it now becomes possible to measure and report through defined channels. This fits in with FP&A’s mandate of performance measurement and management reporting. Organizations can capture data on key risk indicators and specific incidents and review them at the operational level or in risk review committees. There are many software solutions that allow for the measurement, tracking and reporting of risk. FP&A needs to keep track of key risks in order to alert management and prepare a flexible response.
You can build a risk-based culture by driving risk thinking into the daily actions of your company. Building a risk-based capability requires ownership by your people at the front lines of operations, processes and standards designed to link risks to strategy in daily operations, and technology deployed to support risk decisions and monitoring.