A planning process starts with the company’s mission and goals, and then breaks those down into more detailed execution plans and forecasts. In FP&A, we focus on how to achieve the goals and create forecasts that show whether we are on track or need to re-allocate capital because we are on an alternate path. Our colleagues in risk management start from the same goals, but look at what can prevent us from achieving those same goals and ask the question, “What could go wrong?” The overlap between the two is obvious, and so there should be common ground for discussing risk.
That common ground starts with finance learning the risk taxonomy of a company. Note that for companies that do not have a risk group, and therefore no risk taxonomy, this is an opportunity for finance to introduce this common practice.
Any taxonomy is a way of classifying objects into groups so they can be examined and discussed. For example, a grocery store has a taxonomy for assembling its products—dairy items are grouped together in a refrigerated case, cereals are together, and all the baking supplies and spices are together on a different aisle. This makes it manageable and efficient for the shopper to navigate the store.
The risk taxonomy establishes categories of risk. Common categories include financial risk (market, credit, liquidity), operational (people, process, technology, compliance), and strategic (strategy, reputation). For example, lending institutions might be sensitive to credit risk where there is concern that counterparties may not fulfill their obligations. Health care companies may have very high data compliance requirements, or a decision to move up/down market may carry strategic risk for a brand. The taxonomy can extend to deeper levels and get more discrete, and have categories for counterparty concentration, access to data networks and password controls, or new product risk.
A taxonomy allows the business to ask: What types of risk do we want to accept or defend against? Consider the following example: Company X has a warehouse and is subject to several OSHA rules to protect the safety of employees. Failure to satisfy these rules could lead to various types of sanctions, ranging from “wrist-slap” to fines to shutting down the warehouse. This risk is an example of operational risk, and is a cost of doing business; that is, the business accepts this risk if it wants to continue its warehouse department. The potential sanction is called the inherent risk, because it is involved in doing the business, and if it is quantified, is going to be some factor based on the likelihood of sanctions and the impact of the sanctions. However, this risk does not exist in a vacuum; Company X has put several internal controls in place to mitigate the likelihood and severity of the sanctions, such as training for all staff, internal safety operators, and process audits to ensure that the safety processes are followed. These mitigating factors lead to a residual risk that is less than the inherent risk.
Finance can tap into this taxonomy and associated analysis to help talk about company risk. First, finance can benefit from the risk methodology by obtaining a sense of potential exposure and impacts to the income statement or charges against reserves. Each company will incorporate the risk study differently, but the key area of focus is how to build these residual impacts into the forecast for high frequency, high likelihood events; lay off the risk through insurance, hedges or other options; or simply accept the risk. Finance can apply the risk taxonomy in presenting a risks-and-opportunities or SWOT analysis (Strengths, Weaknesses, Opportunities, Threats).
A second reason for finance to learn the taxonomy is that speaking the language of risk means understanding the control structures that are in place, and being able to opine on the cost efficiency of the control paradigm. Risks will always exist, and it is possible to create additional layers of internal controls through review, process checks, or other forms of oversight. However, these will come with additional costs in the form of slowed processing, additional staff, or oversight software and compliance. At some point, the cost of controls can outweigh the benefits and stifle growth. Finance can add value to the risk team by studying the cost-benefit trade-off that comes with layers of controls as part of its existing mandate to stay on top of internal expenses.
A third reason for finance to learn risk taxonomy is that risk management processes are evolving and moving closer to our business partners. In the past, risk was managed by a dedicated risk group as a second line of defense supporting the business, which was considered the first line of defense. The trend today is to transfer the ownership of risk to the first line and support them with training and oversight by the second line. And the risk practice is growing, driven by the need for cyber security and the changing regulatory compliance landscape. This means that our business partners are going to be speaking the language of risk, i.e., risk taxonomy, and FP&A should too.
Understanding the taxonomy of risk means speaking the language and provides an entry point for finance to talk to other parts of the enterprise and overall operations. That can lead to expanded collaboration and professional opportunities that can make everyone better.