The Value Integrator and Enterprise Risk Management
In my last post, I wrote about the CFO as a Value Integrator and the need for CFOs to start thinking about how they can help their peers in other parts of the organization by focusing on helping them solve problems by mapping their own unique expertise to the challenges these other business executives face. Earlier, while doing some other research on Risk Management, I ran across a rather interesting Corporate Executive Board (CEB) blog post on the Six Myths of Risk Management and, as you might suspect, one of these myths crossed my mind as I was writing the Value Integrator post.
Myth 1: The Biggest Risk My Firm Faces is Financial Risk
Neither the myth nor the recommendations offered by the author, Srikanth Seshadri, were particularly surprising (see my posts How Well Do You Manage Your Risks and Award-winning Risk and Performance Management).
I already knew risk management was more than evaluating Value at Risk (VaR) for financial risk management, which is really more about loss management and mitigation than anything else. What really shocked me was how inconsequential financial risk was when compared to the other root causes of market capitalization declines based on a CEB study of the top 20% of Fortune 1000 companies whose market capitalization declined 50% or more from 1998 through 2009.
Operational risks (13%) and strategic risks (68%) easily topped both financial risks (12%) and legal/compliance risks (6%) as causes of market cap decline. If you’re a shareholder, these are scary numbers because no amount of auditing will mitigate these risks and most risk managers probably aren’t thinking about operations or strategy, at all.
So, how can the CFO, as a value integrator, help solve some of these challenges? The first thing they need to do is to think about the problem from a holistic point of view. Back in 2004, COSO created a framework for Enterprise Risk Management (ERM) as a way of extending the work they had done on internal controls, which was largely adopted by the SEC for the implementation to meet the requirements of the Sarbanes-Oxley Act. Let’s look at how COSO defines ERM:
“…a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
So, ERM is a process. That means there’s probably not going to be a magic formula or silver bullet software solution to the problem (see Myth 3: We are good at sensing risk because of our investment in ERM systems). In fact, risk management cuts across all aspects of corporate management, especially strategic, operational and financial. At Carnival Corporation, risk management is everyone’s job. It’s also not something you do once in a while (see Myth 2 & 4).
Now it’s starting to sound like a crusade, or worse, an ERP implementation, right? Not necessarily. In their book, The Execution Premium, Robert Kaplan and David Norton describe a multi-stage executive management system that takes you from strategy formulation to execution and periodic reassessment of both operational and strategic plans so that adjustments can be made when underlying assumptions change or are no longer valid, thus closing the loop and starting another loop around the system. The continuous monitoring and testing is the key to determining whether or not a strategy is working, in other words, evaluating whether or not the strategy is at risk of failing. Kaplan reiterates this in his article Risk Management and the Strategy Execution System, where he outlines a method for creating a risk heat map for mitigating risk that incorporates not only a risk probability analysis, but also an impact analysis for global, strategic, operational, financial and compliance risks. In it, he advocates the use of scenario planning as a way of helping managers consider the correlated consequences of future events. Using Time-Driven Activity-Based Costing models of the entity or business provides a critical tool for managers to determine the future outcome in financial, strategic and operational terms. This sounds a lot like the ABC war gaming I described in my post on forecasting and one of our customers mentioned at a recent user conference.
While risk analysis involves both probability assessment and impact (or scenario) analysis, one of the panelists in the roundtable on risk management at the recent CFO Core Concerns Conference reiterated that CFOs should focus less on determining probability and more on determining impact of even the most unlikely (or worst case) scenarios. The volatility of today’s economic conditions mandates that companies improve their ability to do this type of scenario analysis because they’ll need to do them ever more rapidly. A robust performance management solution can easily be leveraged to provide this capability. The CFO can extend his skills as a value integrator by expanding the scope of these tools into the arena of strategy management, thus providing a valuable risk mitigation solution within the framework of the executive management system as the process for Enterprise Risk Management.
I know I’ve covered a lot of ground here, but there’s something that I’d like you to consider. Given the dire results of CEB’s study, can you really afford not to become a value integrator? The reality is that if you don’t, you’ll believe many of the myths about risk management and they all have one thing in common: they all remind me of that ostrich who sticks his head in the sand in the face of danger.