Risk management for CFOs: 5 toplines

Risk management sounds almost paradoxical: It’s about providing a certain response to uncertainty. Companies and their audit committees surface hundreds or thousands of things that may go wrong, and determine what they will do to address those issues. It is the art of knowing about the unknown.

Abstract as all that may seem, it’s an advanced field of practice in business, complete with detailed frameworks and best practices—and a major role for the CFO and the finance team.

What types of risks should CFOs be planning for?

Risk often springs from acute internal and external events. Steven M. Bragg, in his ebook The New CFO Leadership Manual, cites the following categories:

• Natural disasters, which are increasing in frequency amid climate change
• Systemic issues, such as malfunctions at a company’s manufacturing plant
• External forces, such as cybersecurity attacks and fraud

But there’s also a growing interest in “strategic” risk—the idea that a company may be putting its business focus in the wrong area, or that the business model may be disrupted by technology and other factors.

Companies also are gauging reputational risks, the internet-amplified risk that a mistake or bad luck could turn public opinion against a company.

How can companies plan for risk?

Enterprise risk management follows this standard arc:

• Identify and categorize risks
• Prioritize risks based on their probability and likely impact on the business
• Develop mitigation plans for the highest priority risks
• Manage and monitor risks on an ongoing basis

But the execution of those steps can vary widely. Often—but not always—there’s a risk management committee, which may even be a subcommittee of the board.

Most companies also offer standardized risk assessment processes for business leaders, but only 42% provide training in enterprise risk management, according to an AICPA report, The 2023 State of Risk Oversight.

What are the types of strategic risk?

There are subtleties within strategic risk, which can be divided into two major categories, according to a Deloitte report entitled “The Risk Intelligent CFO.”

The report lays out risks “to” and “of” an organization’s strategy.

In other words, risks “to” a strategy are those that could stand in the way of growth, such as difficulties obtaining financing, or a breakdown in the supply chain.

But the risks “of” a strategy are often harder to spot. These are the risks created by the strategy itself, including the possibility that its underlying assumptions are wrong and that the effects of implementing strategy may be damaging, for example, if a new product is offensive to public opinion.

“What’s looming that could upend assumptions about your company, customers, and market environment? How deeply are those assumptions embedded in your strategy? Which changing assumptions might actually turn out to be opportunities?” the report read.

What is a CFO’s role in risk management?

The growing attention on this process creates a new role for the CFO, who may manage the Chief Risk Officer and oversee much of the collation and presentation to the board of risks and associated data. That takes a broader skill set than traditional accounting.

“Many financial executives respond not only to change, but also to the demands these changes create for more comprehensive information, better understanding of risks, deeper market knowledge, and, especially, a new skill set,” reads a report from the Financial Executives Research Foundation.

The executives interviewed for the report named a number of key roles that the CFO can support, such as:

• Identifying sources of change, such as technology
• Building a process to screen signal from noise
• Reassessing a company’s competition
• Analyzing the customer base as a “source of information, not just about current sales but about future change and potential disruption,” according to the report.

What kind of training is available for risk management?

Nonprofits and professional associations offer a range of training in enterprise risk management. Some examples include:

• The Risk Management Society, which offers two-day virtual workshops starting at $775 for members, with a focus on implementing ERM.
• The Committee of Sponsoring Organizations (COSO) has a certificate program for ERM. Lasting two and a half days, the virtual program includes 18 hours of CPE and starts at $1,799.
• The Public Risk Management Association offers a four-day virtual course on ERM starting at $500 for members.
• The Institute of Risk Management (based in the UK) offers a range of virtual and classroom training.
• The Enterprise Risk Management Association offers three levels of certification in ERM, including one for senior corporate leaders.
• The Society of Actuaries offers a Chartered Enterprise Risk Analyst credential.
• The Professional Risk Managers’ International Association offers a Professional Risk Manager designation through a series of evaluation exams.