Risk Management

Risk management for CFOs: 5 toplines

From the types of risk to the best training options, here’s what CFOs need to know.
article cover

Mikkelwilliam/Getty Images

· 5 min read

Risk management sounds almost paradoxical: It’s about providing a certain response to uncertainty. Companies and their audit committees surface hundreds or thousands of things that may go wrong, and determine what they will do to address those issues. It is the art of knowing about the unknown.

Abstract as all that may seem, it’s an advanced field of practice in business, complete with detailed frameworks and best practices—and a major role for the CFO and the finance team.

What types of risks should CFOs be planning for?

Risk often springs from acute internal and external events. Steven M. Bragg, in his ebook The New CFO Leadership Manual, cites the following categories:

  • Natural disasters, which are increasing in frequency amid climate change
  • Systemic issues, such as malfunctions at a company’s manufacturing plant
  • External forces, such as cybersecurity attacks and fraud

But there’s also a growing interest in “strategic” risk—the idea that a company may be putting its business focus in the wrong area, or that the business model may be disrupted by technology and other factors.

Companies also are gauging reputational risks, the internet-amplified risk that a mistake or bad luck could turn public opinion against a company.

How can companies plan for risk?

Enterprise risk management follows this standard arc:

  • Identify and categorize risks
  • Prioritize risks based on their probability and likely impact on the business
  • Develop mitigation plans for the highest priority risks
  • Manage and monitor risks on an ongoing basis

But the execution of those steps can vary widely. Often—but not always—there’s a risk management committee, which may even be a subcommittee of the board.

Most companies also offer standardized risk assessment processes for business leaders, but only 42% provide training in enterprise risk management, according to an AICPA report, The 2023 State of Risk Oversight.

What are the types of strategic risk?

There are subtleties within strategic risk, which can be divided into two major categories, according to a Deloitte report entitled “The Risk Intelligent CFO.”

The report lays out risks “to” and “of” an organization’s strategy.

In other words, risks “to” a strategy are those that could stand in the way of growth, such as difficulties obtaining financing, or a breakdown in the supply chain.

But the risks “of” a strategy are often harder to spot. These are the risks created by the strategy itself, including the possibility that its underlying assumptions are wrong and that the effects of implementing strategy may be damaging, for example, if a new product is offensive to public opinion.

News built for finance pros

CFO Brew helps finance pros navigate their roles with insights into risk management, compliance, and strategy through our newsletter, virtual events, and digital guides.

“What’s looming that could upend assumptions about your company, customers, and market environment? How deeply are those assumptions embedded in your strategy? Which changing assumptions might actually turn out to be opportunities?” the report read.

What is a CFO’s role in risk management?

The growing attention on this process creates a new role for the CFO, who may manage the Chief Risk Officer and oversee much of the collation and presentation to the board of risks and associated data. That takes a broader skill set than traditional accounting.

“Many financial executives respond not only to change, but also to the demands these changes create for more comprehensive information, better understanding of risks, deeper market knowledge, and, especially, a new skill set,” reads a report from the Financial Executives Research Foundation.

The executives interviewed for the report named a number of key roles that the CFO can support, such as:

  • Identifying sources of change, such as technology
  • Building a process to screen signal from noise
  • Reassessing a company’s competition
  • Analyzing the customer base as a “source of information, not just about current sales but about future change and potential disruption,” according to the report.

What kind of training is available for risk management?

Nonprofits and professional associations offer a range of training in enterprise risk management. Some examples include:

News built for finance pros

CFO Brew helps finance pros navigate their roles with insights into risk management, compliance, and strategy through our newsletter, virtual events, and digital guides.