
Risk management and the role of the FD/CFO in non-financial services

The fourth meeting of the Blue Chip Finance Leaders Programme, developed in association with IBM, took place at Chartered Accountants’ Hall on 24 November 2011.

The topic of risk management proved so popular that two roundtable discussions were held in parallel on the day; one for those in the Financial Services sector and the other for those in other businesses.

This synopsis covers some of the key points discussed during the non-FS sector roundtable, which was attended by fifteen FDs and CFOs from a broad spectrum of major FTSE, private and public companies. The discussion, held under the Chatham House Rule, was facilitated by Richard Anderson, Deputy Chair at IRM. It allowed for significant sharing of personal experiences and expression of personal views on many different aspects of the role of CFO/FD and the impact of risk management, but also brought home to the group that many are facing similar challenges.

Questions posed for the discussion

Have you a clear picture of your organisational risk management capability? Have you formally assessed how much risk you can carry? Is risk management mature in your organisation and how do you know?

Do you have a risk committee, if not why not? If so, is it a non-executive committee, an executive director committee, a committee of functional experts or a hybrid of all three? What’s on the agenda for the risk committee?

What measurement techniques are you using to measure your risk positions? Do you measure the impact of your strategic risks? How? Do you have risk and control metrics in place to track key risks and controls?

The risk management (RM) capability

The discussion started by asking about the organisation’s capability and maturity of approach to RM, and the responses were varied. Some organisations have adopted a formal approach to RM, especially for the more strategic elements of risk as opposed to the day-to-day operational risks of running a business, which are managed and mitigated by management. For example, strategic and reputational risks aren’t always considered and unexpected risks like the ash cloud are rarely included, though contingency planning and recovery might reflect some of this thinking. Large capex projects and M&As will often assess issues such as currency fluctuations and political unrest – but how often are the upsides already included in the base case, leaving only downside risks to be considered and not further opportunities? Whilst risks are often implicitly considered, there may be no formal framework adopted to assess risks and opportunities, leaving the FD/CFO to make the assessment more explicit and independent. Often the risk appetite may depend on the risk tolerance of the top management, and recent experience may colour this appetite. The risk appetite will also vary depending on the nature of the business and the ownership of the business. The key is to assess the risk and modify processes to mitigate the risk. Minimising risk may lead to poorer risk-averse decision-making and stifle creative and innovative solutions. Few were regularly talking to stakeholders about risk.

Responsibility for RM

Who should bear the responsibility for RM in the organisation? Should it be the responsibility of a professionally-trained CRO to assess the risks or should it be embedded in the culture of the business? Does a NED have sufficient knowledge of the business to take a considered view of the risks involved in operations? Does the CEO’s gut feel obviate the need for more formal procedures? Performance and audit committees often include risk in their remit but how forward looking are these reviews? How often is risk assessment an academic exercise paying lip-service to the real risks? Is bad decision-making a result of poor risk assessment or poor judgement?

Measurement of risk

This is sometimes referred to as the “price of risk.” In attempting to measure the scale of risk, businesses may pose two questions:

  • How big could the impact be on the business?
  • What is the likelihood of it happening?

In answering these questions the risk can then be assessed in terms of its importance to the business and consideration should be given to the net impact rather than the gross. A form of traffic lights to prioritise risks was mentioned. Is there any evidence that businesses would be better off if these risks were measured?

Barriers preventing RM from being taken further

The following factors might make a more formal approach to RM more difficult in an organisation:

  • A dominant CEO with strong views on what risk appetite or tolerance is acceptable
  • Mindset – is it endemic in the way decisions are made? Can it be embedded in the culture?
  • Fear of failure – will all the downsides be considered or is that admitting it may fail?
  • Cost – what will it cost to consider all risks formally? How can it be made a more efficient process?
  • Time and speed of response if a risk is identified? 
  • Distance from the “centre” and local culture – is it in their thinking?
  • Quality of thinking – real assessment or lip-service?
  • Too many other business priorities? How important is it seen at the top?

Future topics for discussion

Suggestions for future discussion topics included:

  • Managing business in volatile territories
  • Budgeting and forecasting and scenario planning
  • Business decision making
  • Managing banks – getting the most from them 
  • Managing other functions eg IT, legal.