Last August, when Virgin Mobile CFO John Feehan spotted signs of looming bankruptcy at Circuit City, a retail outlet for his company's cell phones, he didn't sit idly by. Instead, Virgin Mobile tightened billing terms, demanded cash payments, and adjusted shipments daily. When Circuit City finally filed for bankruptcy in November, the bad news did not leave Virgin Mobile stuck with a pile of illiquid receivables.
Score one for risk management, a discipline that is being taken far more seriously these days thanks to the profound culpability it would seem to bear for the current financial crisis. According to a survey of 125 CFOs last September, 62 percent of finance executives blamed the crisis on risk management's inability to understand complex financial instruments; nearly three quarters of the respondents said risk management now outranks in importance such issues as long-term and short-term debt financing, relationships with financial institutions, pension-plan asset allocation, and the ability to secure equity financing.
But, to paraphrase the "Seinfeld" joke about car reservations, it's not enough to have risk management, you have to practice risk management. Consider Citigroup. The banking behemoth dutifully spelled out, as item 1A in its hefty 2007 10-K, a roster of lurking perils that ranged from credit, market, and market-liquidity risk to fiscal and monetary policy concerns. But barely six months after filing that document, top Citi managers headed to Washington, D.C., hats in hand, hoping for a $25 billion loan to keep the nation's No. 2 bank viable.
Pressure from Above
What makes the current situation so dire is the way in which so many major risks are converging all at once: a credit crisis, volatile commodity prices, soaring government debt, rising unemployment and its attendant impact on consumer spending — the list goes on.
None of those risks are lost on CFOs, of course, who now have an additional impetus to address them: more pressure from boards. Corporate directors in most industries have gotten risk religion, says Henry Ristuccia, U.S. leader of Deloitte's governance and risk-management practice in the Northeast. "More external directors are asking senior management: What are the company's major risk issues? What are the dimensions of governance and risk management? What levers and tools does the company have in place for risk management?"
Steve Young, CFO of Franklin Covey, a global consulting and training company, says that as credit markets have tightened and the economy has worsened, his directors have pushed for a clearer picture of what to expect in a strained economy.
But how to satisfy such requests? Risk management takes many forms. Large firms often have chief risk officers (an increasingly popular post) or even dedicated departments. Smaller firms usually can't afford that kind of resource, but that doesn't mean they can't effectively assess risk. Some take a moderately decentralized approach; at Hughes Communications, for instance, CFO Grant Barber manages risk related to capital and cash flow, the head of HR handles facilities risk and insurance, and IT handles computer security, data protection, and similar forms of what might be called electronic risk.
Virgin Mobile gets even more decentralized. CFO Feehan says that the firm's relatively small size (400 employees) allows it to take a hands-on approach to risk by "perceiving risk management as part of our daily life. We don't separate it out as a separate function; it's just part of how we manage every aspect of the business."
That approach has served the company well, but the aforementioned survey of CFOs (conducted by CFO Research for Towers Perrin) found that they are now more interested in systematic solutions to risk management than they have been in the past. Nearly half the respondents expect to implement broad changes to their risk-management policies and practices, from the shop floor to the boardroom.
So Many Risks...
But some CFOs caution that formal enterprise risk management (ERM) programs won't succeed if they don't mesh well with a company's culture. Impose a new framework from on high and you risk crushing something underneath. Floyd Chadee, the CFO of StanCorp Financial Group, says that his company assesses several substantial risk factors, from potential shortfalls in reserves (to meet insurance obligations) to the adverse effects of declining equity markets.
StanCorp manages all those risks in a host of ways, Chadee says, including "sound product design and underwriting; effective claims management; disciplined pricing; distribution expertise; broad diversification of risk by customer geography, industry, size, and occupation; maintenance of a strong financial position; maintenance of reinsurance and risk-pool arrangements...." You get the idea.
Chadee isn't opposed to ERM, but cautions that "it's important that formal programs consider all the risks. Programs can be packaged and sold as an idea. That's form, not substance."
Cracking the Code
In the same way that organizational improvements can help foster a culture of risk management, some experts argue that modest IT improvements can provide a boost as well. While integrating risk-management reporting into the typical reports and systems that employees rely on may sound daunting, says James Lam, president of the risk-management consultancy James Lam & Associates, it doesn't have to be. Most companies can readily access 60 to 80 percent of the data they require to get a better view of risk, he says. A dashboard display of key data points on an employee's monitor or a company's intranet page can capture, analyze, and present the most salient information. "It's similar to the electoral map on CNN where the anchors drill down into different states or counties and populations," Lam says. "You can get in-depth analysis or an overview."
The new interest in ERM has inevitably led to renewed interest in software designed to automate the deployment of such frameworks and otherwise address risk by scouring databases and serving up reports that might warn of trouble ahead.
ERM software has been around for years but has never taken the market by storm, despite vendors' claims that the newest versions have gotten much better at monitoring and analyzing risks subject to strategic objectives. "Executives often see it as just another [empty] initiative," says Mark Beasley, North Carolina State University's Deloitte professor of enterprise risk management.
Ironically, perhaps, a major investment in ERM software strikes many C-level executives as risky, given how scarce cash is at the moment. Directors at Ensign-Bickford Industries, a diversified manufacturer, are in the beginning stages of reviewing an ERM system, but the collapse of so many Wall Street titans may give their senior management second thoughts. "ERM was supposedly working well for the financial-services industry, but, as we've seen, it broke down somewhere," says corporate risk manager Rick Roberts. Although tarnished, ERM remains viable, he adds.
Indeed, one of the most shocking aspects of the collapse was that it took place in an industry widely regarded as having state-of-the-art ERM practices. "I hope that one of the things that comes out of this experience," says StanCorp's Chadee, "is a sober look at what the industry means by ERM." Chadee says part of that would hinge on a move away from sales hype in favor of programs that cater to unique corporate cultures and risk appetites.
Another part of that sober look, experts say, would involve focusing more attention on truly understanding the risks that shape strategy and tactics. "Businesses have clearly managed risk for centuries," says Beasley, "but this situation calls into question the quality of risk-management processes in relation to strategies."
Progress may depend largely on incremental improvements rather than technological leaps or massive consulting engagements. Existing risk-reporting processes must break down silos that impede risk oversight and prevent a broader awareness of risk throughout the organization. "It's certainly a major mind shift in corporate thinking," says Beasley. "It has to convey top-down endorsement from the board and executive suite." And, he says, it won't happen overnight.
Unfortunately, regardless of which approach a company decides to take to get its risk-management capabilities up to speed, expect to devote plenty of time and effort to it. "It's not something that you can just decide to do in a week," says Chadee. "It builds through the consciousness of the organization and becomes part of the DNA of the organization." In fact, he says, while it's critical to get executive sponsorship, true success depends on a far more organic process. "When you start developing risk in conversation," he adds, "the formality will develop around it."
On the plus side, odds are good these days that risk is coming up in just about every water-cooler conversation — assuming companies haven't canceled the water-delivery service.
Kate Plourd is a reporter at CFO.
Risk isn't just ubiquitous these days; it has an unpleasant way of appearing out of nowhere. Art-supply retailer Hobby Lobby, which operates 392 stores in 38 states, thought it had a firm grasp of its own risks. But when the industry experienced weakness, CFO Jon Cargill grew concerned about potential problems in his supply chain. Cargill says he "immediately identified other vendors that we could give additional capacity to if some of the factories closed and vendors ceased to exist." But the lesson was clear: risk managers now need a much wider field of vision if they hope to successfully see what's coming at them.
Franklin Covey, which trains its customers to sharpen leadership skills and strategic thinking, has put particular emphasis on stress-testing its cash-management policy against worst-case scenarios. "We have assessed business conditions in every way we can think of, from our basic cash position to catastrophic situations," says CFO Steve Young. "We're far more compelled to do that now than in the past." — K.P.