The Value of Enterprise Risk Management In Strategic Planning

Why integrating the two will help you look forward, not back


In recent years, facing increased demands from regulators and stakeholders, CFOs have increasingly put managing compliance and risk at the top of their agenda. Indeed, according to a recent EY survey of 769 finance leaders titled ‘The DNA of the CFO’, 57% cited risk management as a critical capability in the future. As Anton Dominique, CFO & CMO at London School of Marketing, noted in a recent interview with us: ‘CFOs have to constantly monitor the business to ensure it is resilient to possible shocks and have mitigation strategies in place should these shocks occur. It is not eliminating risks, sometimes at high costs, but understanding and managing risks.’

The question currently facing CFOs is how do you marry enterprise risk management with strategic business planning? Thomas Aquinas once said, ‘if the highest aim of the captain were to preserve his ship, he would keep it in port forever.’ Similarly, if risk management is your overriding concern, your business will never do anything. CFOs can no longer afford to be a constraint on business growth; they are now expected to be a growth-driver and find ways to add value.

In his recent presentation at the FP&A Innovation Summit, Frank Van Slyck, VP of Finance at Nestle Nutrition (Gerber), discussed the value finance leaders can get from integrating enterprise risk management and strategic planning. He noted that the biggest problem most organizations have is that Enterprise Risk Management and Strategic Planning are separate functions. According to ‘the State of Risk Oversight: An Overview of Enterprise Risk Management Practices 7th Edition’, 60% of large organizations have assigned oversight responsibility to an audit committee and 26% to the risk committee. This is understandable as they deal with risks, but it is also a bit isolationist. These teams have developed policies and procedures to insulate the company from risk, but all of these processes prevent the company from being nimble, which is what a strategy has to be in a dynamic world.

By putting yourself in a position where you have a risk team isolated from the rest of the company putting together an ERM framework, you also create friction, as you have two sides of the organization doing separate things. You have a misalignment, with each having very different priorities from the process. Strategy is moving in one direction, while not taking into account protecting it from risks. Equally, whoever is setting out the risk priorities is not paying attention to the strategy. The risk management profiles do not necessarily keep up with the needs of the organization, and the business can get caught off guard. In the state of risk survey, just 30% of respondents said risk exposures are formally discussed while reviewing the organization’s strategic plan and 63% admit they were caught off guard by an operational surprise ‘somewhat’ to ‘extensively’ in the last 5 years.

Organizations need to change their mindset when it comes to audit. Van Slyck likens it to driving a car. You have your CFO and CEO in the front seat looking ahead, steering and deciding which direction to go. The auditor is in the back looking out the rear windscreen describing things that have already happened. This adds no value - everyone needs to be looking forward and driving value.

Setting up an ERM solution starts with understanding your business. A team of people carries out interviews, sends out confidential surveys to get insight, and generally does everything possible to develop a better understanding of what’s going on in the organization. They will often do external benchmarking to get the outside view. With an ERM solution, you don’t want only an internal view, or you end up with more policies and procedures for controlling what you have today, rather than looking forward. With this understanding, you can build a very simple, high-level overview of your risks, with little detail - essentially a basic heat map of the probability of a risk actually happening versus how severe the impact would be.

The goal when creating an ERM system is not to get everything into the green, nor is it to have everything in the red; it needs to be balanced to drive value.

Van Slyck uses the example of IT security, which is a highly likely proposition with a severe impact. You can put a team of IT experts together to analyze all systems. They will perhaps recommend standardizing them across the organization or consolidating them all into one. This may create value by introducing synergies, but it could also slow you down, because it stops you innovating. For example, if you have a really great technology solution that you want to implement, the restrictions on new systems they have brought in may prevent you from doing so. You’re essentially landlocked. The solution is to ask yourself, ‘How will I drive value to create this? How do I grow revenue? Do I have capacity to do this? Do I have enough single-sourced material? Does the organization have a lot of them, or a process to understand how to get more? What are the capital requirements?’ You should be looking at your supplier data to understand if they’re viable for 3-5 years out, for one. If you start asking yourself these questions, risk management stops being internally focused and starts to create value. It also helps everyone throughout the organization to understand the risk profile. If you start asking yourself why, what if, and how can I go ahead and handle that, you get a lot more people at the table.

Increasing the reach of understanding of the risk profile has a range of benefits. It enables risk to be built into everyone’s assumptions and forecasts from the beginning. So if you have a marketer who wants to build a new app, for example, and everyone is aligned in their risk strategies, you will already have hired people who truly understand digital security and who can provide a solution in the embryonic stage of the idea. It allows you to be prepared for any eventuality, but stops you from being hampered by fear.

