Ash Noah, VP of CGMA external relations at the Association of International Certified Professional Accountants, discusses the need for Enterprise Risk Management in a volatile business environment
Traditionally, risks come in two forms: financial and nonfinancial. But organisations are now facing an ever-increasing array of risks that significantly affect success. Attention-grabbing headlines in recent months have highlighted the dangers of cyber-attacks, with the WannaCry and Petya strikes showing significant weaknesses across government entities and global conglomerations.
With the changing nature of the business environment, it is now more important than ever that CFOs transcend their financial responsibilities and lead the charge for formulating robust risk management strategies.
Building a greater resilience to threats is essential for business growth and, in order to do this successfully, finance teams must be able to detect, assess, evaluate and mitigate exposure to business risk.
This is achievable through a robust enterprise risk management (ERM) platform – a system that encourages professionals to look beyond financial risk and take a comprehensive and all-inclusive view. Below are some of the ways ERM can help finance leaders shore up their defences.
It’s important to understand the global state of play when it comes to existing risk management systems. In today’s digital and interconnected global environment, business risks occur with greater frequency and velocity than ever before. Yet, despite a generally accepted understanding of the complex risk environment, the findings from the 2017 CGMA Global Risk Oversight report are stark: risk management practices appear to be immature and there are real barriers within organisations to integrating risk management and strategic planning processes.
Doing so requires collaboration across businesses from top to bottom, meaning finance professionals need to embrace a wider scope. Similarly, organisations must encourage this broadening skillset so that financial teams can meet evolving expectations and provide greater value to both business and society.
The report found that only 21% of companies in Europe and the UK have a complete ERM process in place. Additionally, fewer than half of companies describe their ERM process as robust, with some, but not all, risks addressed. Those are worryingly low numbers and should be a major concern for finance leaders, as currently, the protective structures simply aren’t in place.
Yet, despite boards and senior management teams understanding that this lack of preparedness can be catastrophic for business fortunes, many still make an association between the term ERM and a big enterprise initiative that is too burdensome to take on – especially if it’s not mandated. Even for companies that do have ERM in place, its true worth often isn’t realised as it is viewed as a routine “box ticking” exercise.
But risk doesn’t discriminate. No matter the size of the company or the industry it’s in, risk affects all businesses. That’s why more senior leaders are calling on their businesses to implement ERM as a holistic approach to risk management.
Finance teams are central to risk management and the implementation of ERM to ensure organisations survive in this disruptive age. ERM is no longer a ‘nice-to-have’; it’s a ‘must-have’. Implementing a system that is built on a methodical and consistent approach to risk is also the best way to maximise value for shareholders and stakeholders.
A holistic approach to risk management differs from traditional approaches that focus on managing silos or distinct pockets of risks. ERM advocates a top-down, all-inclusive view of key risks. It’s a comprehensive approach that considers the probability of these risks having an impact upon an organisation’s ability to achieve its business goals.
This means it’s not just about protecting tangible and financial assets; ERM focuses on the enterprise-wide risks that have the potential to derail your business strategy.
For finance teams, the beauty of ERM is that it can be applied to large and small businesses across varying industries. It’s a hugely effective way of shoring up a business’s defences in the face of unprecedented corporate risk.
Here are 5 things to think about when implementing ERM:
- Get decision makers on-board. For ERM to work, those at the top of an organisation must really see its value. Commitment from the CEO and board is critical to ensure a smooth implementation. It also ensures that senior management feels confident and supported when managing risk in the company. Once decision makers are on-board with ERM, the importance of the system needs to be communicated to all levels within the company.
- CFOs should act as champions. The financial principal should always be the go-to person when looking to establish ERM. They naturally oversee risk and will play a critical role in understanding the benefits of managing risk in a coherent and consistent way.
- Be clear on your company’s incumbent risk process. It’s worth taking a look at what your company is already doing to mitigate risk. Although it’s clear that the majority of UK and European businesses do not use an ERM process, most will employ some level of risk management – there is no point duplicating work and wasting time.
- Adopt a framework that works for you. Identify the best risk management framework that fits your organisation’s needs. This will need careful consideration and should be aided by detailed research. The Committee of Sponsoring Organizations of the Treadway Commission offers a good starting point.
- Keep on top of processes. Implementing an ERM process is just the first step – it’s not a case of ‘job done’. Once in place, it’s critical that mitigation plans and risk registers are regularly reviewed to keep them up to date with the risk environment.
Finance teams should naturally play a critical role in overseeing risk within a business, but never has it been more important that finance professionals not only play a part, but lead and drive the process.
Increasingly, the onus is on the CFO to implement processes that are robust, capable and resilient. ERM should not, however, be viewed as an exercise in compliance; it is an opportunity for finance professionals to get comfortable with understanding and managing risk, rather than being risk averse.
The finance function should be acting as the value and risk integrator for their organisation, empowered by a resilient ERM system.
CFOs are best placed in an organisation to lead this proactive approach to risk. These risks are best anticipated and prepared for when finance is collaborating with other arms of the business to establish and plan for them – neither function should be working in a silo.
Implementing an ERM system in this way will improve business performance and governance, and – perhaps most importantly of all – play a crucial role in protecting organisations in today’s volatile business environment, ultimately creating a competitive advantage.
Ash Noah, CGMA, is Vice President of CGMA External Relations at the Association of International Certified Professional Accountants (AICPA)