Risk Management

Survival in the Age of Risk

There is danger all around, judging by companies’ heightened focus on managing risk. In the midst of the maelstrom: the CFO.
Marshall Krantz, August 13, 2008

Faced with threats from all quarters — recession and credit crunch, heated global competition, continuing Sarbanes-Oxley pressures — companies are making intensive risk management a top priority, and once again CFOs find themselves on the front lines.

Many CFOs now must deal not only with managing risks traditionally under their purview, such as compliance and liquidity, but also with the full gamut of enterprise risks, from politics to product launches, as they increasingly play the role of strategist.

In fact, about half of companies globally assign oversight of risk management to their CFOs, according to a survey of some 1,200 CFOs and senior finance professionals conducted last year by IBM Global Business Services in conjunction with the Wharton School and Economist Intelligence Unit. (CFO.com is part of The Economist Group.)

“Enterprises are looking at risk more systemically,” said Stephen Lukens, global and Americas financial management leader of IBM Global Business Services. “Corporations acknowledge that they need to understand the material risks to their value drivers. Therefore, the number of CFOs focusing a portion of their time on risk has gone up.”

Some companies are going so far as to transfer their CFOs to chief risk officer (CRO) positions, a move that until recently would have been viewed as a demotion. Walgreens, for example, took this step in May, and truck and engine maker Navistar International did so in June.

“The CRO position is fast becoming a best practice among large companies,” said Jeffrey Rein, chairman and CEO at Walgreens, which moved CFO William Rudolphson to a newly created CRO slot. He will continue to oversee audit and compliance, as well as risk management, but not finance, whose new chief is former Tyson Foods CFO Wade Miquelon.

“Given our size and complexity, and the highly regulated industry in which we operate, separating the financial and audit functions and increasing our focus on risk identification and mitigation is a prudent move,” said Rein.

Most companies, though, have not yet designated a chief risk officer. In the IBM survey, only about 20 percent of respondents said a CRO is responsible for managing risk at their companies. Lukens said he found that result surprising. “The CRO title isn’t as prevalent as we all might think,” he said.

Mary Roth, executive director of the Risk and Insurance Management Society, whose members focus mainly on operational risk, agreed. “Most of our members report through the CFO,” she said, adding, “The CRO position is still trying to find its place in Corporate America.”

One part of Corporate America where CROs have gained a firm foothold is in banks and other financial services companies, noted Kevin Blakely, president of the Risk Management Association, which represents financial-institution risk managers.

Blakely said most major banks and financial services companies employ a CRO and keep finance and risk management as “two separate and distinct” organizations. He observed that finance focuses on risk avoidance while risk management focuses on risk taking.

“The CFO doesn’t have the capability to assess the collectibility of loan portfolios,” Blakely contended. “That’s in the realm of the CRO.”

But it’s precisely that distinction — the traditional CFO role of concentrating on risk avoidance, versus risk taking in pursuit of profits — that organizations are obliterating in other industries by having risk management report to the CFO.

Forty-three percent of finance organizations balance their risk management efforts between risk avoidance to protect assets and risk taking for growth, according to a poll of 680 CFOs and finance executives who attended a Deloitte & Touche webcast last year on risk management. Twenty-two percent focus primarily on what Deloitte terms unrewarded risk, or protecting assets, while 12 percent focus mostly on what it calls rewarded risk, or risks pertaining to growth.

Finance organizations still contribute overwhelmingly to enterprise-wide risk management in the traditional finance areas of compliance, liquidity, credit, and financial fraud — more than 80 percent of finance organizations contribute at least partially to managing those risks, according to the IBM survey.

But some 60 percent contribute partially or fully to managing market risk, more than 50 percent to reputational and information technology risks, and about 40 percent to supply chain disruptions and episodic or catastrophic risks such as pandemics.

“We’ve seen the nature of the CFO profile move,” said Lukens. “In the late 1990s and early 2000s, CFOs tended to be deal makers. Today, CFOs tend to be more focused on strategy, innovation, and performance management. They need to build organizations that are flexible enough to deal with business model changes and innovation.”

For companies that don’t already have comprehensive risk-management programs, the biggest obstacle to developing one is simply not recognizing its value, according to Lukens.

“Organizations that pursue risk in narrow, legalistic terms will probably never get the discussion started,” said Lukens. He recommended that CFOs, in proposing an enterprise-wide risk management program to board members and other senior managers, connect the dots of risk management and performance management. In other words, a comprehensive evaluation of risk provides critical insight into ways that companies can improve their performance.

Even companies that do recognize the value of comprehensive risk management face considerable hurdles.

As one might expect from a company whose expertise is in information management, IBM Global Business Services essentially recommends standardization of information across the enterprise, specifically the following four measures: common data definitions, a standard Chart of Accounts, common information-gathering processes, and company-mandated — as opposed to voluntary — standards.

IBM calls these four measures “the components of good governance” — but found that fewer than one in seven enterprises with more than $1 billion in annual revenue practices them. Companies that deploy these methods through what IBM terms Integrated Finance Organizations enjoyed revenue growth rates nearly double that of their industry competitors.

“Those who take control of their risk management in a formal and purposeful way are more likely to identify risk events faster, respond to them quicker, and prepare for them better,” the IBM report concludes.

Deloitte also recommends centralizing information related to risk, warning CFOs about the pitfalls presented by a plethora of risk management programs in various business units or geographically based operations.

CFOs who are assigned responsibility for their companies’ risk management programs might falsely assume that they have risk management covered with that plethora of programs. But once they examine those programs in detail, they often discover something akin to a Tower of Babel.

“That’s where they find duplication and contradictions or a lack of a common risk management framework or infrastructure,” said Henry Ristuccia, deputy managing partner of Deloitte’s audit and enterprise risk services practice in the Northeast.

Ristuccia estimated that a centralized risk management program can save companies up to 30 percent, mainly in soft dollars, in risk management costs. But more important, he said, “By bringing these programs together, senior executives and the audit committee can get a much better understanding of the risks that really matter and what the organization can do to mitigate them.”