Risk Management

6 Steps for CFOs to Minimize Organizational Risk

Finance chiefs should think of risk management as a way of ensuring success rather than as a distraction from other top priorities.
Ashok (Ash) Noah, April 18, 2023

In the past year alone, the world of business has been impacted by geopolitical tensions, supply chain disruption, inflation, changing fiscal policies and regulations, and intensifying natural disasters. A lingering pandemic has also stress-tested the risk management processes of global organizations.

Unknowns are unavoidable in a complex world. But eliminating uncertainty is not only impossible — it’s ill-advised. Why? Because the pursuit of certainty can lead to focusing only on what can be measured, creating dangerous blind spots. For organizations to thrive, they need to find a happy medium between stability and strategic risk-taking. Achieving that balance starts with identifying potential risks and blind spots.

To best mitigate risk and ensure that critical business functions will continue to operate in the event of an unexpected disruption, finance leaders should aim to create robust business continuity management (BCM) and implement enterprise risk management (ERM) while fostering a culture fluent in dealing with risk and strengthening a risk mindset throughout the entire organization.

Accounting and finance professionals can take the lead on risk management through these key steps.

1. Form a Comprehensive Risk Management Strategy

Disruptions happen. It’s how businesses deal with them that matters most to stakeholders. A solid business continuity plan allows organizations to continue delivering critical products and services in the face of an unplanned incident or crisis.

However, while a majority of business leaders believe the number and complexity of risks have increased over the past five years, only about a third of enterprises have complete enterprise risk management (ERM) processes in place, according to the 2022 Global State of Enterprise Risk Oversight report, jointly commissioned by the ERM Initiative at North Carolina State University and AICPA & CIMA.

These findings point to a dangerous planning gap for many organizations around the world. If your organization does not have a comprehensive ERM plan in place, creating one, or enhancing and updating an existing plan, should be a top priority.

The ERM plan should integrate risk management with strategic planning initiatives, something most organizations struggle to achieve, according to the report. In addition to minimizing the impact of a crisis on your business, risk management processes have the potential to offer valuable insights about which initiatives are most likely to pay off and which might not be worth the risk.

2. Include Diverse Viewpoints in the Planning Process

As your organization creates or enhances its ERM plan, make sure you’re hearing from a diverse set of viewpoints throughout the planning process.

Open lines of communication with all key stakeholders, including customers, contractors, suppliers, community members, and employees at all levels. Representatives from each function should have the opportunity to participate and express their thoughts and concerns. Also, finance professionals should avoid using jargon and make the numbers as visual as possible to increase understanding and facilitate discussion.

By casting a wide net and soliciting feedback from a range of sources, you can decrease blind spots and the chance of your organization being caught by surprise.

3. Keep Tabs On Emerging Risks

The list of historic or emerging risks that organizations face includes:

  • Digitalization of society and emerging technologies

  • Public distrust in business

  • Trade tensions

  • Economic and social inequalities

  • The changing regulatory environment

Keeping tabs on the myriad risk factors and evaluating the various ways they could affect your organization is an overwhelming task. With the ever-increasing amount of available data, it makes sense to harness technology to sort through the noise, uncover insights about which risks are most likely to affect your business, and estimate the probability of their occurrence. To respond rapidly to crises, it helps to see them coming or at least know about them as soon as they occur.

4. Don’t Rely On Numbers Alone

Other common blind spots organizations fall victim to include confirmation bias and an overreliance on numbers.

It might be tempting to find comfort in the clarity numbers bring, and to use those numbers to confirm preexisting theories or predictions. However, relying on numbers alone means ignoring unmeasurable, intangible, but very real factors that contribute to the situation.

Instead of presenting management reports as static and final documents, use them as jumping-off points for cross-functional discussion and productive debate to uncover potential blind spots, and focus on asking questions rather than providing answers.

5. Invest in Risk Management for the Greatest Returns

Most organizations have some processes in place to manage risk, but some may not be investing enough resources into ERM. Fewer than half of respondents to the Enterprise Risk Oversight report think their risk management processes provide important strategic advantages.

Organizational leaders should think of risk management as a way of ensuring success rather than as a distraction from other top priorities. If your organization doesn’t have complete ERM processes in place, your next step will be to engage key stakeholders to create a plan to define and refine them. The best time to prepare for an incident or crisis is during periods of relative calm. Once an incident occurs, it’s already too late to form an effective plan.

6. Open Lines of Communication Across Functions

Silos are the enemy of agility. When an incident occurs, the key functions need to work together to address the situation with a unified front. To make sure risks are managed across the enterprise, many organizations have formed management-level risk committees composed of individuals from each business function.

Whether an incident in question is a global pandemic or a company scandal, it will probably involve more than one function. A case in point: The COVID-19 pandemic has required coordinated responses from human resources, IT, finance, marketing functions, and more. 

The finance function is able to facilitate cross-functional problem-solving by encouraging debate and constructive conversations around doubts. Not all risks are going to be revealed in spreadsheets, which is why it’s essential for management accountants to consistently raise questions about things that cannot be measured. When working to solve complex problems with other business functions, finance professionals should address and mediate any tensions that arise to develop better solutions for the entire enterprise.

With a more positive approach to risk management, organizations can focus on what risks will help them succeed — not just what will make them fail. To create this type of organizational culture, organizations must ensure that risk leaders are well-versed in strategy, so they know when to embrace rather than simply mitigate risk.

Lastly, leaders must view risk management through the lens of what they ultimately aim to achieve. In the end, this allows risk leaders to communicate about ERM with the language of value, which drives more enriching conversations at the board level.

Ashok (Ash) Noah, CPA, CGMA, is vice president and managing director of management accounting at the Association of International Certified Professional Accountants (AICPA).