CFOs are responsible for managing their organization’s risks, and that responsibility is only expanding. Business risks are getting more complex and numerous every day, and finance chiefs are increasingly accountable to shareholders and directors.
But as a profession, we’re not quite mastering all of our risk management duties. Fewer than one in four CFOs consider their risk management mature or robust, according to a new report by the Poole College of Management at North Carolina State University. Fewer than half of the studied organizations have a risk management policy statement or maintain an enterprise-level risk inventory, the report says.
Whether you’re in the majority or minority, it can be hard to be absolutely certain your risks are well managed. What may keep CFOs up at night are the risks they might be missing. But wait — your company has a risk manager or equivalent. That’s one place to get some help with the growing scope of responsibility.
So between a CFO and risk manager, who does what with respect to risk management? Although the risk managers’ positions can vary by title and responsibility, they are typically responsible for two things, according to the International Risk Management Institute:
- Hazard (or event) risk, including natural hazard events, fire, liability and other insurable events.
- Operational risk, which relates to potential failure of processes, systems, controls, or technology.
According to The Institutes Risk & Insurance Knowledge Group, these two risk types constitute half of a CFO’s risk management job (the other half being strategic and financial risk). That is not to say that hazards and operations don’t have serious strategic and financial implications; they do. In the worst case, damage to a company goes beyond what is covered by insurance, such as loss of market share, reputation, and shareholder value.
Understand the Risk
So how can a CFO elicit the most risk management help from the risk manager in the shortest time? Extract the right metrics. How do you extract the right metrics? By asking the right questions. Let’s take property risk as an example. Here are the questions I ask my risk manager:
What is our risk quality? It can be quantified by assessing the completion rate of identified mitigation steps. Historic loss data shows that locations flagged as particularly risky ahead of time see far more frequent and severe losses than others.
Where are our losses likely to occur? The risk manager should be able to identify the locations in the company’s global portfolio, regardless of their overall risk quality, most likely to see a loss. A key plant? A data center? An office tower?
Historic loss data shows that 2% of commercial and industrial locations deemed highly predisposed to loss account for as much as 30% of losses annually.
What assets are most vulnerable at a given location? Facilities, systems, and equipment can be ranked by their propensity for loss, the relative likelihood of occurrence. Experience confirms that assets identified as having a higher relative likelihood of a loss are twice as likely as others to result in a loss.
What major equipment is likely to break down? Risk managers should have data on maintenance, operating conditions, history, operators and other factors related to equipment like boilers, turbines, generators, transformers, chemical vessels, compressors, and pulp-and-paper processing machines.
With that data, they can determine when particular machinery is predisposed to a loss and the relative likelihood of such a failure. Breakdowns of equipment deemed at high risk are typically up to five times more severe than average.
How severe would a loss be? Every potential loss of a building, machine, or important asset should carry a monetary estimate as to its worst-case cost, expressed as a dollar amount.
Which vulnerabilities would do the most harm to the business? This is the key question, but it’s rare to be able to cut to the chase. In a perfect world, the risk manager has analyzed the value of each location’s contribution to the company’s profit, then married the financial data with risk data. Or, someone has requested a business impact analysis.
Either way, the goal is to determine where losses are most likely to occur and where they’d hurt the most. This helps determine where to allocate risk improvement capital.
What isn’t the risk manager telling you? Although these might seem like hard questions for a risk manager to answer, CFOs I’ve talked to have repeatedly been surprised to find that risk managers are sometimes sitting on crucial risk information, having gleaned it themselves or received it from a third party. It turns out that risk managers are sometimes afraid to broach the conversation around these data points for fear of being grilled on the details and being unable to answer fluently.
Make sure the risk manager understands that you’d rather have too much of this quantitative information than too little — and that it’s okay if they don’t have all the answers.
Finally, ask what’s new. Great companies are always innovating, and meaningful innovations create new risks. Is the company doing potentially risky things with new technologies like drones, autonomous vehicles, or 3D printing? Make sure the risks are identified, understood, mitigated, and transferred.
Lean on the risk manager. With pointed questions, you’ll get the information needed to better manage enterprise risk. You’ll also be mentoring the risk manager to think more often in financial terms. That will open all sorts of doors for that person.
Most importantly, you’ll come to know what you don’t know, and awaken to risks you might’ve been sleeping on.
Kevin Ingram is executive vice president and chief financial officer of FM Global, one of the world’s largest commercial and industrial property insurers.