By Bryan Lapidus, FP&A
A planning process starts with the company’s mission and goals, and then breaks those down into more detailed execution plans and forecasts. In FP&A, we focus on how to achieve the company’s goals and create forecasts that show whether we are on track or need to adjust course. Our colleagues in risk management look at what can prevent us from achieving those same goals and ask the question, “What could go wrong?”
The overlap between the two is obvious, and so there should be common ground for discussing risk. That common ground starts with finance learning the risk taxonomy of a company. Note that for companies that do not have a risk group, and therefore no risk taxonomy, this is an opportunity for finance to introduce this common practice.
Any taxonomy is a way of classifying objects into groups so they can be examined and discussed. For example, a grocery store has a taxonomy for its products: dairy items are grouped together in a refrigerated case, cereals are together, and all the baking supplies and spices are together on a different aisle. This makes it manageable and efficient for the shopper to navigate the store.
The risk taxonomy establishes categories of risk. Common categories include financial risk (market, credit, liquidity), operational risk (people, process, technology, compliance), and strategic risk (business model, strategy, reputation). For example, lending institutions might be sensitive to credit risk where there is concern that counterparties may not fulfill their obligations. Healthcare companies may have very high data compliance requirements. A decision to move up- or down-market may carry strategic risk for a brand. The taxonomy can extend to deeper levels and get more discrete, with categories for counterparty concentration, access to data networks and password controls, or new product risk.
A taxonomy allows the business to ask, “What types of risk do we want to accept or defend against?” Consider the following example:
Company X has a warehouse and is subject to several OSHA rules (Occupational Safety and Health Act) to protect the safety of employees. Failure to satisfy these rules could lead to various types of sanctions, ranging from “wrist-slaps” to fines to shutting down the warehouse. This risk is an example of operational risk, and is a cost of doing business; that is, the business accepts this risk if it wants to continue its warehouse department. The potential sanction is called the inherent risk, because it is involved in doing business, and if it is quantified, is going to be some factor based on the likelihood of sanctions and the impact of the sanctions. However, this risk does not exist in a vacuum; Company X has put several internal controls in place to mitigate the likelihood and severity of sanctions, such as training for all staff, internal safety operators, and process audits to ensure that safety procedures are followed. These mitigating factors lead to a residual risk that is less than the inherent risk.
Finance can tap into this taxonomy and associated analysis to help talk about company risk. First, finance can benefit from the risk methodology by obtaining a sense of potential exposure and impacts to the income statement or charges against reserves. Each company will incorporate the risk study differently, but the key area of focus is how to build these residual impacts into the forecast for high frequency, high likelihood events; lay off the risk through insurance, hedges or other options; or simply accept the risk. Finance can apply the risk taxonomy in presenting a risks-and-opportunities or SWOT analysis (Strengths, Weaknesses, Opportunities, Threats).
A second reason for finance to learn the taxonomy is that speaking the language of risk means understanding the control structures that are in place, and especially the cost efficiency of those controls. Risks will always exist, and it is possible to create additional layers of internal controls through review, process checks, or other forms of oversight. However, these can come with additional costs in the form of slowed processing, additional staff, or software automation. At some point, the cost of controls might outweigh the benefits and stifle growth. FP&A can add value to the risk team by studying the cost-benefit trade-off that comes with layers of controls as part of its existing mandate to stay on top of internal expenses.
A third reason for finance to learn risk taxonomy is that risk management processes are evolving and moving closer to our business partners. In the past, risk was managed by a dedicated risk group as a second line of defense supporting the business (which was considered the first line of defense). The trend today is to transfer the ownership of risk to the first line and support them with training and oversight by the second line. And risk practices are growing, driven by the need for cyber security and the changing regulatory landscape. This means that our business partners are going to be speaking the language of risk (i.e., risk taxonomy) and FP&A should too.
Understanding the taxonomy of risk provides an entry point for finance to talk to other parts of the enterprise and overall operations. That can lead to expanded collaboration and professional opportunities that can make everyone better.
Bryan Lapidus, FP&A, has more than 20 years of experience in the corporate FP&A and treasury space working at Fortune 200 and private equity-owned companies. At AFP he is the staff subject matter expert on FP&A, which includes designing content to meet the needs of the profession and helping keep members current on developing topics. Bryan is also a member of the Global Advisory Board for The CFO Alliance. You can find him on LinkedIn and reach him at Blapidus@afponline.org.