CFOs and ERM: Risky business that’s good for financial performance

May 17, 2022 | 5 minute read
Julie Lev
Head of Finance and Risk Product Marketing, Cloud ERP, Oracle

Creating value is about managing risk to maximize reward. The most successful companies seize opportunities without stumbling on the risks around them. But when risks are always changing, and you don’t connect risk management with business performance, this gets tougher. How can you best manage risks that are unknown or unpredictable?

Enter the risk-aware CFO. CFOs, with their holistic view of enterprise operations and business data, are in a unique position to help their companies detect and protect against risks and coordinate response. As a strategic advisor to the organization, you can play a critical role in aligning your enterprise risk management efforts with your corporate mission and line-of-business strategies.

But, as CFO, you are busy, and risk management can be daunting. With the explosion of data, digitization, and globalization, risks (both good and bad) are happening faster than ever. You need to identify and react to them faster, and prevent them if possible. A company's ability to move quickly, in a coordinated fashion, is now a critical core competency that depends on the right people and processes. You need the right leader, and the right solution, to act quickly.

With the proper enterprise risk management (ERM) solution, CFOs can connect business risk with results—helping teams to effectively detect and prevent risk, and creating a risk-intelligent culture. The result is transformative: the organization moves to “proactive risk management” and can connect business performance to risk management.

Avoid the trap of disconnected ERM

By definition, ERM is about managing any risk that impacts an organization. When you create a strong ERM framework, you unify, organize, and mobilize your company around strategies to address your most critical risks. But for many companies, their ERM framework is hindered by disconnected risk functions and processes, manual analysis, or siloed risk groups or teams. If ERM lives outside of your core business and financial operations, it prevents you from connecting business performance to risks. This approach to ERM is inefficient: it costs far more than it should and delivers far less than it should. It also compromises your ability to detect and prevent risks, and is frustrating for all stakeholders.

Even when the rest of an enterprise has modernized with cloud applications, ERM often remains the outlier; companies continue to use and sometimes even choose outdated technology to suit their outdated approach to ERM. This leads to audit misses, time lags in identifying and mitigating risks, and gaps in insight.

Some companies may have deployed integrated risk management (IRM) solutions, which are a step up from the legacy focus on compliance but fall short of delivering on their promise. IRM solutions try to provide an integrated view of how well an organization manages risk, but they’re typically bolt-on solutions that are not integrated with an organization’s most critical business applications. This gives a false sense of security and keeps risk standalone.

The key to avoiding this trap is to make sure that collaboration is efficient and adds value, and that your people have the relevant insights and the ability to act on them. In the absence of this, you are forced to 1) accept the siloed approach either within or outside of the finance organization, or 2) struggle with inefficient collaboration that saps the organization of energy and does little to reduce risk.

With the right tools, you can engage the entire organization around ERM and manage business risk to maximize business results. What’s the best way to achieve this? And who should take the initiative?

Bringing ERM under the CFO – Why?

ERM can be managed from a variety of places in the org chart. However, as CFO, you are at the intersection of business operations and the ability to execute on strategic initiatives. You are in a unique position to drive ERM.

If you’re looking to incorporate ERM into your list of responsibilities, you’re in good company. In a Deloitte CFO Signals Survey, over half of the CFOs surveyed said they are responsible for enterprise risk management, with 35 percent saying the function reports directly to them. The surveyed CFOs also said risk-related responsibilities are among the most likely to be added to their scope over the next three years, behind IT, and strategy and planning.

ERM takes a lot of effort—but with the right solution it can become a competitive advantage.

What to look for in an ERM solution

When you’re ready to adopt new technology for your ERM efforts, consider the following:

  • Avoid bolt-on solutions. Siloed ERM software often fails to reach and influence other stakeholders; ERM becomes merely a framework with no collaboration, impact, or enterprise adoption, all of which are essential to success. Bolt-on solutions prevent coordinated responses and delay action. Instead, aim to build a culture of risk awareness across your organization with a built-in solution.
  • Look for more than integration. Many ERM solutions can be integrated with other applications in your enterprise. But an ERM solution that is natively integrated with your ERP can automate day-to-day operational risk management. You improve your risk posture while freeing up resources to focus on the more strategic risk issues.
  • Embrace artificial intelligence (AI) and machine learning, but don’t DIY. Risk-intelligence can be “amplified” through the power of AI and machine learning. When both are embedded in your ERM solution, you can continuously monitor for suspicious activity in your core business processes, stop insider threats, and coordinate preparation and responses. Your solution will bubble up that information through dashboards designed specifically for your stakeholders so they have easy access to insights and analytics. From assessment to recovery, your solution should take a holistic approach that helps you keep mission-critical operations going, whatever risks come your way.
  • Cloud, Cloud, Cloud: Take advantage of the resiliency and agility that cloud technology provides. Cloud delivers benefits that are natural requirements for an ERM solution: faster to deploy, far more secure, and always on. Business disruptions from internal or external forces are better mitigated with the cloud’s always-on infrastructure, which is at the core of keeping you up and running.
  • Simplicity promotes usage. Your ERM solution must be easy for all stakeholders to use. Your stakeholders will be able to easily detect and prevent risks, promoting a risk-aware culture.
  • Engage broadly across the enterprise. For effective and efficient ERM, you must work effectively with all stakeholders throughout the organization. An ERM’s real success is rooted in engaging both frontline and organizational leaders so that it becomes part of everyone’s daily responsibilities and decision-making, both small and large. This capability should be your key deciding factor when selecting a solution.
  • Deploy best practices to meet standards and obligations. Any ERM solution should embody global ISO standards and best practices and include a standard set of analytics to get you started.

So, take on the responsibility of ERM, if you haven’t already. With the right solution, you’ll be happy you did.

Learn more about risk management in the cloud.
