Risk is an inherent element of the business. Given that every business activity or decision has a risk consequence, a business should not expect to operate and progress by making risk an afterthought.
Technological advances, evolving customer expectations, volatile markets, global political instabilities, shifting demographics and natural disasters are impacting business models and forcing organizations in every sector to rethink the way they operate.
Left unaddressed, these forces of change have a huge potential of derailing the strategic plan of the business and accelerate the organization towards failure. In order to survive in this VUCA world, the business should make a paradigm shift from reactive to proactive mode. This helps prepare and plan for the future rather than respond to it after it has arrived.
The challenge today in many companies is that risk-based decision making is an afterthought. Only after going through a turmoil do people start asking where is risk management and why did the risk experts fail to anticipate the events in advance. In financial services companies where there are dedicated risk management teams, it is easier to point the finger of blame.
However, not all companies have a dedicated risk management function.
Risk is everyone’s responsibility
What exactly is the meaning of this statement?
Is making risk everyone’s responsibility part and parcel of risk culture?
What is the best approach of making everyone embrace risk-based decision making?
If some employees within the organization have never received training or guidance towards risk decision making, are they still held responsible?
By making risk everyone’s responsibility are we increasing confusion and blurring the lines between accountability and responsibility?
In the event that a business fails as a result of activities or decisions that could have been avoided, who is held accountable and responsible?
The CFO as the champion of risk-based decision making
In companies lacking a dedicated risk management function with a CRO at the helm, overseeing of risk management is normally under the purview of the CFO. The CFO is better positioned to champion meaningful risk conversations across the organization and drive better decision making processes.
Many people connect risk management with the negatives, hence the desire to avoid risk at all costs. Risk-based decision making is not about managing or avoiding risk. Effective risk management involves looking at the upside of risk and making informed risk decisions that help the organization achieve its stated objectives.
Driving a risk-based decision making culture therefore goes beyond lip service. It is not about merely saying everyone is responsible for risk. It is about raising risk management awareness and developing risk competencies across all staff levels through training, discussion and sharing of risk information.
Risk doesn’t start to happen once the strategy has been set. With the world always changing, risk is a constant present both before and after strategy setting. That is why it is important to understand the risks of your strategy including risks to the execution of the strategy.
Once every employee has a better understanding of risk, how it applies to their individual area of responsibility and align with the overall strategy of the business, risk-based decision making ultimately becomes part of the culture.
Given that finance has a unique end-to-end view of an organization the CFO plays a critical role in helping business partners understand the strategic plan of the business, identify, quantify, and mitigate any risk that affects or is inherent in the company’s business strategy, strategic objectives, and strategy execution.
The CFO is capable of leading the risk conversation and ensuring that the focus is more on taking advantage of opportunities and achieving strategic objectives and less on the downside, in turn ensuring that more value is created than is preserved.
Although the CFO has the bird’s eye view of the organization and an understanding of where the risks are coming from including the mitigation strategies, s/he cannot do it alone. Risk management requires an holistic approach across the company, and different risks are the problem of the function that they most impact.
It is therefore imperative that the CFO co-ordinates efforts and works alongside other C-suite executives to identify and assess emerging risks and best understand how to mitigate them.
Having the ability to partner with the business and speak their language is key to leading and engaging C-suite executives in meaningful risk conversations that help mitigate risks to the execution of the strategy.
Relationship between risk and performance
Risk conversations have to keep pace with the complexity of the business. Elevate the conversation to include a discussion around sources of potential disruption, their impact on the day-to-day execution of your strategy and the creation of value, and what your organization should do to increase the possibility of success.
Risk and performance are two sides of the same coin. A business cannot manage risk in isolation of performance. At the same time, the business cannot manage performance without consideration of risk. It is therefore imperative to integrate risk into your strategy and performance management decision making processes.
One way of embedding risk in the strategic planning process involves connecting your risk reporting and your strategy execution. Unfortunately, companies spend a significant amount of time compiling risk registers that do not inform strategic decision making. I have come across risk registers that list hundreds of risk events with very few of the events connected to the achievement of strategic objectives.
Risk assessment exercises should not be performed in isolation to strategic decision making. It is therefore important for the team responsible for performing risk assessments and compiling risk reports to understand what the strategy of the organization is, including what the strategy colleagues are doing on a day-to-day basis.
Not only will this help understand the business environment but also key assumptions. Instead of churning out the same report with the same list of risks on a monthly or quarterly basis, your report should be a reflection of key risk management changes overtime and help influence business decisions.
Risk-based decision making should be integrated into the overall management system of the organization. Given the constantly changing business environment, the business should always be ready for the unthinkable.
Business leaders should therefore focus on continuously improving the organization’s risk management framework and employee risk competencies to ensure both are capable of withstanding the test of times.