Risky Business: Is Your CFO Ready?
Deloitte Insights Video
Changes in the global economy have necessitated adaptations at the upper echelons of big businesses. Some chief financial officers (CFOs) are finding themselves labeled with a de facto title of chief risk officer. So what is a CFO to do? Should he or she be assigned to minding an organization’s risk position?
Tune in to this episode of Deloitte Insights to learn more about CFO risk management.
Kevin McGovern, Managing Partner in Deloitte & Touche LLP
Sandy Pundmann, Partner in Deloitte & Touche LLP
Sean O’Grady, Host, Deloitte Insights: Hello and welcome to Insights. Changes in the global economy have necessitated adaptations at the upper echelons of big businesses. Specifically, some chief financial officers find themselves labeled with a de facto title of CRO or Chief Risk Officer. So, what is a CFO to do? Should he or she be assigned to minding an organization’s risk position? Here with thoughts on just that are Kevin McGovern, a Managing Partner in Deloitte & Touche LLP and the leader of Deloitte’s Governance and Regulatory and Risk Strategies services, and we also have Sandy Pundmann, also a Partner in Deloitte & Touche LLP. Folks, first of all, thank you very much for joining us today on Insights. I have heard that as a strategist, a CFO must develop a process of identifying risks both to and of an organization’s strategy. So, Sandy, what does that mean?
Sandy Pundmann: Most CFOs are very comfortable in dealing with risks to the strategy. Many times those are articulated out from a standpoint of what’s our execution risk, what could get in the way of achieving our strategy, do we have the right people? Do we have the right promotional products? So people think about that quite often, but thinking about the risks of your strategy -- what of your assumptions about your new direction, like international growth or expanding into China or Russia. What if the products that you’re trying to promote in those countries are not going to necessarily be received well? What are your assumptions and looking at your assumptions and thinking about what risks do we have in our strategy today is a good way to begin to think about broadly the risks of your strategy.
Sean O’Grady: Kevin, how about your views on ‘to’ and ‘of’?
Kevin McGovern: I think Sandy did a good job of describing what ‘to’ and ‘of’ are. Perhaps, I will add by saying in risks to the strategy one of the ideas we have for the CFO is to think about how to decide what are the risks to the strategy. It is something that we call predictive analytics. So, taking information you have either from historical perspective or what’s happening in the organization today and building models that will tell you more about what is happening with the strategy today within your organization. And then risks of the strategy, I think it’s important that you understand for example, changing business models outside of your own organization. So, one of the famous ones is, if you think about what happened with buying videos in the store. Ten to 15 years ago, you went to a store, you bought a video, then you went and you bought them, they came in the mail, and then now you just buy them on the Internet. So, the change in business model came quickly. Some organizations have actually thrived in the changing business model, but some actually haven’t. So, you have to think about that very carefully.
Sean O’Grady: Thank you for those examples. I feel that managing risk is about preparing both for the expected and the unexpected, and my question is where does a CFO start when thinking about managing those concerns?
Sandy Pundmann: So, most CFOs have a good plan of action to deal with the expected. So, you look at probability, there is a high probability of this occurring, and you put plans in place to deal with that. The unexpected, it is important for a CFO to sit down with their team and think about what could happen and those things that could have a high impact on your business. You might want to put together some plans to be prepared to deal with those issues. So, doing a scenario analysis and saying if a tsunami hits, how are we going to deal with interruption in supply chain throughout our organization. Would that impact us, could it shut us down, do we need to have alternative forms of supply distribution? So, thinking about the unexpected and thinking about how severe it could impact your organization is important to be prepared to deal with that unexpected, even if it has a low likelihood of occurrence.
Sean O’Grady: Kevin, over to you again.
Kevin McGovern: On the expected side, most CFOs can gather up a lot of information about what’s happening in the organization today, and most of them, certainly the larger firms, have lots of scenarios that they build to say, if this is what we are seeing happening in our organization today this is the expected outcome, but that’s not always the case. So, you can start to see trends coming along slowly, then all of a sudden they are on your doorstep or as Sandy said you can also have some things happen quite quickly, and the CFO has to be ready as a risk manager to react to those.
Sean O’Grady: So, I would like to know how does a CFO gauge and communicate an organization’s risk appetite?
Kevin McGovern: For us, risk appetite means defining what the acceptable levels of risk are for an organization to take on, and there ought to be some very bright lines where it is clear throughout the organization what’s within bounds and what’s out of bounds. And then there is a lot of gray; Sandy will probably talk about that. So, for example, what’s within bounds, a lot of organizations are very clear about the requirement to comply with all of the regulations that many companies have to deal with today, and one of the questions is how much money is the organization willing to spend and how much in terms of people, resources, and systems to make sure that compliance remains at the top of the list of things that are important. Also within bounds, it typically is if we have a growth strategy, for example, how much are we willing to spend on either developing a new product and bringing that product to market, or how much are you willing to spend on acquiring other organizations to build out products.
Sandy Pundmann: So, how much you’re willing to bet, so if you are doing an acquisition, if the acquisition fails, are you okay with that? That’s the risk appetite, and risk tolerance is also important because sometimes the objectives don’t necessarily mesh well. You know, it is not always black and white, from a standpoint of we wanted to achieve 10 percent year-over-year earnings growth or we want to achieve these margins. Sometimes, in order to meet deadlines or timelines or some of your other key performance indicators, you might need to. Your employees might think that they need to scrimp on safety or regulatory processes and you really want to set a clear understanding with your teams on what your risk appetite is. If you do not want regulatory or safety rules not taking any kind of issue with that, it’s important to really communicate that well out to the field, so that the risk appetite and the risk tolerance of the organization is clearly known.
Sean O’Grady: Kevin, my next question is for you and that is what does a CFO need to watch out for when evaluating, managing, or taking on risk?
Kevin McGovern: CFOs have a lot to think about in that area because, as you said earlier, CFOs are often also in a role of being a chief or a significant person thinking about risk and in today’s world, particularly larger companies have lots of risks that they are trying to deal with whether it be financial risk, compliance risk, systems risk, reputation risk, whatever you want to call it. I think the key thing for the CFO to do is to decide on what are the five to 10 things that really matter to the organization. Sure, there are probably hundreds, but what are the real important ones and getting the management team of the organization to focus on those, measure those, monitor those, so you know every day what is happening in the organization.
Sean O’Grady: Sandy, what do you think CFOs need to watch out for?
Sandy Pundmann: I think they really do need to make sure of the communication of what the risks are and be very aware of all the things that are happening externally and how that impacts their organization. And then they need to be very resilient in adapting to those changing risk profiles.
Sean O’Grady: Now my last question for you as we wrap this up is about collaboration, and ultimately, how can CFOs work more closely with Boards when it comes to planning and discussing risk management?
Sandy Pundmann: The Boards really have a greater responsibility for overseeing risk management within the organization. They are now on the hook to take on that responsibility and disclose how they are looking at risk within the organization. So the CFO can take a very proactive role in helping companies and helping the Board fulfill that responsibility. They can be the de facto Chief Risk Officer as you said earlier and really take ownership in helping make sure that the Board is aware of what processes are in place, what scenarios have been looked at, how risks are being looked at from both the value protection as well as a value creation perspective, and really be the avenue to help make sure that the Board is fulfilling their responsibilities.
Sean O’Grady: Kevin, you get final thoughts.
Kevin McGovern: I only just had one thing. I think that, as Sandy was saying, the CFO is one of the primary educators of the Board with respect to risks in the organization, but I think it is also important to remember that as the Chief Financial Officer the CFO is ultimately responsible for disclosures that are made about the company -- what the financial statements say -- but also what all of the other disclosure documents say about the organization, and in working with the Board and educating the Board about what is in there, what is not in there, what has been left out, and why. This is a very critical component of how the CFO and the Board need to work together to make sure that the right risks are being disclosed and are being discussed in those documents.
Sean O’Grady: So, collaboration is the key. Folks, thank you very much. Alright, we have been talking CFO risk management with Kevin McGovern, a Managing Partner in Deloitte & Touche LLP and the leader of Governance, Regulatory, and Risk Strategies services, and Sandy Pundmann, a Partner in Deloitte & Touche LLP. If you would like to learn more about Kevin, Sandy, or any of the topics we discussed on this broadcast, you can find them and many more on our Web site. It is www.deloitte.com/us/podcasts. For all the good folks here at Insights I am Sean O’Grady. We will see you next time.
This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.
Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this publication.
As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.