3 Steps to Building Strong Risk Management

Published on August 20, 2020

The coronavirus pandemic has already resulted in a significant business downturn around the globe. Even though during this wide-scale crisis with its catastrophic consequences some winners have emerged, over all, the pandemic has had an extremely negative economic impact.

What lessons can be learned from this type of event for the future? And how should management accountants prepare for it in terms of risk management systems, to mitigate possible negative consequences or to achieve some gain from these types of situations?

From a risk management perspective of COVID-19, scale is not something that could be modelled and measured like currency risk or customer insolvency risk, using economic or business models and past statistics. This type of event is classified more as uncertainty or force majeure than business risk. And it happens, as history shows, once in many decades, maybe even hundreds of years, and because of that it usually carries the “black swan” label.

Nevertheless, it is worthwhile analyzing how to best respond to such events, which are unpredictable but need to be coped with if organizations want to survive. As we live in a fast-changing and hardly predictable world, events of similar scale may occur one day in another area, which we do not know now. Being prepared for them is important for success.  Business models and risk

Any business model should incorporate attitudes towards risk and uncertainty. It is well known and accepted that measures of risks are vital for the successful operations of many businesses in the finance world — banks, insurance companies, and mutual funds, for example. The current crisis has elevated the importance of the business risk component for all organizations. Even if in the past some thought they could avoid thinking about these “complexities”, the scale of the current crisis has uncovered the meaning of risk — it is widespread, and not only listed entities or finance companies should care about their risk profiles. Private companies in any industry that are not required to make public disclosures should also consider the external environment and understand their strategies in various circumstances, even the most unfavorable ones.

There are many technical aspects of risk management in terms of how to organize it, what metrics to use, the frequency of assessments, and more. But current events emphasize three strategically important issues, which are often overlooked, even by those who claim they have risk management in place:

  • Contingency planning.
  • Establishing rigorous management information systems.
  • Penetration of risk thinking throughout all layers of the organization.

Contingency planning

Contingency planning has to be established as a tool to cope with extraordinary situations. When an unexpected event takes place, usually what is key is the limited time available and the high speed with which you need to react.

There is no time for building and implementing new processes and procedures when you are faced with some unexpected disaster. They must already be in place. As we know from the ancient past, fortresses were built during peaceful times because, when the enemy attacked, there was no time left for complicated construction activities. And if you did not have strong walls with appropriate armament already in place, your fate could be dire. Even though in many cases these fortresses were not used, and now they are often museums, they were needed as a means of insurance against somebody’s unpredictable hostile acts.

It’s the same with the business environment in which we live now — there must be contingency plans in place before something terrible happens, and tools to enact these plans when we encounter hostile events caused by different factors — for example, competitors, technological complexity leading to accidents, or nature, such as COVID-19. The role of the CFO as the main holder of financial information within the contingency planning process is absolutely crucial because all activities of an organization can be converted into financial outcomes to be monitored and controlled by the CFO.

Contingency plans should contain step-by-step activities for managing the enterprise’s resources (or production factors) like labor, fixed assets, and financial resources where unexpected events affect measures critical for a company’s operations, eg, sales or operating cash flow.

Scenario planning can be used and different routes established for different levels of external critical changes taking place. Responsible managers for particular areas should be assigned in these plans. The complexity and detail of contingency plans will differ from company to company — a multinational oil company’s plan should naturally be more complex than the plan of a local coffee shop.

Rigorous information systems  

To be able to react, or even notice some negative developments, we need to have rigorous information systems in place. Indicators and events monitored by these systems are critical as triggers for launching activities included in contingency plans. They can include measures of overall business activity, political changes, significant man made accidents, and implementation of new breakthrough technologies. In addition, internal metrics reflecting business activity such as sales, stocks, and cash should be under constant control. In the case of critical deviations, appropriate responses should follow.

Nowadays, with the level of technology available, such systems are not difficult to implement. The key effort to be made is to realize that in the information age that information is key. The faster we have necessary information and the better the quality of its analysis, the more effective our response will be to external events of any sort.

Technological advancements such as cloud computing, big data, artificial intelligence, the internet of things, and others should be used wherever possible to ensure that management information is useful for making the right decisions in a manner that is timely, relevant, error-free, bias-free, comprehensive, understandable, and consistent.

Here we need to think about which systems better fit our particular organization and how to maximize these systems’ potential and functionality through efficient processes and procedures. They should be flexible enough to evolve over time to account for environmental changes.

Again, the role of the CFO as the main holder of financial information in all these activities should be the leading one. At the same time, considering a high level of automation, the IT function becomes important. Of course, cooperation between finance, IT, and users of management information systems across the whole organization is vital in establishing proper information systems to guide management in its activities. This is especially crucial during turbulent times, which leads us to the last point.

Risk thinking

Everything said about contingency planning and information systems should not be locked in one or two departments but spread across the whole organization to make it work. Any organization’s success depends upon the input of all its constituent parts, and implementation of new processes or systems requires everybody. Otherwise the organization will always struggle with bottlenecks.

To achieve this goal there should be a well-established internal control function which brings all parts of an organization together and ensures complementary operations, collaboration efficiency, and desired outcomes.

To achieve this goal managers responsible for risk management and internal controls should act like teachers and detectives:

  • First, they need to explain to the whole organization on a regular basis why mutual efforts are key.
  • They should also be in a position to notice any weaknesses and fix them in due time. This job should not be “bureaucratized” but executed in an open fashion.
  • And incentive systems should be established to make people really interested in achieving good outcomes.

As the economy becomes more complex and technology more sophisticated, more risk factors appear. This obvious development is not always taken into account when organizations elaborate on their strategies and short-term plans.

Living in a fast-changing world requires us to change our thinking on risk, and to roll out risk management systems that can help management avoid negative consequences, minimize losses, and turn risks into opportunities. To succeed in this undertaking, modern CFOs should take the lead and with the help of IT implement corporate-wide risk management systems that utilize all available technological advancements that also evolve over time.

(Source:  AICPA – CPA Letter Daily - Financial Management – August 11, 2020)