The Risks Facing the CFO

By: Frank Manzi, CPA and Mark Martinelli, CPA

Business risk is defined in generic terms as the exposure a company must consider that may lower its profits or lead it to fail. This definition will suffice for purposes of this discussion, especially because it clearly lays business risks within the realm of the CFO, as it focuses on the impact on profitability. Because risks are often quantified in financial terms, they ultimately end up on the CFO’s desk. Anything that threatens a company’s ability to achieve its financial goals is considered a business risk.

Business risks were brought to the forefront as they became more visible due to the ongoing challenges presented by the coronavirus (COVID-19) pandemic. These challenges range from newly unfolding economic events, a remote workforce, and supply chain disruptions, as well as consumer expectations arising from environmental, social, and governance accountabilities. Compounding these uncertainties are disruptive innovative developments in a rapidly evolving digital world. These risks have traditionally not been on most companies’ radar, either due to their unforeseen nature or decades-long favorable economic conditions.

This column will explore some of these risks and the role that a CFO plays in identifying and developing effective enterprise risk management practices.

Globalization as Risk Driver

The pace of change has substantially increased over recent years. Some of it can be attributed to the proliferation of technology that propagates the spread of new concepts, processes, and business structures globally. An overall openness to globalization further ensures that the pace of change will continue as businesspeople seek to capitalize on new business opportunities. The increase in business globalization also brings increased risk due to the interconnectedness of businesses, countries, and economies. The current conflict in Ukraine is a perfect example of how the world is not only smaller, but more interdependent. The impact of war on combatants is obvious, but the rest of the world can easily be impacted by supply chain disruptions, increased costs, and the potential for spillover conflicts.

Major Risks Facing Businesses

The following is a summary of the specific risk categories that threaten all businesses and take up much of a CFO’s time. These are the areas of greatest risk for which companies must implement risk management strategies to minimize their impact on the business.

Cyber risk.

Cyber risk includes any risk of financial loss, disruption, or damage to a company’s reputation from a failure of its information technology systems. Cyber risk has long been top of mind, as cybercriminals, hackers, and nation states try to take advantage of vulnerabilities. Traditionally, cybersecurity has been the responsibility of IT, but as more finance processes run remotely and on the public cloud, CFOs need to develop security measures, specifically for the finance function to safeguard its data. Finance functions not only hold accounting information, but they have access to other sensitive data within a company, including customer and supplier data. CFOs need to drive the development of policies and practices to identify the areas most vulnerable to attack. Many CFOs have had to prioritize security and access to data due to their companies moving more critical data to the cloud. Increased security can add significant costs to a business, requiring a CFO to constantly do cost/benefit analyses.

When collaborating with IT security and risk teams, CFOs should prioritize the financial data and systems that are most critical to the business to ensure that those processes are protected. The most common threats include:

• Phishing attacks: This includes all methods to lull employees into giving up sensitive information, typically by e-mail, but also via voice phone calls and text messages.
• Malware: This term is generally used to describe any malicious software attack that is intended to disrupt a computer through spyware, ransomware, viruses, or worms.
• Data leakage: This threat arises from the transmission of data from within an organization to an unauthorized external destination or recipient, whether electronically or physically.

Remote work and workforce continuity.

One of the unintended benefits arising from the pandemic has been the ability of employees to work remotely, thereby providing safety from COVID-19 and newfound flexibility. These remote practices have benefited both employees and employers; businesses can save money on real estate and other office-related costs whilst employees can be more productive by reducing their commuting time and improving overall morale due to lifestyle choices for employees. Nevertheless, several challenges have also arisen with this new work paradigm:

• Working from home reduces a company’s ability to monitor employees’ day-to-day activities.
• Lack of visibility into day-to-day activities reduces oversight, thereby making it more difficult to identify potential wrong-doing, including fraud.
• Remote workforces decrease opportunities for informal communications, on the job training, and in-person conversations, potentially impacting an employee’s professional development and possibly impacting corporate culture long-term.
• Working remotely complicates the ability to protect confidential materials, as well as corporate and customer data.
• Home or public networks may be more susceptible to security breaches.

Another byproduct of the remote model has been increased employee turnover, termed the Great Resignation, during a time of record low unemployment in the United States.

This disruption of job markets is further complicated by the need for more subject matter expertise and specialized skill sets in an increasingly technological world.

Speed of innovation.

Disruptive innovation, through new (or less regulated) competitors in a rapidly changing environment presents an increasing risk to organizations. The pandemic accelerated the broader use of digital technologies. This took the form of how customers shop, bank, make payments, and even entertain themselves. These disruptions have impacted the competitive landscape for companies in various ways, and have come in the form of either moving too slowly or too quickly.

The impact to a company can come from within if it is not funding new initiatives or funding them too slowly. The disruption can also come from lack of strategy or vision, or it can come from stagnant or closed-minded executive leadership. CFOs with their fingers on the company’s purse strings can help fund key initiatives. CFOs can help drive annual strategy discussions looking at the internal landscape to see where internal capital can be directed to get the best economic return. They can also require an analysis of the company against outside peer competitive landscapes to help fund initiative, drive strategy, and spur creativity.

Globalization.

The reality is the world gets smaller on a daily basis. This is due to many factors that reinforce globalization in everything we do, from both a personal and business perspective. Business opportunities abound—as do the associated risks. Lower barriers to international trade need to be considered in conjunction with a company’s ability to compete effectively across the globe. Companies must get better at competing with global, national, local and, increasingly, digital players. Considerations of investment abroad become more serious as a company decides on the business model that works best for it. Risks increase substantially, as a business needs to deal more intimately with a different society’s culture, legal environment, government, and many other factors. Aside from the direct involvement within a foreign environment, a company must be clear and focused on its business strategies—primarily because the overall topic of globalization is broad, and its definition varies for different organizations. Companies must define their involvement in a more globalized world, which can encompass different risks and opportunities. The CFO is a key member of the executive team determining strategy and plays a key role in devising the operations and addressing the related risks, including the following:

• The simplest strategy is to expand selling into foreign markets. One related risk is ensuring that a company’s pricing strategies do not violate local anti-dumping rules or even cause inconsistencies in overall go-to-market pricing methods.
• Producing in markets where costs are lower always includes the risk of quality control when a company’s manufacturing operations are further from the overall corporate control structure. There is also always the risk of product counterfeiting and other intellectual property concerns.
• Significantly autonomous sales and marketing operations in the foreign market are another option. This is generally a high-cost structure that requires investment in people, infrastructure, and assets. A decentralized structure runs the risk of making it difficult to affect business operations and a relocation of the business can quite costly.
• Another strategy is to outsource non-core activities, such as some elements of customer service and accounting transaction service operations. Many companies started their globalization efforts in this arena once technological improvements made such outsourced operations possible. Moving these functions abroad causes some difficulties due to time differences and other operational difficulties that can dilute the overall corporate culture.

Supply chain.

Supplier risk includes delays from suppliers, production disturbances, natural disasters, material shortages, and organizational and operational issues.

Traditional thinking defined the supply chain as being limited solely to procurement and transportation, in the wheel-house of the Chief Operating Officer. The goal was simply getting the best-delivered price for goods and raw materials, as well as customer shipments. The pandemic has disrupted supply chains and put them under greater scrutiny, transforming the supply chain into a critical link in the business value chain.

Pandemic-driven disruptions and subsequent geopolitical events have placed CFOs in a role that requires them to transition beyond traditional reporting of financial data and controlling costs to an active role in supplier strategy. CFOs need to better understand their companies’ supply chain and how it affects cash flow, growth, and—ultimately—shareholder value.

CFOs also need to better understand the geopolitical connections of their companies’ supply chains. Risk factors, including the pandemic, China’s economic impact, and most recently Russia’s invasion of Ukraine, have intensified the need for risk assessment, monitoring, and preparedness for supply chain disruptions.

Economic risks.

Economic risks include a broad array of items, including interest rate, unemployment, recession, inflation, and changes in demand and supply. All can pose a threat to a company’s survival.

Although CFOs are accustomed to dealing with economic risks, the looming combination of inflation, rising interest rates, and a seller’s market for labor is causing a significant amount of uncertainty both in the short and long term. Any of these risks can affect a company’s growth opportunities.

CFOs need to monitor their balance sheets to ensure they have adequate cash reserves, liquidity, and cash flow to weather economic storms. They also need to consider locking in lower interest rates on debt and investing in productivity enhancements, while ensuring continued access to capital markets. Rising inflation and the aftermath of the pandemic are further clouding the U.S. economic horizon, driving higher-than-anticipated costs thereby forcing CFOs to decide on how they can maintain their margins.

The use of enterprise-wide risk assessments in combination with financial forecasting and modeling tools is essential for CFOs to make sound financial decisions.

Environment, social, and governance risk (ESG).

ESG-related risks include the environmental, social, and governance-related risks and opportunities that may impact a company. The categories can be defined as follows:

• Environmental—impact on the planet, energy and water consumption, greenhouse gases, and climate impact;
• Social—impact on employees and community, including worker safety, employee diversity and inclusion, retention, data protection and supply chain; and
• Governance—corporate conduct and policies, including risk management processes, governance, board diversity and structure, and executive pay.

ESG has become a focal point for investors, shareholders, and activist groups; increasingly, consumers are also looking at companies’ ESG practices to make purchasing decisions. Shifts in perspectives and expectations about diversity, equity, and inclusion have also impacted the social perception and customer loyalty of many companies.

Companies are evaluating how to best align their organizational vales and goals with ESG considerations. The SEC and the Financial Stability Board Taskforce on Climate-Related Financial Disclosures are providing guidelines for disclosures that fall into the CFO’s purview to report on. ESG is a paradigm that the CFO must recognize to ensure the business has the ability to supply information to support regulatory authorities and the public at large.

Operational resilience.

Operational resilience is an organization’s ability to detect, prevent, respond to, recover, and learn from disruptions that may impact delivery of operations or business services (see https://www.protiviti.com/US-en/operational-resilience).

Operational resilience ensures that a company is continuously operational in times of disaster and other challenges. Resilience helps ensure delivery of a company’s goods and services. Resilience is tied to business continuity, but more broadly includes other disruptive elements, such as cyber, technology, supply chain, and the ongoing pandemic.

Recent events, including the COVID-19 pandemic and subsequent economic disruption, highlight the need to understand and plan for the possibility of multiple, converging events and their impacts on operational resilience.

CFOs as Managers of Business Risks

CFOs now find themselves at the center of many risk-related challenges. They have the skills to identify, quantify, and monitor the impact of new risks facing their companies. Although it is true that all risks have financial implications, many of them are specific operational risks that surface due to their potential impact on a company’s financial results. CFOs must take the lead as the executives with primary responsibility for the design and operational effectiveness of internal controls. As defined by the Treadway Commission Committee of Sponsoring Organizations (COSO) Internal Control Framework, controls are meant to address the following business objectives, which are all risk based:

• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations.

A critical element of all companies’ internal controls includes the “risk assessment slice” of the COSO cube. CFOs play a pivotal role in this arena through their role in monitoring financial and operational results in an ongoing manner, as well as identifying future issues through an effective forecasting process. Companies are continuously presented with risks and opportunities, and the forecasting process allows a CFO to identify the larger issues and chart a course for addressing issues as they arise. Preparing regular forecasts help to identify and address current and future conditions provides confidence in companies’ ability to address changing conditions as well as their ability to understand and maximize business opportunities.

Enterprise Risk Management

The competitive global business environment forces companies to identify business risks on a daily basis and to develop processes and procedures to deal with them effectively. The risk management process must be enterprise-wide, involving employees at all levels and in all organizational units. This process is best managed by the CFO and the financial organization in order to focus efforts on the areas that are most financially significant. Taking an enterprise risk management approach comprises the following steps:

• Risk identification
• Quantitative or qualitative assessment of the risks
• Prioritization and management of associated risks
• Monitoring risks in an ongoing manner.

Risk identification needs to occur throughout the company, and it is best accomplished with a thorough understanding of business and management objectives. It is a process that should be updated on a regular basis and is more than merely an introduction of risks impacting the business currently. From a practical perspective, this can be most effective if incorporated into the regular forecasting effort, so the risks that most jeopardize the forecast are identified and properly assessed. One of the biggest benefits of risk identification is to allow CFOs to keep the risks that the business always faces top of mind.

Once the operational team has assessed the possibility that the risk is likely, and the outcome is apt to be negative, the CFO should be the driver of quantifying the financial impacts of the risks. The CFO is most skilled and well positioned to turn possible issues into quantifiable outcomes. The intention of management to address the specific risk will be determined by its relative impact on the business. The CFO will be on the team to develop, implement, and monitor the effectiveness of the plan of action.

Risk Process Monitoring

Risk management is a process that must be maintained; although it is best managed through a team approach, individual management and accountability increase its effectiveness. A manager should be assigned specific responsibility for the methods to address risk; once identified, this risk owner needs to be monitored from two perspectives. First, an operational manager must be accountable for addressing the risks as well as developing monitoring processes for future increases in risk. Second, the CFO, as the driver of internal controls, must constantly monitor risks to ensure that the level of diligence in addressing them is maintained. The CFO’s role should be addressed within the confines of the ongoing forecasting process in conjunction with using internal audits to conduct guided process audits within the areas of most risk.

Future Risk Management Practices

The COVID-19 pandemic has underlined the importance of business resilience and the need for effective risk management. Risk management programs must be integrated across an organization. The overall objective is to be proactive and not reactive. Proactivity emanates from a powerful risk identification process to allow management to develop risk response strategies before they negatively impact a company. Only by using an effective risk management framework can businesses ensure they are in the best position to sustain operations through unexpected events.

C-level risk executives must be responsible for the overall oversight processes. CFOs, as the individuals intimately involved with all operations and their related financial commitments and potential weaknesses, are the natural choice for this responsibility. They need to be able to identify, monitor, and quantify risks and establish action plans to address them. Risk awareness must be infused across the business and effectively linked to the objectives of the business and compliance; management effectiveness must also be monitored. Risk management must be part of all strategic and tactical decision-making processes, which leads to the need for an enterprise risk management framework to align any codependences of a company’s risks.

Frank Manzi, CPA, is a professor of accounting at the College of Mount Saint Vincent, Riverdale, N.Y.