Editorial

Do CFOs Understand Risk Management?

By Norman Marks
Risk management is a team sport, which makes one CFO's take on how to manage risk ... perplexing.

It is far too easy to generalize about all CFOs from the example of one.

But I am going to take one CFO, share what he has to say about risk management, and talk about how dangerous his views and practices are.

One CFO's Take on Risk Management

Earlier this year, the Wall Street Journal published a sponsored article by Deloitte, which interviewed its CFO-in-Residence, Frank D’Amelio, on Managing Enterprise Risk.

D'Amelio was the “former CFO and EVP at Pfizer and [is] currently CFO-in-residence and independent advisor to Deloitte’s CFO Program …. In his two decades as finance chief [he] has developed many important ERM practices. D’Amelio also currently serves as a board director for Hewlett Packard Enterprise Co., Humana Inc., Zoetis Inc., Catalent Inc., Sail Biomedicines, EntityRisk and the Michael J. Fox Foundation for Parkinson’s Research.”

D'Amelio tells the interviewer:

  • The CFO still needs to own and drive the ERM process within the company. 
  • He made the head of internal audit the leader, in charge of advancing risk sensing, assurance and mitigation strategies.
  • He expects internal audit to be closely tied into all areas and functions of the organization so that together with those business and functional leaders they could identify the key enterprise risks.
  • Typically, large global companies have 15 to 20 main enterprise risks, and those are the things you spend a lot of time on and drill down on. His team would then build a who, what and when action plan for each of those areas. That kind of ownership and clarity is very helpful in developing an enterprise-wide risk program.  
  • He would talk to the CEO, the head of internal audit, the controller, the lead partner of his external auditing company and the chair of the audit committee and full board to get his arms around what they think the enterprise risk is and the process in place to deal with that risk.  
  • Next, he would speak with the CIO to understand the systems environment and controls environment he was inheriting, and then the chief information security officer (CISO) to understand who is working to prevent cyberattacks. He'd also sit with the business leaders to understand their involvement in enterprise risk oversight.
  • He thinks if you’re doing enterprise risk right, there aren’t going to be a lot of major changes among the top issues you’re following from year to year. 
  • He views opportunities as offensive and risk as defensive, and you need to be prepared for both. If he's in front of the board presenting a five- or 10-year strategic plan, before he ever gets to the numbers, he highlights the top 10 parts of the plan and flexes them upward in terms of opportunities and downward in terms of risk. If his baseline assumption is he'll have an annual price increase of, say, 2%, the opportunity might be that he can get that higher depending on various factors. The risk is that it’s going to be lower.  


... and What He Got Wrong

There are so many errors in this thinking.

  • The CFO is taking far too much control of risk management. It should be owned collectively by the entire executive team, especially since, in most organizations, I would expect the majority of sources of risk to lie outside the domain (and expertise) of the CFO.
  • Internal audit should not be “in charge of advancing risk sensing, assurance and mitigation strategies.” The CAE may facilitate the processes involved and even provide summary reports to the board on behalf of management. But every executive should own and be fully in charge of understanding and addressing all the sources of risk (and opportunity) to enterprise objectives within their own domain, and collectively across the extended enterprise.
  • Risk is involved (created, modified or taken) in every decision. There are nearly as many sources of risk as there are stars in the sky. (OK, that’s a slight exaggeration.) But the idea that enterprise risk management is about managing a list of 10-15 risks is crazy and dangerous.
  • It takes a while before D'Amelio gets around to talking to operating management, including manufacturing, sales, HR and so on. They would be my first stop, although a Strategy executive might come first. The idea that the external auditor has valuable insights is ...!
  • Risk is changing all the time, so if you don’t see change you are not doing it well.

What is your experience with CFOs? Do they understand effective risk management? Should they own it? Should the CRO report to and be controlled by the CFO?

I welcome your thoughts.


About the Author
Norman Marks

Norman Marks, CPA, CRMA, is an evangelist for “better run business,” focusing on corporate governance, risk management, internal audit, enterprise performance, and the value of information. He is also a mentor to individuals and organizations around the world, the author of World-Class Risk Management, and publishes regularly on his own blog.

Main image: Kamil Pietrzak