Risk Management in Accounting Firms: Overview of The New Australian Standards

INTRODUCTION

At its most basic level, risk is defined as the probability of not achieving, or reaching, certain outcomes (goals). Risk is measured in terms of the effect that an event will have on the degree of uncertainty of reaching stated objectives. Risk is commonly thought of in this context as a negative connotation: the risk of an adverse event occurring.

This article discusses the risks faced by accounting firms in Australia, and gives an overview of the new risk management standard (APES 325) issued by the professional standards board.

WHAT IS RISK IN ACCOUNTING FIRMS?

In the context of the professional Accounting Firm, risk is not a new concept for practitioners: it has been attached to the profession for as long as accountants have offered services in a commercial setting. However, as the number and size of legal claims against professional public accountants has increased over the years, so too has the issue of risk and risk management also increased in importance.

Risk management is the system by which the firm seeks to manage its over-arching (and sometimes, conflicting) public-interest obligations combined with managing its business objectives. An effective risk management system will facilitate business continuity, enabling quality and ethical services to be supplied and delivered to clients, in conjunction with ensuring that the reputation and credibility of the firm is protected.

WHY IS A STANDARD REQUIRED?

The Accounting Professional & Ethical Standards Board (APESB) recognised that public interest and business risks had not been adequately covered in existing APES standards, notably APES 320 (Quality Control for Firms). In releasing the standard, the APESB replaces and extends the focus of a range of risk management documents issued by the various accounting bodies. Accordingly, APES 325 (Risk Management for Firms) was released, with mandatory status from 1 January, 2013.

The intention of APES 325 is not to impose onerous obligations on accounting firms who are already complying with existing requirements addressing engagement risks. All professional firms are currently required to document and implement quality control policies and procedures in accordance with APES 320/ASQC 1. Effective quality control systems, tailored to the activities of the firm, will already be designed to deal with most risk issues that arise in professional public accounting firm. However, APES 325 does expect firms to consider the broader risks that impact the business generally, particularly its continuity.

THE NEW REQUIREMENTS

The process of risk management in the Professional Accounting Firm requires a consideration of the risks around governance, business continuity, human resources, technology, and business, financial and regulatory environments. While this is a useful list of risks to consider, it will be risks that are relevant to the operations of the practice that should be given closest attention.

Objectives

The ultimate objective for compliance with the Risk Management standard is the creation of an effective Risk Management Framework which allows a firm to meet its overarching public interest obligations as well as its business goals. This framework will consist of policies directed towards risk management, and the procedures necessary to implement and monitor compliance with those policies. It is expected that the bulk of the Firm’s quality control policies and procedures, (developed in accordance with APES 320) will be embedded within the Risk Management Framework, thus facilitating integration of the requirements of this standard and that of APES 320, and ensuring consistency across all the Firm’s policies and procedures.

A critical component of the Risk Management Framework is the consideration and integration of the Firm’s overall strategic and operational policies and practices, which also needs to take account of the Firm’s Risk appetite in undertaking potentially risky activities.

Whilst the standard allows for the vast majority of situations that are likely to be encountered by the accounting firm, the owners should also consider if there are particular activities or circumstances that require the Firm to establish policies and procedures in addition to those required by the Standard to meet the stated aims.

Establishing & Maintaining

Ultimately, it is the partners (or owners) of the Accounting Firm that will bear the ultimate responsibility for the Firm’s Risk Management Framework. So it is this group (or person if solely owned) that must take the lead in establishing and maintaining a Risk Management Framework, as with periodic evaluation of its design and effectiveness.

Often times, the establishment and maintenance of the Risk Management Framework is delegated to a single person (sometimes not an owner), so the Firm must ensure that any Personnel assigned responsibility for establishing and maintaining its Risk Management Framework in accordance with this Standard have the necessary skills, experience, commitment and (especially), authority.

When designing the framework, the firm requires policies and procedures to be developed that identify, assess and manage the key organisational risks being faced. These risks generally fall into 8 areas:

Governance risks and management of the firm;
Business continuity risks (including succession planning, and disaster recovery (non-technology related);
Business operational risks;
Financial risks;
Regulatory change risks;
Technology risks (including disaster recovery);
Human resources; and
Stakeholder risks.

The nature and extent of the policies and procedures developed will depend on various factors such as the size and operating characteristics of the Firm and whether it is part of a Network. In addition, if there are any risks that happen to be specific to a particular firm – caused by its particular operating characteristics – these also need to be identified and catered for. At all times, a Firms public interest obligation must be considered.

A key factor in any risk management process is the leadership of the firm, as it is the example that is set and maintained by the Firms leadership that sets the tone for the rest of the firm. Consequently, adopting a risk-aware culture by a Firm is dependent on the clear, consistent and frequent actions and messages from and to all levels within the Firm. These messages and actions need to constantly emphasise the Firm’s Risk Management policies and procedures.

Monitoring

An essential component of the Risk Management process is monitoring the system, to enable the Firm overall to have reasonable confidence that the system works. The system works when risks are properly identified and either eliminated, managed, or mitigated. Most risks cannot be entirely eliminated, so the focus of the system needs to be on managing risks down (preventing occurrences as far as practicable), or mitigating the risk (handling the event should it occur).

As part of the system, a process needs to be installed that constantly ensures that the Framework is – and will continue to be – relevant, adequate and operating effectively, and that any instances of non-compliance with the Firm’s Risk Management policies and procedures are detected and dealt with. This includes bringing such instances to the attention of the Firm’s leadership who are required to take appropriate corrective action.

The Framework needs regular monitoring (at least annually), and by someone from within the Firm’s leadership (either a person or persons) with sufficient and appropriate experience, authority and responsibility for ensuring that such regular reviews of the Firm’s Risk Management Framework occurs when necessary.

Documentation

A Risk Management system needs to be properly and adequately documented, so that all the necessary requirements can be complied with, and referred to (if necessary). The form and content of the documentation is a matter of judgment, and depends on a number of factors, including: the number of people in the firm; the number of offices the Firm operates, and; the nature and complexity of the Firm’s practice and the services it provides.

Proper and adequate documentation enables the Risk Management policies and procedures to be effectively communicated to the Firm’s personnel. A key message that must be included in all such communications is that each individual in the firm has a personal responsibility for Risk Management and are required to comply with all such policies and procedures. In addition, and in recognition of the importance of obtaining feedback, personnel should be encouraged to communicate their views and concerns on Risk Management matters.

In documenting the risk framework, the Firm needs to include and cover following aspects:

The procedures to be followed for identifying potential Risks;
The Firm’s risk appetite;
The actual identification of risks;
Procedures for assessing and managing, and treating the identified risks;
Documentation processes;
Procedures for dealing with non-compliance with the framework;
Training of Staff in relation to Risk Management; and
Procedures for regular review of the Risk Management Framework.

In alignment with the monitoring of the Risk Management system, all instances of non-compliance with the Firm’s Risk Management policies and procedures detected though its Monitoring process need to be documented, as with the actions taken by the Firm’s leadership in respect of the non-compliance.

Finally, all relevant documentation pertinent to the Risk Management process needs to be retained by the Firm for sufficient time to permit those performing the monitoring process to evaluate compliance with the Risk Management Framework, and also to follow applicable legal or regulatory requirements for record retention.

SUMMARY

Risk is an ever-present and growing component of delivering professional accounting services to clients, and is not confined to taking on client work that can put the firm’s reputation into decline. It is the everyday business conditions and decisions made that can weigh heavily on a firm.

The modern accounting firm is in the unique position of having all the operating risks of a main-stream business, with the addition of those imposed by the various regulators and authorities.

A comprehensive and effective Risk Management Framework will assist owners of firm in identifying deficiencies and blind-spots that can impact a firm, as well as placing a commercial assessment on the probability of an occurrence, and putting in place clear plans on what to do and when.

With more than twenty years in the fields of accounting and finance, sales and marketing, and operational activity, Michael (MK) has an extensive understanding how businesses succeed in a holistic manner.

He is also the Director of Insignia Consulting, accounting and business management consultants. Insignia Consulting has particular expertise, and specialises in The Quality Control Manual for Accounting Firms in Australia, with experience with QA Audits and developing customised manuals for public practice firms.

Risk Management Certification: Developing and Implementing A Risk Analysis Template

Individuals who are hoping to begin or enhance a career in business are often looking for opportunities to learn new and tangible skills. The number of business-training options available to individuals is almost endless, and it is often difficult to judge both their credibility and value. A risk management certification is a professional accreditation that provides legitimate and tangible business management skills that can aid any ambitious individual in their career progression. The training involved in earning a certificate in this area builds on the individuals previous training and work experience, and sufficiently prepares the individual to become a high-functioning and contributing member of any senior management team. During the certification process the pupil is introduced to the many different aspects of being a certified risk professional, including the development and use of risk analysis templates and organizational risk policies. Other areas of study include risk identification, analysis, assessment, prioritization, mitigation, and management. A certificate that focuses on these areas that be attained from any of the six primary industry associations that oversee the risk management profession. To earn a certificate in this area the student typically undertakes a certain level of training which in some cases includes class time as well as at-home reading materials. Most people use their certificate to pursue careers as risk managers, either as a consultant with a major international consulting firm, or as an internal risk professional within an organization.

An individual with a certificate in risk management typically begins their career as a risk analyst, a component of a larger risk analysis and oversight team. Over time these individuals have the opportunity to transition to the role of a risk manager or risk officer. One of the primary tools that a certified risk professional is taught how to develop or use is a risk analysis template. This is a document or series of documents that standardizes the risk assessment techniques that the organization plans to use to identify and evaluate the risks their operation is exposed to. These templates are usually designed with the help of a certified risk management professional and adequate examples are available for limited expense. In some cases an organization will develop their own series of templates that are unique to the idiosyncratic operation of the company, while other organizations may use a publicly distributed risk analysis template. That being said, those firms that take the latter approach will often take a standard framework and morph it to apply to their unique organization.

A risk analysis template is traditionally designed in a checklist format that aids the user in asking the correct questions when identifying and analyzing the operational risks the organization is exposed to. They suggest regular areas of risk exposure while also providing insight for organizations to look in areas unique to them. These frameworks are considerably helpful in evaluating the impact and probability of risk events, and aids the organization in prioritizing risks for mitigation and avoidance initiatives. It is always important to use a template that best matches the industry in which the organization operates; for instance, frameworks that apply to a multinational financial services company will be different from ones that apply to a manufacturer of chairs catering to local businesses.

Risk analysis templates are particularly attractive to small and medium sized businesses that either can not financially justify the expense of an external risk management consultant, or have no need for a full-time internal risk specialist. Of course, it is possible to acquire risk assessment and management skills through informal risk training, but free time is at a premium for most small business managers. These pre-designed templates and frameworks offer a great opportunity to leverage the insight of risk management professionals at a reduced cost.

Applying Collective Intelligence in Risk Management

I was reading a risk management blog today and was very impressed with the technical article covering various aspects of solvency and valuation of insurance industry. As I was reading it, my mind analyzed the information with respect to various laws, sections, cases etc. After finishing reading it, I took a breath and thought- “I actually felt like referring to various books to understand the article, will a regular business operation employee actually understand it?” This resulted in a depressing thought- “I do the same, to show my knowledge; I mention sections and case laws of various acts which leave business people stumped.” Well, in my defense I will say, it gives a heightened sense of satisfaction and success.

Somewhere I feel risk managers ( referred to as RM) are having their cake and eating it to. The primary responsibility of managing risks is of business operation team. The RM’s role is of a support function, a facilitator to the business. The business managers are not being provided with the necessary information, knowledge and tools to proactively manage their risks. Let me explain why I am making this statement.

In their role as auditors, they are focused on what went wrong in the past rather than equip the business managers to how to deal with the future. It is a feedback rather than feed-forward system working. The other aspect is that they in their role as advisors issue guidelines and policies without the complete involvement of the business people.

Scenario 1: Let me take a scenario here of implementation of information assurance policies. The RM will discuss the overall requirement with the business managers, prepare the policy, take feedback regarding it and then issue the final policy. Then they will tell business users to implement it. Since in quite a few areas implementation may not be possible, exceptions will be granted to the business users. In nutshell, around 75% of the policy only will be implemented.

In both these roles the involvement of business operations team is minimal at the commencement of the project. They are expected to implement the recommendations.

Considering the above mentioned short comings in the above mentioned approach, I wished to explore the concept of collective intelligence and its applicability to risk management functions.

As a first step, let us understand the nature of information and intelligence which risk managers require to conduct their jobs:

1) Organizational Intelligence- Information regarding processes, structure, culture and technology. These they normally get from the business managers through interviews and review of standard operating procedures.

2) Commercial Intelligence- Information regarding the external environment- customers, suppliers and competitors. This information they obtain from interviews with business managers, customers and suppliers. Other sources are various media and research reports published.

3) Technical Intelligence – Information regarding the various laws, acts, methodologies and tools applicable for risk management. RMs have the knowledge on how to conduct the risk management while using this information appropriately.

As can be seen business managers have more information and knowledge on two of the three intelligence capabilities required for conducting risk management. In a more collaborative approach the risk managers should be able to impart their skill specialization to the business managers effectively.

The question is how can this collaborative model work? Let me take the example again of preparing information assurance policies.

Scenario 2: In this scenario the RM puts up the objectives of preparing and implementing information assurance policies along with a table of contents and broad outline on the intranet. Now it is open to the employees to contribute and decide how it should be developed and implemented. The employees comment on what is applicable, how the process works, what are the bottlenecks and challenges, who should review it, how it should be implemented etc. The RM identifies the major contributors and meets them up to interview them. Based on the web interactions and meetings, the RM prepares a draft policy document and uploads it on the intranet. Again the employees are invited to review the same and provide feedback. After incorporating the feedback, the risk manager proceeds to obtain approval of the senior managers.

In this approach the RM has the buy in of the employees before the finalization of the policy. Hence, implementation will be easier since employees feel a sense of collective ownership and responsibility. This will enable adoption of information assurance polices as part of organization culture.

To further delve on the approach, I am adding the example which I read in “Collective Intelligence- Creating a Prosperous World of Peace” fore-worded by Yoachai Benkler and remixed by Hassam Masum. I have adapted the example “Three ways to storytelling” to the risk management function.

Three Ways of Story Telling- Risk Management Adaption

Let us formulate three societies for risk management: Red, Blue and Green. Each society has specific procedures on how to conduct and discuss risk management activities.

Red: In Red society hierarchical top down approach is followed. All the risk issues/ observations can be reported by the risk management department to the CXO’s. Business operation manager is required to go to their respective RMs to discuss their issues. A business process team member has to route their risk issue/ query through the business operation manager to the respective risk manager.

The senior management issues the guidelines, policies and reports to the business operation team. The business operation team members hear regarding the issues only from the senior management and implement accordingly. In this case, an employee’s understanding of risk issues is at an overall level controlled by the senior management. An employee’s perceptions and knowledge are based on the information provided to him/her by the seniors.

Blue: In Blue society again hierarchical top down approach is followed however with a slight difference. Here the business operation manager can bring up the risk issues directly to the CXO’s attention. Then the risk management department and business operation manager work in collaboration to address the issue. In this case, a change agent from business operation team can be nominated to address the risk issue.

In this scenario, the business operation team members hear about the risks which senior managers, RMs and their elected change agents inform them about. The employee’s perception, knowledge and awareness on risk issues are governed by this select group. Though information is not controlled as in the completely top down approach of Red, it is controlled by the major key players in the business operation team.

Green: In Green society the approach adopted towards risk management is of collective intelligence. Business operation team members can put all their concerns, suggestions and problems regarding risk management on the intranet. The other team members including the risk members would discuss the same on intranet and meetings, to suggest a solution to the issue and mitigate the risk.

In this scenario, the business operation team members discuss the issues which concern them. There is no control from a senior manager regarding the topics to be discussed, and no permission is required for the same. The flow of information regarding risk management is through multiple channels- team members, business managers, RMs and CXO’s. The information which an employee has is extensive and he/she is well informed regarding the subject. The perceptions and awareness is built through multiple sources of information.

The problem with the collective intelligence approach can be that employees have extensive information and on what basis will they decide the relevance and applicability of the information. How will the risk management function operate? The adjacent diagram depicts the steps for using collective intelligence in risk management activities.

The main advantages of this approach are:

1) Risk management department generally faces the challenge of adoption of risk management practices by the business operation team. There are enough people who commence the process, but for implementation a significantly higher number need to be knowledgeable about the issue. This requires focused efforts of building awareness and training. The cost of training and implementation is subsequently quite high. With collective intelligence approach a significant mass of people are already aware and knowledgeable about the issue. Hence, cost and time of implementation is lower.

2) Whistle blowing is the only option which is allowed to employees to bring a critical issue to light. This has a lot of negative repercussions on the employee, management and organization. With open communication, the employees will be able to discuss the smallest issue of corruption, illegality and unethical behavior without hesitation. Risk of exposure will also inhibit employees from indulging in such practices.

3) The other aspect is that this approach fulfills the psychological needs of the employees. The approach provides a sense of ownership to the business operation team and this motivates them to implement risk solutions. The RM are adopting feed-forward system by guiding the business operation team into doing what is right in the future. Rather than focusing on providing a critique on what has been done wrong in the past.

4) This approach encourages innovation and adoption of new ideas. Employees are encouraged to do their own research and revert back with their feedback. They are not told on what they should research on. The diversity in thinking works effectively in providing better solutions.

5) Last but not the least, a sense of collaboration and cooperation exists between all the departments. It breaks down the walls which managers construct to work in silos.

Do you think this approach is worth adopting for risk management function? Presently, most organizations are adopting the Red and Blue society approaches to risk management. What according to you would be the inhibiting factors for applying collective intelligence for risk management of Green society?

Another point not to be missed is which I think might be the unconscious agenda when I started exploring this concept. It significantly reduces the work and responsibility of RMs. They can chill!

Sonia Jaspal is a risk management and corporate governance professional with +15 years of work experience. She is a Chartered Accountant from India, a Certified Internal Auditor from USA and has also cleared Certified Public Accountants examinations from Delaware state (USA)

Still Using Spreadsheets for Managing Risks? – Switch to Risk Management Software

Managing risk is essential in every organization to accomplish its key objectives effectively. Risk management not only requires a reliable process to capture risks, but also needs a mechanism to document and administer the organization’s response.

An appropriate risk management tool always helps the risk managers to identify, assess, and prioritize the risks which can be prevented. Here, we will discuss about spreadsheets – commonly used risk management tools and their true costs. We will also know about the best tool to replace spreadsheets for effective risk management.

Spreadsheets are commonly used management tools because they are
• Convenient to use: Many people believe that spreadsheets are convenient to collect, code, sort and analyze data. Yes, they are better than paper based management systems, but they are risky.

• Flexible to enter data: With some basic encoding, spreadsheets offer flexible arrangements of rows and columns to enter data. They allow the user to configure and enter information in a way that suits his unique needs. But risk management involves analysis of various factors and a spreadsheet may not be helpful.

• Low cost or free option: Spreadsheets are either available as freeware or at low-cost. That is why organizations use them extensively. But they fail to understand the fact that the true cost of a tool should be defined by the operational costs that affect the business on long-run; not by the initial cost of the tool.

Are they really beneficial?
Many business owners and risk managers today are using spreadsheets as risk management tools unaware of the risks involved (however some are aware). Here are the risks involved:

• Inability to process huge amounts of data: Although spreadsheets are a good solution for small volumes of data, the processing and calculation will become complicated with the continual growth.

• Time consuming: Risk management requires collecting great deal of information, which often results in huge number of spreadsheets interlinked to each other. A little change to the data structure becomes a great task. This makes risk managers spend countless hours validating data, double checking formulas, and updating values, which is as a time-consuming process.

• Complex to find mistakes: It is quite difficult to find mistakes in a spreadsheet with lot of data. It is often time consuming process to find where exactly the mistakes have occurred.

• Limits the depth of risk analysis: With each change made to a spreadsheet, links between the information are lost making it difficult to analyze relationships over time. Without these links, it becomes tough to link risks and their controls. Also they offer limited access to past and current data making it difficult to compare data overtime.

• Intensive labor: The process of risk management involves continuous updating of data and it increases day by day. Updating data and using spreadsheets effectively requires lot of time and effort. So intensive labor with good knowledge of using the shortcuts and formulas is compulsory.

• Lacks security: A user can accidentally or intentionally delete vast amounts of critical information. Spreadsheets are highly vulnerable to virus attacks, hard disk crashes, and other unexpected disasters.

Underlying costs of using spreadsheets
In general, people think that spreadsheets are free, but they never calculate the underlying costs that can impact the business. Following are the true costs of using them.

• Labor costs: As discussed earlier, it takes lot of effort to create, maintain, organize, and report using spreadsheets. However, the fact that these things require labor, which in turn results in huge costs to the company, is often ignored.

• Opportunity costs: Spreadsheets consume lot of your time and effort, which you can productively use for adding value to the organization. Many business owners, in fact, lose many opportunities hanging around with spreadsheets.

• Risk and non-compliance costs: Spreadsheets lack in company wide visibility, accountability, security and control which results in increased costs in terms of failed audits, unforeseen events, increased insurance costs and so on.

• Scalability costs: A small company can manage and use one spreadsheet to track all records. But as the business grows, the effort of maintaining and consolidating these records increases exponentially. At one point this process fails and negatively impacts the business.

• Human error costs: Spreadsheets are vulnerable to manipulation, which can dramatically impact the company. Moreover, with the increasing chances of human errors, it is difficult to consider that the data is valid and reliable. These human errors can cost a lot to the company.

Effective tool to replace spreadsheet – Risk Management Software
After seeing all the risks and costs involved with spreadsheets, one would certainly ask for a better tool to manage risks and here is the solution – the Risk Management Software. It can effectively replace spreadsheets in the risk management process. Following are the benefits of using risk management software.

• Effective control over GRC processes: Risk management software helps in the effective control over the GRC (governance, risk management, and compliance) processes with proper documentation and work flow. They also help managers in risk assessment and analysis, visualization and reporting.

• Data security: User can limit the availability of data by creating passwords. He can also give full access to all the data to a particular group of people within the organization. This feature eliminates the risk of manipulation of data.

• Real time recording: Recording and updating information regarding risks is easy using this software. You need not spend hours to update the data.

• Reliable audits: This software offers full protection to all the data in the system with fully automated backups. This allows auditors to extract robust and reliable audit trails without unnecessary effort and thus it helps them in identification of risks, and creation of risk management strategies.

• Automated risk reporting: It provides the user with clear information on their objectives and risks associated. It also informs about the required actions and scheduled dates to implement them to prevent risks.

• Clear and consistent reports: A unique feature of this software is that it provides clear and consistent reports making it easy for managers to view the risks in real-time.

How to choose effective risk management software
With growing demand of the risk management software, many companies offering this software evolved in the market. Therefore it is important to choose the effective one to reap the maximum benefits. Following are some tips to choose a good one.

• Reputed vendor: A well established and experienced vendor definitely offers standard products as he fully understands risk management standards.

• Maximum features: Before buying the product, make sure that it has all features to help you in managing the risks properly.

• Customer service and tech support: As this product is new for the organization, it is important to choose a company that offers 24/7 tech support and timely customer service. Moreover, as risk environment demands a constant change of compliance, make sure that the vendor is offering regular product updates and maintenance releases.

An upgrade in the existing technology never says that the existing product is of no use, instead offers the user with more useful features. Upgrading to latest tools like risk management software enhances the organization’s capabilities in managing risk.

Strengthening the CFO’s Role in Strategic Risk Management

Strengthening the CFO’s role in strategic risk management to lead Capital intensive business in market volatility

Capital Intensive Businesses

Capital-intensive business exists with lower margins. Management is always expecting Return on Capital Employed (ROCE) above the cost of capital. The major businesses are Oil & Gas, Infrastructure, Construction, IT etc.

Market Volatility Challenges

Market volatility, ceaseless pressure on margins and demanding stakeholders increase the difficulties of thriving in an increasingly interconnected, interdependent and unpredictable global economy.

Many organizations have yet to adapt to this new state of the economic landscape. Doing nothing is no longer an option – they need to adjust and take action now.

Many organizations are now transforming their businesses to strengthen their organization to save costs, create more client-centricity, restore stakeholder confidence and/or embed new business models.

For many organizations, long-term success depends on the success of these transformation programs. To make it more challenging, the margin for error continues to be small, and the environment in which transformation needs to happen continues to increase in complexity.

Strategic Risk Management

• It’s a process for identifying, assessing, and managing both internal and external events and risks that could impede the achievement of strategy and strategic objectives.

• The ultimate goal is creating and protecting shareholder and stakeholder value.

• It’s a primary component and necessary foundation of the organization’s overall enterprise risk management process.

• It is a component of Enterprises Risk Management (ERM), it is by definition effected by boards of directors, management, and others.

• It requires a strategic view of risk and consideration of how external and internal events or scenarios will affect the ability of the organization to achieve its objectives.

• It’s a continual process that should be embedded in strategy setting, strategy execution, and strategy management.

Identifying concrete steps for CFOs to increase involvement in risk management for investment decisions

Concrete Steps to Increase the CFO’s Involvement in Risk Management

• Build a tight link between risk management and other Business Process

• Lead a corporate-level discussion of Risk Preference, Focusing on Risk Choice and select optimal mix

• Use Risk Analytics to communicate investment and strategic Decisions

Build a tight link between risk management and other Business Process

• Focus on foresee issues which will emerging in the future instead of current issues.

• On the basis of prioritization a guidelines to be issued for which Business performance metrics would be effected.

• Business Planners conduct adhoc analysis of upside versus risk, focusing most, if not all, of other attention on a single “Center Cut” scenario.

• Highlighting exactly where and how risk will affect the Business Plan

• Incorporating systematic stress testing using macro scenarios which will reflects possible impact on financial planning

• Applying probabilistic “financial at risk” modeling for major investment decision these efforts. (Cash in hand vs cash needs)

Lead a corporate-level discussion of Risk Preference, Focusing on Risk Choice and select optimal mix

• It is critical to have clear answers to the following questions before making decisions:

o What is the company’s competence in the market?

o Are the decision makers familiar with the risks involved including the tail risks and understand their potential impact?

o Is the company capable of surviving extreme events?

• Risk appetite articulates the level of risk a company is prepared to accept to achieve its strategic objectives.

• Risk appetite frameworks help management understand a company’s risk profile, find an optimal balance between risk and return, and nurture a healthy risk culture in the organization. It explains the risk tolerance of the company both qualitatively and quantitatively.

• Qualitative measures specify major business strategies and business goals that set up the direction of the business and outline favourable risks.

• Quantitative measures provide concrete levels of risk tolerance and risk limits, critical in implementing effective risk management.

Use Risk Analytics to communicate investment and strategic Decisions

• CFO plays an important role in financial and strategic aspects of investments and the evaluation of major decision. He leads the discussion and rival proposals and solutions and often hold powerful decision rights.

• Major Projects with value at stake comparable to total risk from current company operations are discussed and decided with qualitative list of major risks.

• The CFO is ensuring by defining right set of core financial and risk analytics to run for each option to ensure this value stake is brought to light and debated.

EXAMINING LEADING PRACTICES APPLICABLE TO CFOS THAT CAN AUGMENT A COMPANY’S FINANCIAL HEALTH

Best Practices applicable for Company’s Financial Health

CFO have several options to compete more effectively in the Risk Management decisions. Improving returns starts with rethinking where to play-and with four strategic steps that many companies often overlook when it comes to improving performance.

Where to play: A more profit-focused portfolio

• The most pressing issue for leadership teams in capital intensive industries is whether to stay in businesses in which margins have been relentlessly driven down. Many companies are choosing to exit low-profit businesses that once were considered to be core. As they rebalance their portfolios, they are migrating up the value-added chain, investing in related sectors where new technologies can provide competitive advantages.

• Profit pool mapping is an important tool for assessing whether and where it makes sense to do business. In heavy industries, management teams often are so focused on volumes and tonnage that they overlook where the biggest profit pools are. By understanding the sources and distribution of profits across their industry, companies can gain an inside edge on improving returns.

• The premium end of the business typically represents a very large proportion of the profit pool. The best opportunities often cluster there for companies competing in capital-intensive industries.

• Picking the right place to play in the value chain is also critical to improving returns-and the most profitable spot varies across industries.

Best Practices applicable for Company’s Financial Health How to win: Four strategic steps to improving returns

1. Improve the cost base and review capex continually -

• In capital-intensive industries where low returns have become endemic, reducing costs and improving capex efficiency are important ways to improve performance – New developing market entrants in capital-intensive industries have built a strong competitive advantage by keeping capex relatively low. By contrast, the focus on cutting costs at many established players means they sometimes lose sight of improving capex. One way to get the balance right: Develop a more disciplined approach to managing capex, and benchmark the company’s performance against the industry’s leaders.

• Cost discipline makes a critical difference. One-time efforts usually fail to deliver savings that stick, as our research shows. One explanation is that in tough times, management teams are quick to cut costs, but when the cycle swings up, they tend to take their eye off cost improvement and focus on growth-related priorities.

• Developing a rigorous approach to cost improvement and nurturing the right capabilities to optimize working capital can help capital-intensive companies outperform.

2. Build the lowest-cost position

• Geography is another key factor for improving returns. Investing in geographies that offer the lowest landed cost position can create a strong competitive advantage. It’s particularly important in asset-heavy industries where the one-time cost of closing and moving businesses is high.

• The best-performing firms revisit their geographic footprint regularly, as cost dynamics are constantly evolving.

• Companies that can choose the lowest-cost geography up front gain a competitive edge. Those in mature industries need to weigh the short-term downside against the longer-term benefits of reducing complexity.

3. Use mergers and acquisitions strategically

• Smart acquisitions can help improve performance significantly, but many companies get off to a bad start by investing at the top of the cycle, when prices are at their peak, simply because that’s when cash is available. Leadership teams that take a strategic, disciplined and long-term approach to M&A instead of a tactical and episodic approach can improve returns significantly.

• Companies that nurture M&A as a core competence derive the greatest value from them. Their leadership teams devote time to developing a structured roadmap of the most attractive potential targets, making it easier to acquire assets when the right opportunity comes along-and to target acquisitions at the bottom of the cycle.

• Companies that are most experienced in M&A build their capabilities over time. They search hard for merger or acquisition candidates that will add to their operating profit and fuel balanced growth. They pursue nearly as many scope deals as scale deals, moving into adjacent markets as well as expanding their share of existing markets. Most importantly, they create Repeatable Models for identifying, evaluating and then closing good deals. What they typically find is that there are plenty of good prospects to be pursued and that the risk involved decreases with experience.

4. Service ace

• For traditional capital-intensive industries, service can be a highly profitable business in its own right, generating better and faster return on investment than new production facilities, large-scale R&D programs or acquisitions.

• Indeed, for many industrial manufacturers, investing in service is the only way to sustainably grow profits in a tough economic environment. Investing in a service business also lowers capital intensity.

• Investing in a world-class service business can become a strategic ace, elevating a company above competitors in an environment where differentiation on products and cost is difficult to achieve. The range of service opportunities, some larger than others, will vary by industry and company. Here again, mapping profit pools can help identify the potential size of service businesses and those with the greatest returns.

o There is no question that companies in capital-intensive industries operate in a difficult environment today. But leadership teams that commit to a bold ambition have opportunities to break away from the pack and achieve double-digit returns significantly above the cost of capital.

Best Practices applicable for Company’s Financial Health-Getting there requires a strategic shift toward a more profit-focused portfolio:

• Find the most attractive profit pools in your businesses.

• Adopt a mindset of continual cost improvement and capex optimization.

• Look for opportunities to drive down the company’s landed cost footprint by investing in the right geographies.

• Develop strong in-house M&A expertise and a structured roadmap of potential deals.

• Invest in related service businesses

Leadership teams that take these steps will not only give returns a powerful boost, they also will help to rebuild competitive advantage and position their companies to win in a changed industrial landscape.

Reengineering Strategies to improve the link Between Risk Management and Business Planning Process

• Business process reengineering is one approach for redesigning the way work is done to better support the organization’s mission and reduce costs.

• Reengineering starts with a high-level assessment of the organization’s mission, strategic goals, and customer needs.

• Within the framework of this basic assessment of mission and goals, reengineering focuses on the organization’s business processes–the steps and procedures that govern how resources are used to create products and services that meet the needs of particular customers or markets.

• Reengineering identifies, analyses, and redesigns an organization’s core business processes with the aim of achieving dramatic improvements in critical performance measures, such as cost, quality, service, and speed.

• Reengineering recognizes that an organization’s business processes are usually fragmented into sub processes and tasks that are carried out by several specialized functional areas within the organization.

• The CFO Act focuses on the need to significantly improve the government’s financial management and reporting practices. Having appropriate financial systems with accurate data is critical to measuring performance and reducing the costs of operations

Management & Decision Support Structure

• Investigate suggestion for reducing costs and to make them practical and acceptable

• Obtain definite prices and costs

• Present recommendation in comprehensive report

People & Organization

• Organize around outcomes and not tasks

• Have those who use the output of the process perform the process

• Built control in process systems

• Treat geographically dispersed resources

Policies & Regulations

• Develop policies and procedures

• Comply with compliances

• Environmental compatibility

Information & Technology

• Information should go along with the process

• Link all activities

• Capture information at source

• Create reports and real time online updates

Frame for Assessing Reengineering

• Assessing the Organisation’s Decision to Pursue Reengineering

• Reassessing of Its Mission and Strategic Goals

• Identifying Performance Problems and Set Improvement Goals

• Engagement in Reengineering

• Assessing the New Process’ Development

• Appropriately Managing of Reengineering Project

• Analysis of the Target Process and Developed with Feasible Alternatives

• Completion of Sound Business Case for Implementing the New Process

• Assessing Project Implementation and Results

• Following a Comprehensive Implementation Plan

• Executives Addressing Change Management Issues

• New Process Achieving the Desired Results

FOCUSING ON RISK PREFERENCE AND CHOICES FOR CFOs CONSIDERATION TO DELIVER ECONOMIC PROFIT DURING TOUGH CONDITIONS

CFOs need to develop a stronger focus on the economic and performance drivers of their business and need to understand how the effective allocation of scarce resource will help them achieve financial objectives. The CFO must build a performance management capability that can:

• Provide visibility and analysis of information to support resource allocation

• Support the decision-making process by providing the right information to the right people at the right time

• Demonstrate the financial impacts of different decisions and scenarios to enable the organization to predict and compare outcomes

• Incentivize executives and managers to make decisions that maximize marginal contribution

• Enable a data-driven view on resource allocations across the entire value chain (to include corporate strategy; sales, marketing and customer service; supply chain manufacturing and production; finance, HR, legal and compliance)

• Identify the most critical decision points that drive economic performance

With a unique perspective across the entire business, CFOs can provide valuable insight into the decisions that create or protect marginal contribution across the value chain. Armed with a detailed understanding of how and where growth in sales leads to growth in profits, they can offer an objective assessment of fixed and variable costs, and then identify how a reduction in costs can maintain revenues while improving profit contribution.

• Establish a clear, forward-looking line of sight on relevant data for critical decision points

Finance must have access to a robust data set, built around the decisions that drive most economic value in the organization, including assessment of opportunity cost. This demands accurate, verifiable underlying data and an understanding of how the data relates to value chain decisions. This will enable the CFO to conduct scenario planning around these different decision points.

• Develop aligned performance management processes that drive rational decisions

Finance must be able to translate insights and understanding into the desired end product – rational decisions that maximize the desired economic return. Aligning traditional resource allocation processes with business objectives helps ensure repeatability and the sustainability of the organization.

• Ensure compliance and make sure that finance’s voice is heard

The CFO and finance function must be positioned appropriately within the organization to be able to influence decision-making and action. Additionally, finance professionals must improve communication and influencing skills to ensure that their voice is heard and their advice is valued and acted upon.