Getting a Grip on Risk

While many surveyed senior financial executives say they are only “somewhat confident” in their organization’s ability to effectively manage risk, most also say the risk strategy of their organization is either mostly or fully aligned with its risk appetite, suggests the report, The State of Enterprise Risk Management in Canada, jointly conducted by Financial Executives International Canada and Chartered Professional Accountants of Canada

Although the majority (66%) of the 320 online survey respondents from across Canada describe themselves as “somewhat confident” in their organization’s ability to manage risk, just 20% of the chief financial officers (CFOs) and other senior financial executives who participated in the survey report being “extremely confident.” Of the remaining respondents, 8% say they are “neutral” and 6% say they are “not very confident.”

However, more than half (56%) of the executives surveyed note their organization’s risk strategy is “mostly aligned” with its risk appetite and 16% say it is fully aligned.

While the vast majority of surveyed executives report the senior management team and corporate directors have a solid grasp on the risks facing the organization, fewer than one-third note they feel the same about front-line employees, indicating a gap between management and staff.

Released in February 2016, the survey’s main respondents were CFOs (30%), controllers (23%) and vice presidents of finance (12%). The leading industries represented included manufacturing (21%), finance and insurance (18%), and mining, quarrying and oil and gas (9%).

UNDERSTANDING OPPORTUNITIES AND RISKS

The study clearly identifies a need to close the gap between upper management, corporate directors and front-line employees, all of whom have different perceptions of risk. Some executives report that risk management is not top of mind for most employees.

“We have several business units across several geographic areas, almost 300 organizations and partnerships, and a few hundred employees,” Jeff Shickele, Amacon’s vice president of accounting, notes in the report. “Most of our employees don’t really think in terms of risk management.”

Robert McFarlane, former executive vice president and CFO for TELUS, suggests it may be that front-line employees simply view risk differently than senior executives. McFarlane recommends using an in-house risk assessment tool to help close the gap between front-line staff and senior executives, for whom the Top 10 risks were typically strategic risks.

In the case of TELUS, for the front line, top-rated risks were typically more operational, such as customer service-related risks or process-related concerns.

“I think it (the assessment) was a tool that actually allowed the organization to say, ‘We have to do a lot more than provide lip service to our stated priority,’ and the entire organization has to put customers first and improve customer service,” he notes. “Unless you have a cross-section throughout the organizational hierarchy of a large organization, as opposed to merely a survey of senior management, then you’re not going to really have a good understanding of the true risks the organization faces.”

While the majority of financial executives did say their Boards of Directors (BoD, 72% of participants) and senior management teams (80%) either mostly fully or fully understood the risks relevant to their organizations, knowledge of risks among corporate directors is not necessarily viewed as comprehensive.

In addition, that level of comfort falls dramatically among small organizations (revenue of less than $100 million), with 10% of respondents reporting that their boards have little or no understanding of threats and opportunities, roughly double the percentage among other revenue groups.

When viewed by employee count, mid-sized organizations (101 to 500 employees) rate their boards lower, with 66% mostly or fully understanding risks compared to small (72%) and large organizations (78%).

“Oversight is 100% the board’s responsibility,” Dean Cosman, CFO and vice president of finance and administration for the Canada Deposit Insurance Corporation, emphasizes in the report. “For me, the role of the chief executive officer and the executive management team is the management of the risk,” Cosman continues.

The survey shows that the senior management team perceives itself to have a somewhat stronger grasp of the risks facing organizations than its BoDs.

Overall, participants state 80% of the responding organizations’ senior management teams mostly (49%) or fully (31%) understood the risks associated with their respective businesses (see chart on page 45).

Confidence in senior management was somewhat lower in small revenue-based organizations, namely those with revenue of less than $100 million (79%).

The type of corporate structure (private, public, government/NGO) indicated some variation. For instance, 28% of respondents from private companies and 25% from government and Crown corporations say their senior management team “fully understands” the risks to the organization compared to 41% of NGOs.

“With the speed of change in today’s economy, identifying, understanding and addressing risks in a timely fashion is critical to an organization’s success,” says Laura Pacheco, vice president of research for FEI Canada. “It’s also essential to communicate these risks to employees. The study results indicate a communication gap exists in companies today with regards to risk. This communication is increasingly part of the role of today’s CFOs,” Pacheco adds.

RISK ALIGNMENT

When asked about the organization’s strategy being aligned to its risk appetite, most respondents say they feel the company was either fully (16%) or mostly (56%) aligned. However, 24% say the company’s strategy was only somewhat aligned to its risk appetite and a further 4% say it was not very aligned at all.

Aligning strategy and risk appetite are important, since there are plenty of real and potential risks that organizations must identify and plan for, yet risk, when managed correctly, can be a driver of new possibilities, growth, expansion and innovation. “We keep reminding ourselves that it is about the opportunities and the threats, but as accountants, our inclination is to think about the threats first,” Bev Davies, vice president of enterprise risk management (ERM) at Investors Group Inc., says in the report.

“That’s the benefit of ensuring we bring more operational, sales and marketing people into the room, to remind ourselves it goes both ways,” Davies adds.

Robust, institutionalized ERM programs are common among bigger companies. For these large and public companies, it is typical that risk management forms part of their overall business strategies, where almost half have a strategy in place, although the percentages decline for smaller and private companies.

The survey indicates that despite the myriad threats facing businesses today, 20% of respondents reveal their organizations do not have a documented risk management plan. And even a documented plan is just a starting point for actual implementation, says Carol Raven, a CPA Canada principal in research, guidance and support. “Having a risk management program in place isn’t enough,” Raven argues. “You need to be putting it into practice and ensuring you have the right people overseeing it.”

The 2008 financial crisis reinforced the need for risk management while highlighting the threat of unexpected occurrences. More recently, high-profile cases of cyber attacks on corporations have raised awareness even further.

Many of these same executives confirm that many risks could have a “major impact” on their particular business, or even threaten the ability of the business to function. For instance, 28% of financial executives surveyed report that cyber risk represents a significant risk, defined as having a major impact or even posing a serious threat to business continuity, to their organizations in the next 12 months.

What risks are Canadian organizations most wary of? Getting the strategy wrong, it turns out. Beyond general economic and industry conditions, organizations worry about leadership, enterprise reputation and enterprise strategy, identifying these risks and others as major impacts or business continuity risks to their organizations.