A piece proclaiming the results of a new survey of Canadian financial executives by FEI Canada and Chartered Professional Accountants of Canada caught my eye (thank you, John Fraser).
It makes some good points:
- While many Canadian organizations are concerned with risk and have a documented management plan in place, a significant number (one in five) do not.
- Robust, institutionalized enterprise risk management programs are common among large and public companies, where nearly half have one in place. The percentages decline for smaller and private companies.
- The majority of respondents (66 per cent) describe themselves as only “somewhat confident” in their organization’s ability to manage risk and the research also suggests there is a greater need for organizations to bolster oversight and operational responsibilities relating to risk.
- “With the speed of change in today’s economy, identifying, understanding and addressing risks in a timely fashion is critical to an organization’s success. It’s also essential to communicate these risks to employees. The study results indicate that a communication gap exists in companies today with regards to risk. FEI Canada increasingly sees this communication as part of the role of today’s CFOs.”
On the surface, it is good news that the majority of Canadian CFOs are confident in their management of risk and believe that employees understand the risks to the organization. 72% feel that their strategy is aligned with their risk appetite.
But, do the authors of the study understand what effective risk management entails?
I am less than sure, especially when I see that they expect top management (including the CFO) to tell the rest of the organization what the risks are.
While some risks are ‘strategic’, most risks are created or modified by everyday business decisions and actions. Thinking that you can identify a list of risks and communicate them down is missing the major part of risk management. Every business decision, by every decision-maker across the extended enterprise, needs to be informed by what might happen. This is not managing a list of risks at all! This is part of managing the organization every day!
The study, to my mind, considers risk management as thinking about and taking action to avoid or mitigate the effect of the storm that might hit at some future date.
But, truly effective risk management is about making the right decisions every day, optimizing outcomes in the face of uncertainty about what might happen.
I wonder what the CFOs surveyed would have said if asked this question?
How confident are you that people are making intelligent, informed decision that consider what might happen in the future – not only what might go wrong but what needs to go right – and how that decision might affect achieving the objectives of the enterprise?