Why FP&A ignores Risk & Control at its peril
Posted by Amrish Shah
What is this article about?
An Enterprise Risk Management framework takes into account both risk management and internal controls. This article explores why a good understanding of Risk & Control is important for Business Finance / FP&A. It does not give a detailed view of what a Risk & Control framework should look like.
Why is it important?
Most businesses, commercial or otherwise, are in business to create an impact and this impact can be measured in a number of ways. For most for-profit organisations this can be seen through a value creation lens. For non-profit organisations it might be about programme objectives and outcomes and linking these back to the input resources.
There is also the old saying: “no risk, no reward”.
This is important because it establishes the key principle that to relatively out-perform it is necessary to address bigger risks. But with bigger risks comes the chance of bigger failure. So the art and science of risk management becomes key: establishing it as a core capability helps to maximise the odds of success and minimise the odds of failure.
Why is this relevant for Finance and FP&A? Traditionally the role of internal controls has been under the purview of Finance. Its main focus has been on establishing robust financial controls to give assurance on the reliability of financial reporting, to minimize the opportunity for large-scale wrongdoing / fraud and to comply with any laws and regulations (e.g. Sarbanes-Oxley). Within this rather narrow scope, the idea of broader business risk management has been of secondary importance, with the exception of core financial risks, for example credit, liquidity risk etcetera.
At the same time the Finance function itself has been challenged to deliver more added-value services to the business by moving beyond the traditional stewardship and compliance activities to address the higher-level strategic finance agenda, the core of which is active performance management. So, in going beyond management reporting to actively drive business decisions and action in support of strategic objectives, the understanding of risk and its management becomes unavoidable.
What are the key considerations?
ERM can take many forms depending on the organization context. Some key elements would be Risk Management, Internal Audit, Internal Control, Policy Compliance, Systems Controls, Authorization Matrix etcetera.
Similarly, the choice of how to execute the chosen framework will depend on the organization context, culture, maturity and the amount of investment in this area. For example, the function of Risk Management can be centralized or primarily decentralized. It could be fully in-house or partially outsourced.
However, I don’t believe systems, models, frameworks, processes matter as much as two other things: mindset and culture. We go back to performance management via effective business partnering as the core purpose of Business Finance / FP&A. Achieving business objectives is going to involve taking risk and addressing risk appetite. But without understanding the nature of the risks being taken, the following problems can occur:
- Unlikely the risks will be managed effectively;
- Building a relevant control framework as part of managing the risk becomes harder;
- Resulting in it becoming difficult to provide measurement of impact on outcomes;
- Which results in making any learning harder – leading to a vicious circle.
Therefore, a key role of FP&A is to ensure that risk identification, assessment, management and evaluation is actively and transparently built into the performance management cycle and that it informs all key decisions. It is as simple and as difficult as that.
For example, if Risk is not a critical lens in any Strategic Planning process then it makes everything harder.
Are there any critical success factors?
There are a number of challenges to consider in order to help the business cultivate a better risk and control mindset. Some of these are:
- Business understanding: Simply put, if FP&A is not able to differentiate between operational and strategic risk, then it has little credibility to influence this part of the agenda;
- Reframing language: Moving away from compliance and managing downside to calculated or smart risk taking and enabler of improved business performance;
- Black Box syndrome: Helping develop tools that are as simple as needed to help the organization build its own confidence in embracing the nature of risks (and rewards). Avoid complexity in tools that ultimately are more about style than substance;
- Leveraging resources: Whatever the organization structure and context, if there is any group or central Risk & Control function, establish common agendas that focus on adding value to the business.
A final word
I hope in this article to have shown that, given that active management of risk is an integral part of performance management, it needs to be an area that forms a core part of any Business Finance / FP&A role, and that ignoring it risks ignoring a critical lever in managing potential outperformance.