Events of the past few years have stress-tested the business continuity management (BCM) and enterprise risk management (ERM) of organisations around the world.
According to the 2022 Global State of Enterprise Risk Oversight, jointly commissioned by the ERM Initiative at North Carolina State University and AICPA & CIMA, in most regions of the globe, only about one out of every three organisations claim to have complete ERM processes in place.
In a complex world, unknowns are unavoidable. Eliminating uncertainty is not only impossible, but ill-advised, because the pursuit of certainty can lead to focusing only on what can be measured, creating dangerous blind spots.
Finance leaders should aim to create robust BCM and ERM processes while fostering a culture that encourages debate and constructive tensions around data to surface unknown but knowable risks and opportunities.
For senior leaders looking to minimise risks and take advantage of opportunities in a world of unknowns, here are some key tips gleaned from AICPA & CIMA research:
Boost resilience through business continuity planning
Disruptions happen. It’s how businesses deal with them that matters most to stakeholders. A solid business continuity plan allows organisations to continue delivering critical products and services in the face of an incident or crisis.
The CGMA Business Continuity Management Tool outlines six key steps to developing BCM capabilities:
- Assessment and objective setting: Gather organisational support, identify a team to lead the project, review existing plans and create a BCM policy.
- Critical process identification: Pinpoint essential business functions, how they are executed and what resources they need to perform tasks.
- Business impact analysis: Identify the ways each business function could be impacted by potential disasters and incidents. Estimate the maximum tolerable outage (MTO) and recovery point objective (RPO) for each process.
- Continuity response approaches: Accelerate the return to normal business operations with preparation and crisis management.
- Plan implementation and testing: Carry out annual (or quarterly) tests of the plan. Aim to simulate real-world conditions.
- Monitoring, validating and improving: Identify any gaps or weaknesses in the plan following tests and actual incidents. Make improvements based on post-crisis analysis.
Financial management professionals possess many of the skills required to create effective and cost-efficient business continuity plans. Leverage your finance team to conduct cost-benefit analyses, align investments with business objectives and identify how organisational change affects large investments.
Invest in risk management for greatest returns
Most businesses have processes in place to manage risk, but some organisations may not be investing enough resources into ERM. According to the 2022 Global State of Enterprise Risk Oversight, fewer than half of organisations think their risk management processes provide important strategic advantages.
Organisational leaders shouldn’t think of risk management as competing with other top priorities, but as a way of ensuring their success.
If your organisation doesn’t have complete ERM processes in place, you should engage key stakeholders to create a plan to refine them.
The best time to prepare for an incident or crisis is during periods of relative calm. Once an incident occurs, it’s already too late to form an effective plan.
Business leaders have packed schedules, often lacking time to focus on managing risk. For that reason, an increasing number of organisations are appointing a chief risk officer (CRO) to spearhead risk management.
The CRO might start by asking a series of questions to assess the organisation’s starting point, such as:
- What aspects of current ERM processes are working well?
- Which aspects could be improved?
- How can the organisation better align risk information with strategic decision making?
- Which issue should be addressed first?
More advice for assessing an organisation’s risk management can be found in the Global State of Enterprise Risk Oversight report.
Open lines of communication across functions to pinpoint potential risks
Silos are the enemy of agility. When an incident occurs, all key functions need to work together to address the situation with a unified front.
To make sure risks are managed across the enterprise, many organisations have formed management-level risk committees comprised of individuals from each business function.
Whether the incident in question is a global pandemic or a company scandal, it will probably involve more than one function. For example, a pandemic will require a coordinated response by human resources, IT, finance, marketing and more.
The finance function can help facilitate cross-functional problem solving by encouraging debate and constructive tensions around doubts.
In AICPA & CIMA’s thought leadership on ‘Dealing with the Unknown’, the report’s authors argue for management accounting systems that are:
- Visual spaces for interaction
- Methods of ordering and scrutiny
- Platforms for mediation
- Motivating rituals of engagement
Not all risks are going to be revealed in spreadsheets, which is why it’s essential for management accountants to consistently raise questions about things that cannot be measured. When working to solve complex problems with other business functions, finance professionals should address and mediate any tensions that arise to develop better solutions for the entire enterprise.