First Reference company logo

Inside Internal Controls

News and discussion on implementing risk management

machine cogs image

Managing risk means opening your eyes every day

risk-aheadA piece proclaiming the results of a new survey of Canadian financial executives by FEI Canada and Chartered Professional Accountants of Canada caught my eye (thank you, John Fraser).

It makes some good points:

  • While many Canadian organizations are concerned with risk and have a documented management plan in place, a significant number (one in five) do not.
  • Robust, institutionalized enterprise risk management programs are common among large and public companies, where nearly half have one in place. The percentages decline for smaller and private companies.
  • The majority of respondents (66 per cent) describe themselves as only “somewhat confident” in their organization’s ability to manage risk and the research also suggests there is a greater need for organizations to bolster oversight and operational responsibilities relating to risk.
  • “With the speed of change in today’s economy, identifying, understanding and addressing risks in a timely fashion is critical to an organization’s success. It’s also essential to communicate these risks to employees. The study results indicate that a communication gap exists in companies today with regards to risk. FEI Canada increasingly sees this communication as part of the role of today’s CFOs.”

On the surface, it is good news that the majority of Canadian CFOs are confident in their management of risk and believe that employees understand the risks to the organization. 72% feel that their strategy is aligned with their risk appetite.

But, do the authors of the study understand what effective risk management entails?

I am less than sure, especially when I see that they expect top management (including the CFO) to tell the rest of the organization what the risks are.

While some risks are ‘strategic’, most risks are created or modified by everyday business decisions and actions. Thinking that you can identify a list of risks and communicate them down is missing the major part of risk management. Every business decision, by every decision-maker across the extended enterprise, needs to be informed by what might happen. This is not managing a list of risks at all! This is part of managing the organization every day!

The study, to my mind, considers risk management as thinking about and taking action to avoid or mitigate the effect of the storm that might hit at some future date.

But, truly effective risk management is about making the right decisions every day, optimizing outcomes in the face of uncertainty about what might happen.

I wonder what the CFOs surveyed would have said if asked this question?

How confident are you that people are making intelligent, informed decision that consider what might happen in the future – not only what might go wrong but what needs to go right – and how that decision might affect achieving the objectives of the enterprise?

I welcome your views.

Norman D. Marks, CPA, CRMA
Author, Evangelist and Mentor for Better Run Business
OCEG Fellow, Honorary Fellow of the Institute of Risk Management

Occasional Contributors

In addition to our regular guest bloggers, Inside Internal Controls blog published by First Reference, provides occasional guest post opportunities from various subject matter experts on the topics of risk management and best practices in finance and accounting, information technology, environmental issues, corporate governance, sales/marketing and operations, not-for-profits and business related issues in Canada. If you are a subject matter expert and would like to become an occasional blogger, please contact Yosie Saint-Cyr at If you liked this post and would like to subscribe to Inside Internal Controls blog click here.

, , , , , , ,

Comments are currently closed.