Summary

In October 2006, CFO Research Services (a unit of CFO Publishing Corp.) launched a research program to examine the role of the CFO and the finance function in management of non-financial risks. In collaboration with IBM, our research partner and sponsor, we developed a set of hypotheses and then tested them by conducting desk research and interviewing senior finance executives.

All risk is ultimately financial. Every risk can be expressed in financial terms, and every risk can end up hitting the top and bottom line. This in itself is perhaps not news. But the major news of this report—an exploration of risk management practices at ten diverse organizations—is that the finance function is getting far more involved in the art—and increasingly the science—of non-financial risk management.

Why is that? This report offers a number of reasons. For one, the finance function extends into every part of the organization, collects information from every part, and thus has a view of the entire company. This allows and encourages the pan-organizational view central to any encompassing risk management approach. For another, the finance function alone has the resources and analytical ability to put non-financial risks in financial terms. Another still is that the savvy finance functions understand that by attempting to identify risk, measure it, explain it, and prepare response plans, they are increasing their strategic importance—their value—to the organization.

This is one significant theme of the report. There are others, related, and they are well worth noting. Most of the respondents cited September 11 as a watershed—a moment when they became far more cognizant of non-financial risks of every kind. These range from scandals, to natural disasters, to disease outbreaks, to outsourcing discontinuities, to aging workforces—indeed, to just about everything when you get right down to it. What is the best response? As this report makes plain, it can and does vary in its precise form, but all of the firms queried attempted to identify the risks, collect as much qualitative and quantitative information as they could, analyze the information, and formulate contingency plans. The exercise itself tends to tear down silos, build corporate cohesiveness, and solidify human relationships—all conducive not just to better risk control, but to better performance generally. Interestingly, the very best firms tend to see risk management not just as a grim exercise in disaster avoidance. They see it as a chance to build and extend the business. That is how the Zoological Society of San Diego, one of the organizations profiled in this report, views it. When an attendance slump struck in the wake of September 11, it began to open its wild animal park to new kinds of activities and to beef up its Internet presence. In response to the Avian flu threat, it developed a “skeleton” that other organizations could use to prepare their own plans. The point is that risk planning in its broadest sense can spur innovation and reinvention. By responding positively to potential threats, the society raised its operating performance and public profile.

So read this report both for specific guidance about non-financial risk management and for the inspiration these examples provide. Finally, perhaps, keep a sense of proportion about risk. It is always going to be there—and truly, just about anything can be categorized as risk. The trick is to understand it and optimize it without being paralyzed by it. The ten firms shown here have managed to do just that.