ACCA - The global body for professional accountants

With CFOs increasingly involved in shaping organisational strategy, for many, the development of enterprise risk management is becoming an integral part of the role

This article was first published in the April 2014 Malaysia edition of Accounting and Business magazine.

Are CFOs aware of what lies ahead, when it comes to risk management? According to Deloitte’s 2013 report, Risk redefined: The SEA CFO Survey, the majority are, and the awareness of both the importance of risk management, and the need to become increasingly involved with it in relation to their respective organisations, is growing.

Statistics from the survey reveal that 72% of CFOs in South-East Asia are more involved in risk management today than they were 12 months ago. This augurs well for business in general but is it enough? Should more be done, especially in the light of quick, sharp developments in the business sphere, and the fact that the calls for tightening regulations, more stringent compliance and tougher policing are growing more strident?

Like many CFOs, Axiata Group’s group financial controller Yap Wai Yip keeps his finger on the pulse of the market and is well aware of the risks that need to be managed when it comes to his industry, so the survey’s statistics come as no surprise to him. ‘There has been increased involvement of CFOs in the area of enterprise risk management in recent years,’ he says.

‘It’s become necessary because of the fast-changing business environment. Nowadays, myriad external factors – economic, environmental, social, regulatory, technological, political – all have an effect on the way business is done. CFOs have to take into consideration all these, as well as internal organisational issues, to adequately manage the risks of the business.’

What all this points to is the growing interconnectedness of businesses at home and abroad. There is also an increasing realisation that any decision made will inevitably have a knock-on effect and far-reaching consequences – hence the need for up-to-date information and adequate skills to make projections as accurate as possible, based on both current practices and trends that have gone before.

In parallel with this realisation is the very real situation of CFOs, particularly in South-East Asia, having to play more comprehensive strategic roles in the development of their respective firms. A CFO is no longer viewed as a head number-cruncher; indeed, he or she is today expected to be the source of sound financial advice while playing a major role in developing company strategy.

Growth of responsibility

While this is a clear indication of the importance of the CFO’s position, the traditional work associated with the head of finance has in no way decreased. The power of the position has grown, but so has the responsibility. The Deloitte survey showed that among the primary factors pushing risk management awareness among CFOs were constantly-evolving global regulatory environment and increasingly stringent domestic regulations. The bottom line is, if you don’t continuously keep an eye on everything, something is bound to go wrong. Risk management is, and will always have to be, a team effort, because any risk that affects any part of a company has the potential to affect the whole organisation.

Some corporations, including Axiata – one of Asia’s largest telecommunications companies – have established units that deal exclusively with enterprise risk management (ERM) but work closely with other departments. ‘Our ERM unit collaborates actively with other business units in the implementation and ongoing management of risks,’ Yap explains. ‘Its work extends to incorporating a formal process in the quarterly board meetings. We are aware that risk needs to be examined from all angles, both internally and externally.’

For multinationals like Axiata, ERM is an end-to-end process that examines current trends, potential changes and developments in the mid and long term. The issue of risk is as broad as it is deep, and it is one that involves the long-term sustainability of an organisation.

Malayan Banking (Maybank), on the other hand, has a group chief risk officer who heads its group risk function. ‘Our risk management is premised on three lines of defence: risk-taking units, risk control units and internal audit,’ explains group CFO Mohamed Rafique Merican.

‘This approach requires collaboration between the business sectors, the finance and risk functions,’ he says. The bank has, he adds, adopted global best practices aimed at strengthening risk management. ‘Risk management is really everyone’s responsibility,’ he continues. ‘Appropriate policies governing the transfer of capital within the Maybank Group are in place; the purpose of this is to ensure that capital is allocated on an optimal basis.’

Because Maybank has one of the country’s widest banking networks, in addition to foreign interests, managing capital is paramount to its operations around the clock, and needs to constantly comply with local and foreign regulatory capital adequacy requirements. The risk that comes with balancing these has to be managed at group and entity levels, Rafique adds, pointing out that as group CFO, his role is one of stewardship and balance, as capital needs to be managed enterprise-wide, across continents.

Axiata faces similar challenges, with Yap acknowledging that the political situation in countries where it operates is a big factor. ‘In such cases, specific risk focus is placed on investment or disinvestment decisions,’ Yap says.

Where to start?

In the wake of the most recent economic crisis to rock the business world and the financial mismanagement that has come to light, regulations have tightened, scrutiny has intensified and distrust of major corporations has grown. Yap believes that ERM today is as important as any of the firm’s traditional primary concerns, and should be an integral part of the financial and strategic management role that CFOs are increasingly required to take on. ‘It’s not something you can delegate,’ he says. ‘It involves the whole company; you really have to define a whole “universe” of risks!’

For that reason, the most effective method of implementing ERM may be to embed it in current practices. Axiata has, says Yap, already embedded it in day-to-day management and operational processes. ‘This universe of risks can then be further broken down to risks which we can manage or mitigate,’ he explains. ‘But we will always have risks that cannot be managed, although we can keep track of them. That is something we have to accept.’

The banking industry may have a different approach. ‘The ability to identify and manage risks is required core expertise,’ Rafique says. ‘Banks act as intermediaries; we ensure that appropriate returns are realised for the risks that we assume as a banking group. Because we face a multitude of risks, we have structured processes that are formalised within frameworks that are reviewed and approved by the group’s apex risk oversight bodies.’

This process, he clarifies, includes stating risk appetite, identifying risk, prioritising material risks, undertaking assessments, evaluating risk management options, designing mitigation strategies, implementation and monitoring, and regular review. ‘The identification process is undertaken from both a top-down and bottom-up perspective, through surveys and discussions with key stakeholders,’ Rafique adds. It also extends to new or emerging risks which, Rafique says, could be identified through new product sign-off processes, periodic bottom-up stress-testing, and regular review of loss experiences that are culled from the group’s various risk systems and databases.

Moving forward

Managing risk is definitely not a one-person job. Axiata and Maybank have special units, but even the teams that are in charge of ensuring that risks are adequately managed have their hands full. Despite constant vigilance, Yap concedes that some risks are beyond their control, especially when it comes to worldwide finance, political and regulatory issues.

‘We have to be diligent and ensure close monitoring constantly,’ he says. ‘Whenever the signs indicate a trend, we have to be proactive and take appropriate action. For that reason, risk managers need to be widely read and keep abreast of current developments in all areas that could possibly affect their particular industry.’

Rafique says that Maybank, with its wide outreach, implements continuous monitoring. ‘We have to pinpoint where and how risk will impact our business plan,’ he says. ‘Before a decision is made, for instance, simulation models are run. The CFO not only needs to have an in-depth understanding of the company’s performance; he is expected to be able to maintain a balance between risk, business planning, finance and pricing, and be the link between the business regarding risk-taking expectations and achieving the firm’s strategy of creating value.’ Issues and emerging trends are discussed vigorously, he adds, risks are quantified wherever possible, and limits are set to mitigate damage.

What do the experts recommend in the light of market place dynamics, and a rapidly evolving, invariably unforgiving business environment? Rafique supports having a structured approach that aligns strategies, policies, processes, people and technology for value creation. ‘One must-have is the support of the board and senior management,’ he emphasises. ‘With risk being reviewed and managed from the top, the culture will permeate the organisation. A consultative approach, openness and accountability will be key to formulating an appropriate risk management culture in the organisation – and effective communication is essential.’

Apply as many perspectives as possible, internally and externally, when identifying and assessing risk because, in order to execute financial management strategy effectively, CFOs need to take a 360-degree approach, Yap concludes. 

‘Current and potential regulatory requirements, business and industry trends, adjacent industry development, consumer market expectations, the state of the financial markets and the economies of countries you operate in, even the development of your organisation’s own talent pipeline, and new technologies,’ he says. ‘All these can have an effect on the kinds of risk confronting an organisation.’

Involvement of CFOs

Deloitte’s inaugural survey of CFOs in South-East Asia was designed to benchmark the thinking of CFOs of major regional companies. Among the survey key findings were:

  • Increasing CFO optimism. Although CFOs of public companies were less optimistic than those of private ones, optimism levels at the end of 2013 were higher than in the third quarter of the year.
  • The level of involvement of CFOs in risk management varies by industry. In technology, media and telecommunications, CFOs tended to be more involved (89%); compared with 62% in energy resources companies.
  • Public company CFOs were involved in risk management primarily because of external global industry changes in regulations and compliance, whereas private company CFOs are more involved because of their respective organisations’ internal emphasis on compliance.
  • The top five areas of risk where CFOs are involved are regulatory and industry compliance (90%); operational risk management (85%); managing, improving and remediating controls (83%); strategic risk management (81%); and external statutory reporting (76%).
  • Top strategies are strengthening internal controls; continuous internal audit; and implementing or overhauling the enterprise risk system.

Majella Gomes, journalist

Last updated: 16 Jun 2014