In this article, I consider the five key questions a mid-market business should ask themselves when it comes to risk management in the current environment.
Are you clear about the key risks facing your business?
If recent months have taught business leaders anything, it should be that to survive – let alone thrive – in turbulent times requires being prepared for the unexpected. Not many (any?) will have planned for a global pandemic, but maybe some businesses were better equipped to manage risks than others. For example, for the Finance Function perhaps, they had considered whether they might need the flexibility in their Finance operations to scale up or down quickly; how to access key management information they need if normal activities were disrupted and how to access new types of expertise in support of managing their business in turbulent times. The key to this sense of being ready for anything is effective risk management – ensuring you are clear about the key risks to your business and ability to deliver your business plan.
Do you have a clear idea of their potential impact?
Not all risks are born equal. Not all will end up having the same impact on your business. And not all are equally likely. This taxonomy – big or small impact, high or low probability – is the most common way businesses assess risks. However, even apparently low-impact risks need to be closely watched as major incidents for a business can result from a series of minor issues, mistakes and missed chances to contain things. One situation we often see is where a business does not have strong finance processes and controls and the loss of a key member of the Finance Function, taking with them all kinds of informal wisdom about how things are done, none of which has ever been written down, can have a huge impact.
How are these risks being managed and who is leading this process?
Having identified the risks facing your business, you need to know who is in charge of managing them. The most important task to start with is allocating enough time and resource to identify the risks you face across the full operational remit of your business. No two businesses are exactly alike and there is no comprehensive checklist to follow. Instead this requires whoever leads the risk process to be familiar with all parts of the business, to be able to rely on a good incident reporting culture across the business and be used to asking difficult questions – which is why it is often a good idea to hand responsibility for this to the CFO – provided they have the time to focus on this.
How often do you review these risks?
There is no such thing as a static risk register. It has to be a constant process of measuring and monitoring across the business. Previously, these updates may have depended on the rhythm of your sector and general business environment and other reporting within the business. But when faced with increased disruption and volatility you may find the need to assess risks and their potential impact more frequently. Whatever interval is chosen, this needs to include a proper assessment and not a box-ticking exercise or a cursory glance.
Does the person responsible have access to the right skills within your business?
The pandemic has also raised questions about the range of inputs needed to make sense of the risks facing any mid-market business. Right now, along with obvious expertise in areas of finance, economics, politics and technology, whoever is putting a thorough risk report together needs to be aware of previously unconsidered areas, such the wider public health implications of any decisions, not to mention identifying the risks to manage when planning for re-opening for business after a global pandemic. And it may be necessary to consider looking beyond the skills available within your business and to seek the support of external consultants or experts to provide support in these specialist areas.
Understand how EY Absolute can help you improve both your finance operations and your bottom line: ey.com/eya