Risk Resilience for Treasurers and CFOs

Businesses around the world have experienced a wide array of shock events in the past few years—from escalating cyberattacks to the pandemic’s human and economic turmoil, to supply-chain problems ranging from the predictable to a key global trade route being blocked by a megaship. Together, these events serve to highlight the importance of a risk management battle cry: Resilience matters.

Organizational resilience consists of several characteristics. A resilient company responds to, and recovers quickly from, events while minimizing losses. It anticipates upcoming threats and forecasts their prospective impacts. And a resilient company integrates risk planning into strategic decision-making throughout the organization.

Building resilience requires companywide commitment and coordination. Too many organizations relegate the treasurer, or even the CFO, to the sidelines of these processes. That is a mistake. Treasury and finance teams can and should play a strong, vital role in building corporate resilience by helping other functions incorporate risk management considerations in their day-to-day operations, as well as short- and long-term planning.

 

A New Role for Risk in Treasury Planning and Forecasting

Most treasury and finance teams already spend a significant amount of time understanding and preparing to mitigate risks that have a clear financial component. Managing currency, interest rate, commodity, and credit risks is a core competency for the typical treasury team. But the resilient future belongs to organizations whose treasury and finance groups incorporate other risks—those outside the traditional realm of finance—into their risk forecasts.

A starting point is to begin regularly measuring nontraditional operating risks in a way that shows their impact on balance sheets and the profit-and-loss statement (P&L). Treasury groups are continuously planning the organizational response to prospective shocks to cash flows, volatility in currencies to which the company has exposure, increases in debt costs due to rising interest rates, etc. We recommend turning a similar eye to any operational event that might create volatility in the balance sheet or P&L, in either the near term or the long term.

One example of the type of risks I’m talking about is cyber risk. How many treasury or finance managers can answer questions around the amount of financial risk their company would face if a potential ransomware or other cyberattack were to succeed? Most cannot—but if they don’t have that answer, how can they quantify the level of cyber risk their organization can afford? And without that information, is it possible to establish an appropriate reserve for cybersecurity risk?

Treasury and finance teams are already producing quarterly forecasts focused on issues from debt to receivables. They build a model to project the effects of various prospective changes. But most do not also produce such a forecast for the financial implications of different types of operational risk. They don’t ask: What if we suffer a bad cyberattack, or a supplier does? What if a natural disaster strikes? What if both occur within a few weeks or months? They don’t analyze the interplay of shock events on the balance sheet.

 

Adding Risk Forecasting to Financial Analyses

At Marsh, we think companies’ resilience improves when they start thinking about risk decisions through a finance lens. Consider what it would look like if quarterly, annual, and longer-term financial modeling and forecasting processes incorporated the financial impacts of operational risks. How might that perspective change an organization’s assumptions around growth strategy?

The goal of such forecasting would be to optimize risk capital. Throughout the pandemic, we have seen types of risk events that traditional risk management techniques were insufficient to prepare for. At the same time, other unrelated catastrophes—like cyberattacks or natural disasters—occurred in the same period of time. Effectively including risk forecasting within routine financial modeling and planning would require finance and risk teams to consider the possibility that multiple risk events might happen simultaneously.

Such visibility into the financial ramifications of operational risks would help companies make better decisions around prioritization of investment in risk capital. Think how much better of a position companies would be in today had they been asking 24 months ago what impact a severe supply-chain disruption could have.

It’s time for treasury and finance managers to have a seat at the table, to use their expertise to help their companies think about risk in ways that go beyond measuring whether the firm is hitting targets, where to invest, and what level of capital expenditure to target. Seeing risk through a financial lens gives corporate decision-makers a single-pane-of-glass view, containing all the information they need to make informed decisions.

 

Building a Resilience Viewpoint

What does it look like for a treasurer or CFO to be more aligned with a resilience viewpoint? The underlying formula for forecasting is straightforward: Take an issue, build a scenario around it, then run a scenario-based stress test. This enables the treasury or finance team to think about how possible risks may manifest, which they can then translate and communicate to senior management in an understandable way.

In building processes to provide a more robust resilience viewpoint, treasury and finance functions should take into consideration:

1. Risk tolerance. Most companies struggle to define their risk appetite and tolerances for specific types of events. Treasury and finance groups are often adept at discussing issues from a credit risk, merger and acquisition (M&A), or other financial perspective, but they aren’t prepared to carry that thinking into operational risk. For example, looking again at cyber, most companies don’t have a cyber risk appetite/tolerance statement. By adopting a risk resilience approach that includes an integral financial element, companies will have to define their tolerances and appetites, leading to better decision-making.

2. Exposures. A second area that will come into better focus for treasury teams that take a risk resilience approach is an understanding of the company’s exposure base. The risk resilience lens means thinking through the range of exposures facing the firm and assessing the various controls the organization has for spending down the risk, such as adding cybersecurity tools or systems, enhancing risk engineering for physical risks, or diversifying the supplier base to absorb supply-chain shocks from geopolitical risks. Understanding the company’s risk-mitigation options enables staff to determine the residual risk in these areas.

So, after risk managers understand the company’s risk tolerance, they need to work to understand its exposure base. For example, an organization that is resilient against cyber risk has likely fully mapped its technology exposures, including first- and third-party risks; technology-provider–contingent risks; and emerging risks associated with the deployment of new technology, such as artificial intelligence (AI). That same organization has likely also assessed the available risk controls—such as enhanced cybersecurity measures and robust employee training programs—and then re-evaluated its exposures to account for implementation of those controls. Finally, the organization might have layered in an insurance analysis to understand what risk it can transfer. The remaining risk quantum is the residual risk, which the organization can map against its balance sheet and risk tolerances.

3. Prioritization. The third area that treasury and finance professionals should consider involves the prioritization of spending. Once the company understands its risk tolerance and exposure base, the CFO or treasurer can determine what to spend and how to spend on protecting the organization, selecting hedges needed to protect against those various risk exposures.

 

Finance as Resilience Integrator

Taking this perspective helps overcome the view of risk spending as a cost center. It shifts the thinking to one built on return on investment (ROI): How is the company’s risk capital working?

For many years, risk managers wanted to be given a “seat at the table” in companies’ strategic decision-making. They have made a tremendous amount of progress to this end in the past decade. So now, given the central role that CFOs and treasurers play in organizational financial risk management, why aren’t they at the risk resilience table to help drive progress?

A treasury or finance lens on risk resilience enables the board of directors to make better-informed decisions. We know that firms which are more resilient have better total shareholder returns during quarters of crisis than firms that lack resilience.

The past two years highlight how fragile organizations actually are. Looking ahead, businesses should look at risk more holistically and evaluate impacts across their value chains. Visibility into, and accountability for, resilience must cut across organizational functions. The finance function has a leading role to play.

---

See also:

• Resilience in the Face of Geopolitical Threats
• Real-Time, Dynamic Scenario Planning
• Managing Geopolitical Risk
• Emerging Risks: Get Ahead of the Unexpected

---

Reid Sawyer is head of the Emerging Risk Group and is U.S. Cyber Consulting leader at Marsh, the world’s leading insurance broker and risk advisor. He is based in Chicago.