Risk Mitigation for CFO’s

In my earlier post, I noted that converting uncertainty to known-unknowns requires thinking hard about the potential things that can go wrong and having a good risk identification search process.  I broke risk down into true risks, which are insurable at some level (known frequency and severity) and uncertainty, which could be hard uncertainty (can’t be known at a reasonable cost) and soft uncertainty (can be known relatively cost effectively).

Many firms do a poor job of searching for problems.  I have found several styles of management teams that struggle dealing with risk.

  • Insular management teams are prone to very large areas of soft uncertainty. Home grown executives are often dealing with problems for the first time.  Unaware of problems at other firms they repeat mistakes long solved elsewhere.  A diverse management team of backgrounds, industry and experience is just a better management team.
  • Management teams that are dominated by a single executive also tend to underestimate risks. Although I’ve worked with some great CEO’s, no one executive can reasonably see or know all the questions.  If the CEO calls all the shots, over time, management teams will let the CEO handle all the thinking too.
  • Firms with long term winning track records can begin to ignore risks as success begets complacency in the company culture. Company culture can be a great strength, but when the culture becomes too dominant, it blinds management to problems.  Andy Grove suggested that only the paranoid survive, which is good advice.  However, when you win a lot, it is tough to remain paranoid.
  • An executive team that is highly incentivized by the stock price (usually with options) tends to stay focused only on the positive news, and to only invest in strategies that appear to have a direct correlation with option value (usually growth initiatives). Stock options skew management priorities because the risk is one-sided.  If the stock price fails to increase or the company goes bankrupt the options are worthless.  So for the option holder, ignoring the risk of a blow-up makes sense: they only get paid if the stock goes up.  In these firms, it can be hard to get management to focus on the known issues, much less invest in searching for unknown potential problems.

CFO’s have to assess risk.  To do this, we must examine the business, the environment and the management team.

Managing Risks

When I try to manage risks, I start with a good scan of what could go wrong.  Some of these we insure, some of these we cannot.  Frank Knight broke risk into two categories, uncertainty and real risk.  Real risk is calculable, it has a frequency and a severity.  Uncertainty has neither.

Donald Rumsfeld’s comments on knowledge can be related to risks. Rumsfeld stated that there are known knowns or things we know we know.  These risks have a known frequency and severity and are generally insurable and controllable.

There are known unknowns, which are questions that we have but for which we don’t have an answer.  These are complicated risks that can’t fully be insured because the frequency is low, or the severity is incalculable.  These risks can still be managed.

Finally, there are unknown-unknowns, where we are not aware of the questions or the answers.  Risks that are unknown can’t be managed or insured. This category is the same as Knightian uncertainty.

The risks that make business crack up are generally unknown-unknowns and are often a surprise to management and investors.  Risk management for the CFO becomes a process of handling the various real risks and trying to better understand Knightian uncertainty.

Bad and unusual events that we were not aware of are sometimes referred to as black swan events.  Nassim Taleb defined black swan events as a surprise with a major impact. The thing about black swan events is that it may be a surprise to you, but it doesn’t mean that the event wasn’t known by others.  That is true also for Knightian uncertainty.  A larger knowledge base decreases uncertainty and unknown unknowns can be reduced by learning.

I therefore break uncertainty into two slices, hard and soft.  Soft uncertainty covers issues that could be learned with a reasonable investment in diligence and research. Hard uncertainty can’t be.  The trick is to convert soft uncertainty into complicated risks, where management, insurance and reporting processes can be brought to limit losses.  Hard uncertainty remains retained risk.

   “Risk comes from not knowing what you’re doing.” – Warren Buffett

Converting uncertainty into something that can be managed requires an open mind and a sense of paranoia.  CFO’s who think risk management is an annual lunch with the broker are going to find themselves surprised by events.

Some thoughts on Risk Management

CFO’s are usually tasked with risk management. Often that means being in charge of the insurance renewal negotiations.   Basically this consists of an annual conversation with your broker on new policies that have been developed to help eliminate some new exposure which you weren’t aware of, and by the way, at a price that you can’t afford.   Generally, the broker buys lunch, which is the best part of the transaction.

CFO’s that define risk management as simply buying insurance make a mistake. Corporate risk management has to include problems that can severely damage or destroy a business but are basically un-insurable. The types of problems we’ve seen with credit cards and hacking are a CEO’s nightmare. A single instance can cause irreparable damage to sales and the value of the business. How does a modern risk manager or CFO deal with these types of “all-in” risks?

Risk is usually defined as a function of frequency and severity. Frank Knight, back in the 1920s, argued that there are two realms of risks. Simple risks, which have a known frequency and severity, and uncertainty which is not and cannot be known. Pretty much if an insurance company writes a policy, you know they’ve got a frequency distribution and a good handle on severity.   After all, insurance companies aren’t stupid. The big risks, however, remain in the uncertainty realm and those risks remain uninsured and uninsurable. Knight also noted that entrepreneurs generate profit by dealing with uncertainty and not risk.

Since we can’t know the future, businesses have to learn to deal with both types of Knightian risk. Dealing with known frequency and severity risks can be difficult, but the biggest challenges are in uncertainty or unknown distribution risks. Donald Rumsfeld said: “The message is that there are no “knowns.” There are things we know that we know. There are known unknowns. That is to say there are things that we now know we don’t know. But there are also unknown unknowns. There are things we do not know we don’t know.”

Paraphrasing this into risk speak, we have insurance that covers the simple risks we know. Complicated risks that we are aware of but aren’t well known can only be partially covered by insurance. In these cases we manage the risks, putting in control processes, training and contingency plans to limit the occurrences and severity. Unknown risks by definition are retained and aren’t managed. Without a reporting process, problems start, grow and can overwhelm a firm. This is true uncertainty.

What makes a risk truly an unknown-unknown? Does it imply that no one anywhere knows the risk? It does not. It simply means that the current management team is unaware of the risk. Nassim Taleb has a great story about a turkey who during its life considers the farmer a benefactor. The week before Thanksgiving the turkey finds out the plan, and imagines it an unforeseen and unknowable event. It might have been for the turkey, but it is not for the farmer.

The risks that will hurt your business are generally the ones that you aren’t managing. Integrated risk management is about pulling together efforts that manage exposure, control what can be controlled and insure what can be insured. A good integrated risk management plan includes bringing the management team together to focus on the key risks, whether they involve credit cards, hacking, off-shore oil wells or workers compensation.

What a Good CFO does…

A good CFO helps the CEO run the company.  The CEO’s job is to set a vision, hire management, build a culture and make sure the firm has enough capital. A CFO partners with the CEO by buying into the vision and taking on responsibilities for managing capital and building the management team and culture.

CFO Magazine a couple of years ago tried to define the difference between a good CFO and a great one.  They basically concluded that great CFO’s understood the customers, used data and analysis to distill problems down to simple words that the team can use to run the business.  I like to think that having a CFO in the mix helps all parts of the management team get better, by bringing in new concepts and ways of thinking about problems.

The basic functions of a CFO revolve around reporting & compliance, treasury functions and strategic planning duties.  The main difference between an accounting manager or controller and a CFO is a matter of perspective and approach.  A CFO focuses on the longer term, and often on issues affecting people outside the business.

Reporting and compliance are often handled by a Controller who manages the monthly close, and maybe the annual audit.  The Controller’s focus is on this month and this quarter.  The CFO should be a decent accountant, but they add value by asking the right questions.  A CFO helps define the key indicators (both internally and externally) that need to be tracked, managed and communicated.  A good CFO thinks through the business model so that when it shows up on the financial statements, the data is not just right, but the accounting policy is sound.

Treasury functions (borrowing, investing) require thinking out a couple of years, and an investor/outsider perspective.   Figuring out cash needs, matching borrowing with investments, estimating the debt vs equity ratio are relatively simple calculations. The art is in the estimates.  Managing the relationships with the bankers, lawyers, investors and advisors requires understanding the needs of the firm as the outside advisors.  If you don’t trust your CFO to handle this responsibility, you don’t have a CFO.

The CFO is a leader on the executive team in implementing strategy and a planning process.  Converting from a simple annual budget to a strategic plan and multi-year budget requires someone to run the process.  Coordinating projects, assessing investments and developing workable plans is a balancing act frequented by “no’s”.  Good CFO’s build relationships across the organization to make those no’s understandable and the yes’s more likely to be successful.

A lot of planning includes thinking about the world outside the firm: customers, the environment and what is going on in the industry. Firms are often buffeted by economic storms that could be foreseen, for those who would look.  If the CFO is not facing outward, it is unlikely any other executive will be either.

CFO’s have to be thinking out a year or two and sometimes longer.  The quarterly earnings focus that the street demands is a false choice.  Great performances can’t be generated quarter after quarter (and year after year) if you are focused on closing transactions in the last two weeks of a quarter.

Capital allocation and investing in technology and capabilities requires thinking about how things will look in the future.  I’ve signed dozens (maybe hundreds) of leases with 20+ year life.  If you can’t think further ahead than next month you can’t make long term investments.

I am sure that there are great CFO’s and lousy CFO’s.  What separates them is the perspectives they bring and the actions they take.