“Risk is at the core of every critical decision we make,” said Kayla Davis, CFO, C&W Services, at an AFP Member Meet-Up on modern risk management.

During the meet-up, the community discussed behavioral biases and cultural considerations in risk management, how CFOs are constantly balancing risk versus reward, and how the treasury and FP&A functions each play critical roles in managing risk.

Risk can come from action ... or inaction

As we encounter new information or challenges, we are faced with a decision. Either we take action, or we do nothing. Each decision carries unknown consequences, either positive or negative. And our inclination is typically toward inaction. “That's how we're wired,” said Davis, however, “Sometimes the biggest risk is taking no action at all. In today’s fast-paced environment, leaders must recognize when the fear of change outweighs the potential benefits of action.”

Even though it sometimes makes sense to maintain the status quo, more often than not, it’s simply our default reaction. This is due to inherent biases, such as status quo bias, from which we are inclined to maintain the current state and resist change.

The Wharton School suggests three strategies to overcome status quo bias:

1. Learn to recognize it in yourself and others. How do you react when a change is suggested? Do you hesitate? Exploring the reasons for your concerns will help you decide if status quo bias is driving.
2. Weigh the advantages and disadvantages. This is where your pros and cons list comes in. We tend to default to the status quo because we don’t want to lose. Make a list of both the pros and the cons — and spend as much time thinking through the potential advantages as you do the disadvantages.
3. Frame the default option as a loss. What would you lose out on by not taking action? Let’s say you want to implement a new process, but it requires a significant investment in software. Flip it so that instead of looking at the upfront cost, you’re looking at the lost time and poorer quality of work that would result from maintaining the status quo.

Choosing inaction can be dangerous, especially in competitive environments. “If we don't take action, but our competitors do, then they’re taking advantage of whatever is driving the change,” said Davis. Our inactions can have negative and lasting implications for our business — we could lose the competitive advantage, creating greater risk for the business itself.

A culture of trust impacts risk

What role does trust play in fostering an effective risk management culture? Trust in processes is certainly important, but even more so, as emphasized by Bryan Lapidus, FPAC, Director of FP&A Practice at AFP, is the importance of psychological safety. When an organization has a culture where people feel safe speaking up — and admitting to messing up — then the impact of risk can be significantly reduced.

“You want your people to trust in you that they can talk about a problem before it arises instead of coming to you and saying, ‘By the way, I was afraid of saying this because we'd miss our numbers, but we lost our key supplier. We can't deliver product to market and sales are going to be down 10%,’” said Lapidus. “You want to get ahead of that, and trust is a key part of it.”

Another important piece of the trust environment is the postmortem. “When you encounter a hiccup, meaning something occurs that was unanticipated or from which you experience an adverse business result, make sure that you postmortem the hiccup,” said Robert Kane, Vice President and Corporate Treasurer for Neptune Retail Solutions.

After you complete a project or come through on the other side of a significant event (e.g., liquidity squeeze), it is important to hold a review or meeting with all key process stakeholders to analyze what went well and, on the flip side, what may not have gone well, with an eye toward identifying areas for improvement. An iterative feedback loop process will ensure that you learn from past experiences so you can apply those learnings to future projects.

Relative to the trust aspect of the question, the primary focus should be understanding the root causes rather than assigning blame. “We simply need to understand what has happened and what, if anything, we can do to prevent any missteps from occurring again,” said Kane.

“You want to fix the problem, not fix the blame,” added Lapidus.

Keeping an eye on external risk factors

Beyond understanding the internal drivers of your business, external factors need to be considered as well, such as geopolitical events (e.g., elections), International conflicts (e.g. wars, the implementation or relaxation of tariffs) or the effect of changes to regulatory controls that can cause tremendous shifts in the economy.

Kane specifically highlighted the looming credit maturity wall that is fast approaching. “Over the next 36 months, some $30 trillion in corporate debt will have to roll over, be replaced or paid down,” he said. “The potential counter-party risk that may arise from that may, by necessity, dramatically shift your view of supply chain requirements or your perspective of the health of your customer base. You literally may have suppliers, customers and/or competitors that suddenly become ‘risky’ simply because they can't roll over or pay down their debt. Given that, you need to be ready to act on a dime.”

Kane also brought up the example of the Silicon Valley Bank collapse, “which almost toppled the regional bank tier coming out of the first quarter of 2023,” as well as potential changes to the U.S. regulatory environment.

Resiliency and agility from the inside

While there is always a need for maintaining liquidity and managing long-term solvency, the meet-up discussion underscored the importance of organizational resiliency. Why? Because when an organization is resilient, it doesn’t simply maintain or even rebound from major challenges or disruptions — it moves forward.

“Resiliency is like building a muscle — the more you train your organization to adapt and respond to change, the stronger it becomes at navigating the unexpected,” said Davis. Resilient organizations are better equipped to quickly assess, pivot, reorient and make moves that keep their businesses going in a forward direction. “There's so much happening outside of the internal operation,” Davis added. “Sometimes there's not much we can do about external factors, but within whatever we can control, there's a lot of opportunity for us to build. Once you build that [resiliency] muscle, you become a lot better at navigating changes as they happen.”

Risk management is a collaborative exercise

Regardless of an organization’s leadership structure, i.e., whether there is a chief risk officer or that duty resides with the CFO, the fact is that in order to ensure the best outcomes for your organization, risk management should always be a shared responsibility.

“One person alone cannot possibly foresee all the risks that the organization could have,” said Davis. “Effective risk management requires collaboration across all functions. CFOs play a guiding role, but the real power lies in harnessing insights from treasury, FP&A and operational teams to see the full picture and act decisively.” By working together, organizations can bridge potential gaps in risk perception and ensure that no critical areas are overlooked. 

Kane agreed. “The danger of it [risk management] residing solely with the CFO is that it tends to limit the accountability reach across operations, sales and other departments,” he said. “Thinking of the role that treasury and FP&A can play in managing risk, I think that they are complementary. Treasury folks, by nature, are slam-dunk experts on the balance sheet, and FP&A knows the P&L inside and out. Put them both out there working on risk management, and I believe they will kind of meet where we need them to in that middle ground of the cash flow statement world.”

Related risk management reading

• Risk Management Requires Close Collaboration Between Treasury and FP&A
• 7 Steps to an Effective Risk Management Process
• Enterprise Risk Management