Risk Management in Two Steps: What Every CFO Needs to Know

"All Business is Risky Business"

In 1983 Tom Cruise starred in the hit movie “Risky Business.” The reality is that all business is risky business. This is even more true today than it was almost 30 years ago.

I once had a conversation with a senior manager for a specialty department store chain. I asked him what his number one priority would be for the last half of the year. He said, “minimize costs.” To that, my response was to lock the doors and walk away. That would only leave him with fixed costs. He responded that it was a stupid idea, and I told him he had a somewhat foolish goal. Well, as with costs, the only way to minimize risks is to lock the doors, or better yet, not go into business in the first place. Risks are pervasive in everything we do and don’t do. They follow us around at all times in our organizational roles and in our personal lives.

In this short piece, I will lay out what every CFO and senior leader should consider when analyzing risks. This all begins with making risk management not just a title on an organization chart, but a strategic focus.



1. Risks you know about, think are addressed, and actually are.

These issues would include the common hazard risks such as the property risks of buildings, machinery, and vehicles. The key here is to have insurance policies and risk mitigation procedures in place, consistent with the assets’ value and covered with policies that do not include damaging exclusions.

2. Risks that you know about, think are covered, but are not.

The pandemic exposed risks where businesses were shut down, and due to a lack of physical property damage, business shutdowns and interruption were not covered. I am also aware of a situation where a condo remodeling firm had a liability policy that explicitly included condo remodeling. This situation is unfortunate but not rare. With the rising costs of building materials, many organizations and individuals find that their insured values have not kept pace with replacement costs and the time required to restore operations.

3. The risks you don't even know exist.

This is the most dangerous category of the three. Many firms have believed that because their information is in the cloud, they do not have any cyber risk. This is simply not true: their data can still be exposed through connections with vendors or customers. The ransom demands, the disruption, and the cost of restoring operations have all jumped through the roof.


1. Transfer the risk.

Shifting the risk from one person or entity to another is the option most people think of. As mentioned above, you can simply buy a property insurance policy from a highly rated carrier that adequately covers the assets involved. Another form of risk transfer is via contracts. For example, changing a sales contract from FOB destination to FOB shipping point moves the risk of the goods in transit from the seller to the buyer. Salespeople looking to close a deal will often change the risk aspects of a contract without understanding the consequences of the risk costs involved.

2. Mitigate the risk.

With the costs of many insurance policies rapidly increasing over the last several years, many CFOs have been forced to look at reducing the frequency of risk events. For example, doing background checks on employees, particularly drivers, can reduce the number of claims. Using multifactor authentication reduces the likelihood of a data breach, and with it the size of the premium increase on one’s cyber policy; increasingly, it is mandatory just to secure coverage at all. This step, along with employee training, has become essential in managing this risk. Another mitigation example would be to improve the sprinkler system and water detection sensors in a building to limit the damage from an event.

3. Assume the Risk.

Unknown risks in the first section automatically result in unintentional risk assumption. One can also intentionally assume risks via higher deductibles or lower limits. When a firm’s risk performance is exceptional, it may decide not to, as we say, “trade dollars with an insurance company” and instead assume the risk. Another assumption tactic is to reallocate the insurance investment by moving dollars from one area, such as property, to more vulnerable areas where mitigation is less possible and the balance sheet impacts are more severe. Assumption can also be done by joining a captive, which in many instances can have highly favorable cost impacts over the long haul.


It’s a given that risks are more prevalent and costly than ever before. The new risk management culture must start at the very top of the organization, with the CFO making it a primary focus. While financial risks have long been housed here, today the buck must stop here for operational risks as well. It is frequently said that every member of an organization must be alert to risks. Should you fly out of an airport, you will hear the following every time: “Report any unattended packages or luggage immediately. If you see something, say something.” Managing risks is no longer something to be delegated on an organization chart; it is a senior leadership must and part of everyone’s job.

