Improving Your San Diego Company’s Financial Risk Management Strategy

An outsourced or part-time CFO, when hired by a San Diego venture-backed company, startup or private company has an unlimited amount of responsibilities.  This CFO has responsibility for:

  • Optimizing the company’s cash flow
  • Monitoring and communicating financial performance
  • Protecting organizational assets
  • Enabling growth
  • Formulating a strategic risk management plan to deal with risks such as:
      • Economic downturns
      • Disruptive technologies
      • Increased foreign competition
      • Decreasing commodity prices
      • Tax risk
      • Disasters (natural disasters or manmade disasters such as fires)      

Reputable, reliable, efficient and fractional CFO or management consultants need to be an asset to a company’s overall executive management team, while advising on all strategic operational discussions and large scale decisions.

Most major companies have risk management processes in place to identify, clarify and respond to ongoing and expected business risks.  However, many CFOs are discovering that some of these processes are outdated considering today’s volatile and uncertain global business environment which faces enterprises.
Today’s leaders are not only tasked with establishing sustainable infrastructures to manage the ever-changing regulatory and business environment, but they are also challenged to drive performance and results year over year.

Types of Risks that Organizations Face

  1. Preventable Risks- are internal risks, arising from within the organization, that are controllable and ought to be eliminated or avoided.  Examples are risks arising from employee and manager unauthorized, illegal, unethical or inappropriate actions.  This category would also include risks from breakdowns in routine operational processes.  Think about a rogue trader or an employee who is trying to bribe a local official. Monitoring operational processes is where a company should start when attempting to identifying and managing preventable risks.
  2. Strategy Risks – are risks that an organization voluntarily accepts, in order to generate highly lucrative returns from its strategy.  A bank assumes credit risk, for example, when it lends money; many companies take on risks through their research and development activities.  Since these bets are taken on purpose, how they are managed is a key driver in capturing potential gains. Some companies, will push the envelope of technological innovation, and face high intrinsic risk,  as they pursue long, complex and expensive product development project bets.  
  3. External Risks – can arise from events outside the company and are beyond the company’s influence or control.  Source’s of these risks include natural and political disasters and major macroeconomic shifts.  External risks require yet another approach;  because companies cannot prevent such events from occurring, their management must focus on identification and mitigation of their impact.
  4. Competitor Risks – include the emergence of disruptive technologies (such as the internet, smartphones and bar codes) and radical strategic moves by industry players (such as the entry of Amazon into book retailing or Apple’s entrance into the mobile phone and consumer electronics industries.)   


Conventional Risk Management Planning     

Companies, just like individuals, have to accept that risk taking is part of life.  The first line of defense against undesired or excessive risks is found in the decisions and actions of the company’s management. One of the problems is that risk management in  operational, financial, accounting  and strategic functions is all too often treated as a compliance issue that can solved by drawing up a bunch of rules and making sure that every employee follows them.  And, yes, it’s important to have these risk policies in place, so decisions are not made arbitrarily.  Especially when it comes to dealing with strategy risks and external risks, simply managing through a compliance rules-based control model will not be effective.

Companies require risk management systems designed to handle the high likelihood that the assumed risks will materialize. Your company needs to improve its ability to manage or contain the risk events should it incurs.

Below, you can reference Exhibit 1, which depicts a risk register system that often analyzes hundreds of items at the same time.  This system can identify and produce a comprehensive list of metrics for a business, which includes an assessment of severity, probability, ideally mitigating actions and employee responsibilities.   


This Approach has its Deficiencies When the Depiction Ends as it Does Above

Firstly, risks that are usually considered tend to be biased towards current operations and fail to include new potential risks affecting plans for future growth areas.  As an example, what will it take to win and deliver a gigantic project that currently only exists as plans on paper?  Similarly, what would it take to meet an ideal revenue or profitability target in a new market or uncertain economy?  This risk assessment bias is much more severe for long term plans than it is for current financial strategy.   

Secondly, this type of approach can miss important external factors of which people “inside the company or machine” may view as beyond their control.  Another example, could be a new regulatory change or an alteration in a key supplier’s performance.  In cases like this, it is of no consequence whether changes or warranted because, either way, these changes may be the most crucial risks that a for which a company will need to hedge against and prepare.

Thirdly, this whole process can feel like an utterly boring review of what everyone thinks they already know…but, trust us, it needs to be done.  

Fourthly, we come across the most profound risk management aspect.  This process kicks into gear too late sometimes; thus it is not considered a strategic or preventative risk.  Risks may come up for discussion only when plans have been approved and decisions have been made — it’s all about risk mitigation, which has very little to do with risk choices and trade-offs.   

The Role of the Outsourced CFO

In addition to managing financial and operational risks, such as liquidity and counterparty credit, outsourced CFOs can further expand the value of a company by acting as stewards of the company’s financial health, and using three solid steps in strategic risk management.  Below we will show examples of each step, using capital-intensive companies, which are usually at the forefront of adapting to risk because they face decisions which involve large commitments of capital and associated high reward bets.  These best practices can be applied equally to companies in many other industries.     

The Tighter Link Between Business Planning Processes and Risk Management    

The connection between having a proper risk management strategy incorporated into the business planning process is subpar at many companies.  Risk analysts all too often focus on the issues of today rather than attempting to predict predicting future issues.  Quantification is usually done at a high level for the purpose of prioritization, but what normally avoided is how business-performance metrics would be affected.  On the flip side of that coin, CFOs and business planners conduct regular ad hoc analysis of the upside of a risk venture or project.  Unfortunately, interim CFOs too often focus on a single scenario.  So, if the venture does not have a complete set of risk factors, then the potential upside vs. risk, will be based on assumptions.  A CFO can improve their business planning— and bring on strategic risk management improvement— by taking the following actions:    

  • Figure out how and where the risk will affect the business planAs an example, an executive management report chart below shows a basic materials company and its use of specific color key codes to highlight important metrics based on levels of potential risk exposure its business faced.  This material greatly helped the board and management team to focus on specific challenges and actions that were required to meet certain performance goals.  If the company’s management team was not privy to the aforementioned metrics, the team would have only viewed a typical likelihood risk heat map, which encourages risk-centric thinking instead of business-centric view about risks.   




  • Build in systematic stress testing as part of financial planninganother example (also demonstrated below), shows how a real estate firm, tests and forecasts how key financial metrics (such as interest coverage ratios) will perform in macroeconomic scenarios.  Key assumptions were bulit in at the market level. Using this approach can give the C-suite greater confidence that a business plan has been tested under a robust range of macroeconomic scenarios and their possible impacts to the business    


  • Apply probabilistic “financials at risk” modeling for major investment decisionsit is recommended to move past a single scenario focus, and use risk modeling instead, in order to gain insight into the probability of business success.  Companies that face many correlated and volatile risks are incorporating these types of modeling to evaluate the aggregate impact versus the potential upside return.  Another example shows how an airline was testing “what would happen macroeconomic situations” (such as changes in commodity prices, foreign exchange rates, demand and price sensitivity) and how these changes could force the airline to deviate from its baseline plan.  Also of special concern is the probability of not meeting cash requirements.  In the below graph, error bars show the 5th and 95th percentile confidence interval under reasonable assumptions about how these factors would behave together and affect the business available cash flow.  So, when testing extreme case macroeconomic scenarios, it is essential to exercise the company’s ability to manage specific risks.    


Focus a Corporate Level Risk Discussion Based on Which Risk Choices will Deliver Economic Profit for the Company

As a part time or permanent CFO, one of your principal responsibilities will include managing the company’s capital structure.  This includes acting as the custodian of the business’ ultimate capital risk: equity.  We know that risk taking is necessary for growth.  We know that it really comes down to which party offers the higher risk, higher reward payoff or higher “bang for the buck.”  The CFO can consult with management and offer advice on risk preferences, while given possible business implications. In the airline example, the industry standard of fuel hedging could be viewed as a purchasing issue. How does an airline lock in the most advantageous cost positions or protect itself from the most unfavorable one?  The complexities of industry over capacity, fuel cost volatility and even mergers has shifted the fuel strategy up to a higher fundamental corporate finance question.  What level of currency risk or unhedged fuel is tolerable given a company that has low operating margins and high cash needs?  What level of hedging is acceptable given the mark to market and collateral requirements for doing hedge positions? And how do you balance this with a potential windfall opportunity to capture profits or steal market share if one is hedged more effectively than competitors when fuel prices go up or down?   

Risk Analytics Can Help to Better Inform Strategic and Investment Decisions

CFO consultants already play a crucial role in the strategic and financial aspects of investments and evaluating other major business decisions.  They have influence over rival proposals and solutions, and making decisions on what gets presented to top management for debate.  We have seen all too often, companies having a significant projects with values at stake comparable to the total risk of the current company’s operations, which are discussed and decided on using a one page qualitative list of major risks involved.  Proactive CFOs can define a core set of financials and risk analytics to each option and ensure to make that the value at stake is discussed and brought to light.   

Another example would be for you to imagine you were a CFO of an oil company and you collaborated with portfolio managers to run “what if” scenario stress tests for a few aspirational future strategic portfolio projects.  These projects could include a proposed new investment in unconventional production assets vs growing a trading business, before the future growth strategy was finalized. A CFO might find, in running this process, that the proposed strategic direction initiatives could have implications that would put the company’s credit rating at risk.    

Some companies will optimize to get the right balance of lower-risk downstream vs upstream growth, so it can match it’s chosen risk appetite by modeling the implied cash flow at risk of multiple combinations.  An energy company CFO was contemplating a major generation capacity project build, which he tested and identified the right combinations of energy price hedging and project financing to find a way to build worthwhile solution on a standalone basis and for the company as a whole.  

Risk Related to Business Objectives: a Case Study       

it-california-riskA California IT company had identified that “growing client relationships” was a key revenue objective and it selected metrics to measure progress, such as the number of global clients with annual billings in excess of $20 million and the annual percentage increases in revenues from large clients.  By combining and analyzing the goal and the performance metrics, the management realized that its strategy had now introduced a new risk factor: client default.  So, when their IT consulting business had been based on billing many smaller clients, they discovered that a single client default would not jeopardize the company’s revenue strategy.  But, a default by a $20 million client would present a major cash flow set back. The company then started monitoring the credit default swap rate of every large client to use as a leading indicator of the likelihood of possible default. When a client’s rate increased, they would accelerate collection of receivables or request progress payments to reduce the likelihood or impact of default.     


I hope this article sheds some light on the steps to strengthen the typical deficiencies in strategic risk management planning that many companies are facing.  By focusing on the business plan instead of the current operations, a team is forced to keep a more forward looking view. A systematic assessment and analytical approach, which incorporates stress tests, can highlight the impact of important external factors.  By keeping the focus on investment and strategic decisions with an explicit aim of the process, along with deep linkage to the business plan and discussions of risk appetite, the overall relevance and engagement in the process with the executive team excels.

As growing San Diego startup companies are learning to navigate in today’s uncertain global environment, on demand CFOs play a much larger role advising strategic risk management, in the C-suite and across the whole company.  This type of role is particularly value added, especially in nonbanking companies who usually have a limited formal risk function or department.  Risk management is non-intuitive; it runs counter to many individual and organizational biases.  Rules and compliance can mitigate some critical risks but not all of them.  If you look back at the 2007 financial crisis, what were the factors that made some institutions fail while others survived?  The ones that failed had integrated risk management into compliance function, while routinely ignoring risk manager warnings about exposure to risky highly leveraged and concentrated positions.  

Final Food for Thought

Seizing new potential business opportunities is often heavily dependent on the CFO’s ability to identify, assess and manage risks. – Thomas Huckabee, CPA  

Recent Posts