Voice of the CFO: A holistic approach to optimizing risk management is the top focus of finance leaders, with three areas of emphasis.
CEOs say disruption from technologies like artificial intelligence (AI) and generative AI is the top risk for their companies.
Three-quarters of compliance leaders expect regulatory challenges to increase. [1]
And 9 in 10 chief risk officers want more budget to beef up their essential defenses. [2]
What do they all have in common? A direct line to the CFO as they work to translate a cascade of potential threats into actual funding for risk mitigation efforts that are clearly prioritized and deliver quantifiable results.
Indeed, as the KPMG surveys noted above demonstrate, managing risk has become an enterprise-wide responsibility, involving the board, the C-suite, and functional teams across the organization. Not surprisingly, then, enterprise risk management (ERM) has rapidly climbed to the top of the CFO’s many job duties. A heavy focus on ERM was a dominant theme in our recent conversation with finance leaders as part of our ongoing Voice of the CFO series.
And with good reason: The CFO alone is uniquely positioned within the organization to connect high-level risk oversight from the board and executive team with the on-the-ground operational concerns of functional risk owners across the company.
Here are three key takeaways on risk management from our most recent discussions with CFOs.
Identifying and prioritizing risks is a continuous, crucial process for companies. With potential threats multiplying, CFOs are being asked to fund an expanding wish list of mitigation efforts—from an expanding roster of business teams.
To help prioritize, many CFOs narrow their focus to a top 10 list, assigning risk owners and creating escalation paths for the most critical ones. Because risks are often multifaceted and have implications across the enterprise, ERM’s broader, holistic view enables the CFO to tightly manage risk-traffic control and adjust funding when needed.
The CFOs in our conversations agree on two other key points around prioritizing risk: Don’t overwhelm the board—focus on three to five top risks and ensure all top risks have owners and mitigation plans.
Real-world stories:
CFOs with highly regulated businesses must do double duty: compliance and risk management. A CFO for an insurance company devised a way to bridge that gap while accomplishing value creation. “We have a dual model—check-the-box for regulators, and then we have our ERM program that drives value for the company.”
Managing enterprise risk requires a mix of tools and strategies, including metrics, heat maps, bowtie analyses, tabletop exercises, and scenario planning. These are supported by governance, risk management, and compliance platforms.
In almost all cases, CFOs oversee the funding of these tools and resources, whether directly or by employing a chief risk officer—a role that tends to be more common in highly regulated industries. Regardless of the structure, CFOs armed with risk staff and tools are well-equipped to communicate about ongoing ERM health with the board and senior leadership.
The biggest challenge? Third-party risk exposure. The CFOs in our discussions were keenly aware that the increasing reliance on as-a-solution technology services and other external partners creates significant new risk considerations.
Real-world stories:
A CFO overhauled their company’s vendor management program. Instead of staffing a large team to manage vendors, they put the onus on vendors to meet the company’s standard for doing business as part of the engagement terms with the partner.
Climate reporting is a continuing concern for CFOs, especially with the Securities and Exchange Commission’s Climate Rule on pause. The big question is whether companies should start preparing now, or wait for more clarity on how the rule and its related reporting deadlines will evolve.
Our KPMG specialists advise keeping some key dates in mind: If the rule is reinstated, then the effective date might be pushed to January 2026, with first reports due in early 2027.
But CFOs dealing with global operations are already facing climate reporting demands. For businesses in the European Union, compliance with the Corporate Sustainability Reporting Directive (CSRD) may start by January 1, 2025. California’s emissions disclosure rules also take effect at the start of 2025, adding pressure for many organizations.
Real-world stories:
A CFO offered this view of climate reporting. “We’re just trying to create a process, make it as simple as possible, and try not to get sucked into details, because we’re not sure we’ll ever be able to deliver high quality doing it this way.”