On my previous deliveries I talked about what financial management is about and some of the internal threats we may face as a business; I briefly talk about fianncial management measures and methods which I'll revisit later on this series; The main purpose of this article is to explain and try to assess the external threats we may face and set up the starting point for a risk management article I'll deliver on a later data. External threats

As I mentioned on the second part of this series, the most common threats include among others: market trends, new technology development, socio-political realities, business stop due to acts of God, competitors behavior, changes on legislation, foreign trade barriers and fees, international or regional economic crisis; some of them may be anticipated and some of them are totally out of our control and we can visit several examples in history.

I remember back in the mid 2000's there was a major shortage on steel market due to the demand increase at China, therefore all of us who depend on steel to manufacture our products faced a big challenge due to the fact that there was not enough steel worldwide to satisfy market requierements, therefore we were forced to increase our delivery times and prices; which, naturally impacted our cash flows, inventory management and procurement processes; other example was in the mid 80's when the oil business had a boom; OPEC started to manage petroleum production in order to keep internatiional prices within their expected levels; nowadays as per instance the import duties over steel and aluminium the US impose to their business partners directly affected countries like Canada, China so they needed to adjust and look for different markets.

So external threats may come on different forms and shapes and we have to accept that business word is full of uncertainty, however we cannot and will not be subject to faith, therefore we have to implement measures to lower the risk involved on business; so I want to share the:

Risk Management decalogue

Business managers view risk management as helpful to the extent that it enables them to better manage the expectations of their key stakeholders. Accordingly, a thorough stakeholder analysis should always be the first step in any risk management process. The stated business objectives should reflect the choices made by senior management regarding the specific value they want to create for each stakeholder constituency. Risk assessments should be aimed primarily at estimating the likelihood and extent to which the stated objectives will be achieved.

Risk management activities should serve the continuous improvement of an organization’s predictive power, which hinges largely on the quality of the periodic forecasts prepared by the responsible business managers. Producing reliable forecasts requires that these managers be aware of the available opportunities, the levels of risk exposure, and the quality of internal control. The more realistic these forecasts are, the higher the level of control the managers achieve.

Following this approach shifts business managers’ attention from gauging actual results (versus plan, budget, etc.) to managing stakeholder expectations more proactively. Ultimately, improving the predictive power of an organization leads to a reduction in the overall uncertainty to which the entity is exposed. This, in turn, leads to enhanced confidence and trust in its senior management. And that is the best return leadership can receive from the time, effort, and money invested in risk management.

1. Ask the questions - Remaining “in control” is a relative concept in a largely unpredictable world. There are no risk-free organizations or error-free managers. When presenting strategies and plans, senior management should recognize that the future is inherently uncertain and that its endless possibilities are too complex. Instead of maintaining the illusion that the future can be fully understood or controlled, senior management should show courage and honesty when updating key stakeholders based on the latest forecasts.

2. Create the right culture - The organization’s culture will benefit from clarity on what is expected. Clear communication regarding what constitutes acceptable behavior and what doesn’t, as well as the bandwidths of acceptable deviations from stated objectives (i.e., the risk tolerances) must be provided. Management should initiate open discussions about the level of internal control required to manage key stakeholders’ expectations, and senior management should encourage learning from company errors rather than simply tearing down those responsible. Above all, senior management and the board should lead by example — a prerequisite for effective risk management.

3. Clarify responsibilities and rules - The organization will benefit from establishing a structured process for managing its policies and procedures; Senior managers should avoid giving “rules of the house”. They should also make clear what is decided at the corporate level versus what is left to the discretion of local management. Moreover, senior management should arrange “reality checks” from business managers when designing and implementing new rules for the organization, in an effort to prevent “rules obesity” from proliferating. Effective policy management eliminates gaps, overlaps, and inconsistencies in the organization, which effectively serves as its business control framework.

4. Use suitable reward systems - Adequate remuneration policies are necessary to steer people’s behaviors in the desired direction. Senior managers should lead by example and only accept compensation packages for themselves that are consistent with serving the long-term interests of the organization. Doing so will encourage managers and other employees to embrace the stated objectives and to commit to pursuing them.

5. Focus on the business objectives - The primary purpose of all risk management, internal control, internal audit, and other support functions’ activities is to contribute to the realization of the organizational objectives. Senior management should emphasize that these objectives, in turn, are aimed at creating and preserving value for key stakeholders. These stakeholders, after all, are essential to the entity’s continued existence.

6. Recognize the limitations of risk assessments - Risk assessments result in mere opinions about the future. These analysis are colored significantly by factors such as the personal preferences, knowledge, recent experiences, and character traits of those involved. Moreover, risk assessments should not be one-sided. To determine the extent to which the organization is ready to deal with the future, the analysis need to include matters that could help the realization of business objectives (the opportunities) in addition to those that potentially hamper the objectives (the risks). Furthermore, senior management should treat risk management (dealing with events that could happen) and incident management (dealing with events that have happened) in concert. They should ask questions such as: “How well trained is our organization to handle serious incidents when they occur?” and “How well established is our continuous improvement cycle?” They should also convince the business managers that a proactive, integrated approach for both risks and incidents is needed to keep the business control framework fit for purpose.

7. Put business managers in the driver’s seat - Risk analysis should provide the more balanced view of the future. Senior managers should explain that there are alternatives to fencing off the business processes with lots of preventive control measures and better ways to address risks than just adding more controls. Line managers should not feel as though risk management duties are an afterthought or a mere distraction from their “real job.” The board should orchestrate “pre-mortem” reviews of important strategies, plans, and projects to establish whether the existing business control system is robust enough to achieve the organization’s stated objectives reliably. The board should also ask senior management to explain the extent to which the achievement of its objectives (regarding quality, time, and money) is uncertain — a central issue for stakeholders. At the same time, senior management needs to encourage business managers to take advantage of risk managers’ and internal auditors’ risk and control expertise. These “generalists” should have a seat at the table when acquisitions are planned, new products are developed, or new markets are entered. Pursuit of new business opportunities should go hand in hand with serious discussions of the risks associated with the oftentimes crescendo projections of the promised results.

8. Demand integrated management information - Senior management should demand single integrated reports, thereby expecting the numerous functions providing this information to work together. Its aim should be to build a shared view of the extent to which the business objectives have been achieved in the previous period and the extent to which they are expected to be achieved in the next period. Senior management should insist that those providing the information use contemporary tools and techniques to analyze the available business data. They should monitor the effectiveness of the control framework not primarily based on checking samples, but on analyzing large transaction volumes. They should use continuous monitoring of transaction flows to spot irregularities and negative trends timely and develop robust business intelligence capabilities aimed at reducing uncertainty when making management decisions.

9. Make sure rules are enforceable - Organizational leaders should insist on having clear rules of the house that can be realistically executed in practice. The level of detail these rules contain depends on factors such as management philosophy, business process maturity, industry practices, expectations from regulators, and certification requirements. Senior managers should arrange support for the busy line managers when translating corporate policies into specific control measures in their business processes. If they want the rules to be taken seriously, they must also demonstrate that violations must be met with consequences.

10. Align internal audit with the business - The chief audit executive should be clear about the contributions he or she expects internal audit to make toward realization of the organization’s objectives. Senior management should involve the internal audit function as a trusted adviser to help establish the organization’s rules of the house. The more mature the rules become, the more efficiently internal audit can deliver independent assurance. Internal auditors should demonstrate that they understand which risks, if managed well, give their organization the greatest competitive advantages. They should gladly accept the challenge of actively managing information on how their organization earns the trust, respect, and financial support of key stakeholders.

On my next delivery of this series I'll talk about the cuantitative analysis requiered by financial management.