I am pleased to share what will be the 100th Blog I have posted on Proformative.
The
The first set of questions Andrew shared are courtesy of a PwC Report, Insurance 2020 & Beyond: Reaping the Dividends of Cyber Resilience, and are as follows:
- Who are our adversaries, what are their targets and what would be the impact of an attack?
- We can’t lock down everything, so what are the most important assets (‘crown jewels’) we need to protect?
- How effective are our processes and assignment of responsibilities, as well as our systems safeguards?
- Are we integrating threat intelligence and assessments into proactive cyber defense programs?
- Do we assess vulnerabilities against known tactics and tools used by perpetrators who might target them?
The next set of questions are courtesy of Alert: Through the Eyes of the Board: Key Governance Issues for 2015, and are as follows:
- Does our organization have a social media policy and what does it cover?
- Is there a designated position in our organization to manage social media?
- Does our organization monitor social media and, if so, for what?
- Do we monitor social media internally, or is the function outsourced?
- Does our organization have a crisis management and a cyber-incident response plan, not just a business or disaster recovery plan, to mitigate any reputational damage that may result from a cyber-incident or other failure?
- Does the organization practice its response plan and simulate the decisions and actions that will need to be taken under different scenarios?
- Does the board have an opportunity to observe these simulated response plans as they are being practiced?
- What role would the Board have in responding to a reputational incident, and is that role clearly defined?
- When did the board last respond to a crisis, and was there an assessment of its performance?
- Were the findings of this assessment built into the crisis response plans of the organization and the board?
The last set of questions shared were formulated by Andrew through his experiences in leading the development of an ERM program from the ground up at Western Digital Corporation (WDC):
- Does the company monitor customer concentrations? How so (by industry, geographic location, other)?
- How does the company monitor and measure customer retention? Who is responsible, and how often does it occur?
- What process does the company use to monitor changes in customers' needs, and how does that flow through to the company's innovations?
- What is the process the company follows to evaluate individual customer profitability?