
10 Rules for CFOs, From the Fog of War

The fog of war can be an excellent metaphor for the CFO in today’s rapidly changing business environment. Nowhere is change more frantic than trying to manage multiple financial battlefronts: profit margins, SG&A, FP&A, EBITDA and free cash flow. One of the largest battles in business today is the war between organizations and the healthcare supply chain that their employees and team members access for medical treatment.

Investing millions of dollars in accessing the healthcare supply chain without actually knowing in advance the cost of almost all the services might as well be war, because it darn sure kills the income statements of companies and the standard of living for employees and families across America.


The recently released book titled “Extreme Ownership” delivers a how-to on managing multiple simultaneous risks across the organization. The lessons in the book provide a strategy outline on how to execute and eliminate risk when you have leaders and team members operating in hostile environments.

For instance, ask your internal healthcare manager what the mission of your healthcare program is and see if it matches your goals and intentions. Have you communicated to the healthcare manager and his operations team the “why” of the investment in healthcare, or is healthcare just OpEx?

As hard as it is to believe, some organizations allow non-P&L managers, or worse, operations-level administrators to dictate policy and strategy, and their decision supersedes the mission.

The annual renewal process can be very reactive, and not enough effort is applied to identifying priorities. The result is the equivalent of friendly fire because the tactical plan focuses on the wrong targets and has minor impact. The enemy, the healthcare supply chain, reverse-engineers every government regulation change and cost-shifts to private employers. Not understanding this fundamental principle loses you the war in the long run and the battle every renewal.

CFOs need to make sure they are not in a position where they are merely informed and not actually involved in healthcare strategy, because they will have limited situational awareness. Is there a formal process in place that requires the operations-level staff to report all strategic and tactical options up to the C-suite and not just cherry-pick what is disclosed? Is innovation preached but status quo and incrementalism actually reinforced? Are rate increases tolerated because they are lower than budgeted increases? CFOs need to honestly assess whether they abdicate their leadership role by avoiding the forced execution of strategic healthcare options, instead choosing to take the path of least resistance and defaulting to the ground forces that they pay to handle the details.

After all that, is the question ever asked, “What is the best way to execute the mission?”

Failed execution and badly supervised risk management can lose an organization millions of dollars, and now CFOs risk personal liability by not knowing the best way to execute the mission. There is a consequence for gambling with employee contributions in an ERISA plan, and not knowing with certainty that the organization’s healthcare claims will go down this year is the proof.


CFOs have limited situational awareness of the unnecessary risks and poorly performing strategies being deployed by the people they believe they are paying to manage their healthcare investment. The C-suite must gain a new situational awareness of the healthcare budget risks and ERISA compliance exposure facing the organization and, potentially, themselves individually.

My book notes that soldiers died because of mistakes. In business, healthcare strategy mistakes crush the employees’ standard of living, waste millions in lost profits and expose the CFO to fiduciary risk because of a lack of situational awareness, the conviction of forced execution and extreme ownership.

Global Insurance CRO Survey 2016

Risk functions have evolved from “check-the-box” compliance to being a key enabler for business decision-making. This change has provided chief risk officers (CROs) with a seat at the table in the highest levels of the organization.

2016 has been a year of black swans, characterized by prolonged low interest rates, political uncertainty in key markets and increasing competitive forces challenging insurers’ business models. Together with the rise of risk-based capital regimes across the globe, these factors are tending to align the CRO and CFO agendas, establishing a tighter link between risk, capital and value.

The CRO role will always have a strong regulatory-driven rationale. But as the role evolves, we see an opportunity in ERM to take stock of teams, toolkits and processes — and use them to achieve greater effectiveness.


This shift is occurring at different rates in different regions, but the direction is clear. Our survey explores five key themes around the risk function and CRO role:

1. There has been a high degree of operationalization in prudential regulation around the globe:

  • In Europe, in response to Solvency II demands
  • In the U.S., as a consequence of the NAIC’s ORSA requirement and, for the larger insurers, SIFI demands from the Federal Reserve Board
  • In Asia-Pacific, with the implementation of risk-based capital regimes (e.g. C-ROSS in China, LAGIC in Australia, ORSA requirements in Singapore and ICAAP in Malaysia)

2. We are seeing a sharper focus on consumer-conduct regulation:

  • The U.S. Department of Labor is shaking up focus on the advice model.
  • The European Parliament is debating significant advances in policyholder communications, and various European home regulators are demanding redress for past failings in sales process, transparency of charges and continuing product suitability.
  • Depending on the region, it is more or less common for CROs to have compliance report through to them.

3. Governance models are now largely converging to reflect the three lines of defense principles.

Although differences exist across geographies, CROs are consistently seeking to strengthen risk accountability and understanding across the workforce. In particular, while we are seeing an increased awareness that risk ownership starts with the first line, there still are opportunities to strengthen risk accountability and improve communication to help everyone understand risk appetite and consequences.

4. Risk functions are becoming more involved in producing and monitoring risk metrics.

Larger insurers subject to Solvency II and now required to obtain approval of their internal economic capital models are partly behind this shift in risk functions.

Beyond Europe, other jurisdictions have a variety of approaches. For example, U.S. insurers subject to Federal Reserve regulation are required to use more extensive stress and scenario testing in their internal capital management processes (with the eventual requirement to publicly disclose the results).


In general, even where there is no regulatory mandate, CROs and their risk teams are increasingly involved with stress testing and more advanced financial models to quantify risk.

5. CROs are aware of the potential for improvement in operational risk management.

While businesses generally understand the “known knowns,” risk plays an important role in emphasizing the need for a systematic approach to the full spectrum of exposures. Cyber risk in particular is one of the biggest areas of concern for most CROs, who consider it a key focus area of operational risk.


How Technology Breaks Down Silos


New digital technologies and the data they are producing have forced collaboration among senior business leaders across all levels of all organizations. To obtain insights from data to drive decision-making and embed a data-driven approach within a company’s culture, it is critical for the C-suite to lead the way.

It’s easy to talk about collaboration, but much harder to act. Analyzing information, deriving insights and responding with effective strategies require an understanding of the analytical tools themselves, as well as collaboration. As technologies get smarter and various functional groups collaborate, simply moving to single systems can give broader teams greater visibility into inefficiencies and broken processes.

But how does a business get to such a place? What tools and strategies bring about successful coordination of activities in such dynamic situations? And what are the challenges of working together that C-Suite executives should anticipate?

In Depth

Just about every functional group within an organization can now collect, connect and analyze data. But big data – from keyword searches, social sites, wearables, mobile devices, customer feedback and so on – presents challenges as well as opportunities for business leaders. One of the biggest challenges is how to transcend organizational silos to unlock this data’s true potential.

Technology is also transforming how businesses develop and deliver goods and services and is placing enormous new demands on those responsible for strategies to navigate the challenges. These are the people who need to apply institutional knowledge, implement changes and allocate resources toward new ways of working on a day-to-day basis.

Paul Mang, Global CEO of Analytics and leader of the Aon Center for Innovation and Analytics in Singapore, says there are two types of data analysis that can be leveraged to accomplish this: business analytics and enterprise analytics. Business analytics focus on the use of established tools and capabilities, while enterprise analytics “create new product or value propositions for existing clients or new client segments altogether.”  Short-term, enterprise analytics can lead to disruptive innovation while quickly contributing to improved long-term performance.

“Business and enterprise analytics should work side-by-side and complement each other” to support decision making, Mang says.

The Changing Role of the CIO

The need to become an effective data-driven organization has dramatically increased the importance of the chief information officer (CIO), a role that John Bruno, chief information officer at Aon, says is that of “an integrator – someone who works across the entire organization to embed data within the business.”  He sees the value that information technology (IT) brings, and notes that “IT is less about bits and bytes of data, but more about bringing them together to extract specific insights.”

The need to centralize and mine big data for market opportunities and to parse out weaknesses is also prompting some firms to create a C-suite level position of chief data officer (CDO). This role would be responsible for working with business managers to identify both internal and external data sets that they may not even realize exist, as well as continually looking for new ways to experiment and apply that data.

The chief marketing officer (CMO) is equally critical, both for communicating changes in customer preferences and behaviors and for leveraging insights from customer purchase patterns to develop new products and services. Like the CMO, the effective CIO needs an intimate understanding of how current technology can increase the company’s sales.

However, Bruno says, “in any large organization, there are multiple leaders in different parts of the organization who address different elements of the same challenges. It’s the CEO who can see the whole view and works to have teams bring forward integrated solutions to distributed problems.” He sees the role of the CEO as one who looks beyond short-term disruptions and organizational adjustments to seize opportunities that ensure long-term growth.

This is why, increasingly, the role of the CIO/CDO is about balancing business needs against an incoming stream of opportunities – and risks. This broad cross-business knowledge can only come from constant and deliberate collaboration with the rest of the C-level executive suite. Above all, the CIO has to be able to effectively show how technology and the subsequent data it brings are assets rather than cost centers. For CIOs to really succeed, this means informing C-level colleagues about technology and the opportunities it can create.

Making Collaboration Count: Finance and HR

The role of the CFO is increasingly about analyzing data to give it meaning and partnering across the organization to make the information actionable. One area that is seeing CFOs use data to drive real results is in collaboration with the chief human resources officer (CHRO).

Eddie Short, Aon Hewitt’s managing director, Global Data & Analytics, says that in most organizations the C-Suite has not been getting sufficient insight into people-related business issues, typically owned by human resources (HR) teams. Today, with the CIO’s help, digital tools are increasingly being used by leading organizations to measure employee performance, reduce attrition and cultivate talent through a better understanding of the data about their workforce that they can gather and analyze.

“People analytics,” as this emerging field is known, attempts to bridge the gap between HR and the rest of the organization by providing specific insights into an organization’s talent. “People analytics is all about connecting the value of your people to the strategic goals and objectives of the business,” Short says. “This approach represents a major opportunity for HR and finance leaders to take a road centered on the greatest asset that organizations have – their people – and start to shape the value-add they will create for the business over the next five to 10 years using predictive analytics.”

With skills shortages an increasingly pressing issue for many organizations around the world, gaining this kind of insight can help a business to identify and meet its future talent needs.

Aligning for Agility

As technology continues to disrupt, CEOs and the C-Suite in general must accept that there may not be a set playbook to follow to adapt and evolve. Flexibility is paramount, and often organizations must invent and reinvent as they move forward. Intelligently applying analytics tools to derive value from big data can help them navigate this new terrain.

“Today, CXOs want predictive insights,” Short says. “They want answers to the predictive ‘what could I do?’ questions as well as prescriptive – ‘what should I do?’ – questions.” Yet most tools and programs currently available are merely descriptive; deriving true insight requires additional interpretation from people who really understand the business.

This is where C-Suite collaboration becomes so vital. Organizations thrive when there are diverse and complementary personnel and systems working together. Sharing insights from the analysis of big data across the C-suite and across functions can position businesses to draw valuable insights from this data, harmonize planning around it, align their actions and understand the full value this brings both to their own divisions and the organization as a whole. And the more that data is shared, the more leading businesses discover that they can find answers to today’s – and tomorrow’s – questions.

With the measurable business benefits this data sharing can bring, the business case for breaking down silos within organizations is stronger than ever. Where this may have once been a C-Suite aspiration, the make-or-break implications of insights drawn from this data have made it a business imperative.

Talking Points

“In every industry, our analysis and our work with clients would suggest technology at a minimum is going to be a tremendous accelerant. So if you have a business model, the opportunity to scale it more effectively, grow it more effectively gets… amplified.” – Greg Case, CEO, Aon

“The way that big data pervades most organizations today creates a dynamic environment for C-level executives to explore how it can and should be used strategically to add business value.” –  Economist Intelligence Unit


4 Ways Risk Managers Can Engage on Cyber

Five years ago, a cyber-attack on your organization would likely have been a quick one-two punch to compromise your firewalls and obtain your customers’ personal data. As the risk manager, you would have been informed of the breach by IT staff, determined the severity of the incident and given an account to the company’s compliance staff.

Fast forward to today. An attack takes a subsidiary’s corporate network offline and threatens the entire firm’s email system. Critical product formulas or sales data may have been stolen. You are called to not only provide a report of the incident to the chief information security officer but also to the CFO and CEO. The media and shareholders are clamoring to know how it happened, and the board wants to know how you plan to prevent another one.

Prepared or not, your role has changed as cyber criminals have grown more sophisticated – and more menacing. You can no longer simply react to cyber events. You are a crucial member of cybersecurity task forces and cyber risk strategy teams and are increasingly relied on by the most senior corporate leadership.

You’re probably routinely called to be part of the team that develops best practices for assessing, managing and responding to cyber events, on top of ensuring that effective cyber insurance or other risk transfer mechanisms are in place. As regulators, shareholders, customers and others hold senior corporate leadership accountable for cybersecurity, you have to be diligent in identifying, analyzing and anticipating all of your organization’s risk exposures.

Four Steps to Cyber Risk Management

To help meet the increasingly difficult and complex challenge of cyber risk management, start with these four tactics:

  1. Create an operational risk working group around cyber that includes IT, information security, legal and others. As a risk manager, you’re probably uniquely positioned – for example, through risk committees – to pull together a cross section of key stakeholders around an issue such as cybersecurity.
  2. Quantify, as much as possible, the costs of a cyber event across all business units. Consider using analysis and assessment tools that quantify impacts by business, sector and other areas.
  3. Communicate the potential impact of risks to various stakeholders inside the organization as well as to third-party vendors.
  4. Deliver the cyber risk management strategy to the chief information officer or the C-suite/board in a timely manner – and be accountable for maintaining and amending the plan as required.

Heightened awareness of cyber events has enabled risk executives to play an ever-more critical role in their organization’s cybersecurity strategy, but only with the right risk management tools can you truly succeed.

This article is part of a series that discusses cyber awareness among key stakeholders.

7 Stakeholders for Cyber Risk

Imagine you’re the CFO at a firm involved in sensitive M&A discussions with your bankers, and you receive an email asking for a small bit of non-public information on your company, the kind you’ve passed on before. You send the information – and later find you were the victim of a sophisticated cyber-attack.

Now imagine you’re in charge of operations at a manufacturing facility. Out of the blue, your employees report that they have lost control of key systems. It’s impossible to shut down a blast furnace correctly, endangering the safety of employees and others and threatening massive damage. You, too, have been the subject of a cyber-attack.

These events underscore the new reality in cyber risk management: It is no longer just an IT issue. Everyone – from individual employees to risk managers to your board of directors – now has a stake in managing cyber risk comprehensively, across the enterprise.

Following are seven key stakeholders to consider as you look at your cyber risk management strategy:

  1. Risk manager: Risk managers can ensure various stakeholders are connected in terms of assessing, managing and responding to cyber risk. Understanding the evolving cyber insurance market and overall risk finance options is also important.
  2. CFO: Concerns range from the potential costs of a cyber event and what the impact could be on the bottom line to the security of the office’s sensitive information.
  3. CEO/board of directors: Accountable for overall business and company performance, they have a fiduciary duty to assess and manage cyber risk. Regulators, including the Securities and Exchange Commission and Federal Trade Commission, have made clear they expect companies’ top leadership to be engaged on the issue.
  4. Legal/compliance: As regulations around cyber develop, legal and compliance roles become increasingly important in keeping other stakeholders informed and engaged. And, if a cyber incident occurs, lawsuits often follow within hours.
  5. Operations: Maintaining daily operations, business processes and workplace stability is critical during a cyber event.
  6. Human resources/employees: Simple errors – or deliberate actions – by employees can lead to costly cyber incidents. Training on best practices is critical, especially with the rise in sophisticated “spear phishing” attacks targeting specific employees.
  7. Customers/suppliers: Interactions with customers and vendors can open you up to an attack. You need to understand the protections they have in place so they don’t become the weak point in your cyber defenses.

Protecting your organization’s data and individuals’ privacy is becoming more difficult by the day. Successful cyber-defense strategies are comprehensive and multi-pronged. A critical component is understanding and defining the roles and responsibilities of all key stakeholders.
