Risk Management: The De-risk/Reward RatioChief financial officers are developing a new relationship with risk in today’s era of global business volatility, complexity and velocity. The risk-averse are being overtaken by the “risk-ready”—as in, ready to exploit risk for gain.

Risk today is top-of-mind for CFOS. A Duke University/CFO Magazine Global Business Outlook Survey identified “ability to forecast results” and “supply chain risk” among finance executives’ top five internal concerns; uncertain customer demand and financial regulation are the top two external concerns.1 Nearly 80% of CFOs and other top management say they have revised their approach to managing and responding to such risks over the past three years due to market volatility—and over 90% expect to reorganize and reprioritize risk management even more in the coming three years.2

White Paper

As CFOs redefine controllership—extracting strategic insight from the very core of finance and expanding visibility enterprise-wide—the Total Controllership Project, co-led by Tata Consultancy Services (TCS) and CFO Magazine, is building a network of CFOs and thought leaders for ongoing exploration of these innovations. The project explores Total Controllership’s increasingly critical contribution to three pivotal functions: planning, analysis and risk management. These three are the focal points of the project’s CFO roundtables, white paper series and ongoing dialogue about Total Controllership—its driving forces, component parts and the greater “whole” that is the potential sum of those parts. This paper, focusing on risk management, is the third in our Total Controllership white paper series.

2

But clearly, risk management isn’t only about regulatory compliance or protecting the enterprise against downside. Risk management can also drive growth (see Figure 1).

And as research from Ernst & Young demonstrates, effective risk management can also drive superior financial returns. Companies with more mature risk management practices outperform their peers: the top 20% in terms of risk management maturity generated three times the operating income (EBITDA) of the bottom 20% (see Figure 2).3

Figure 1: From Risk Averse to “Risk-Ready”

Adding Real Shareholder Value

Drive Growth

Mitigate Risks

RobustExecution

Risk ManagementProduct & Market Evaluation

Stakeholder CredibilityDecision Making Support

Trustworthy & Authentic DataRegulatory Compliance

Efficiency

Figure 2: Compound Annual Growth Rates 2004–11* by Risk Maturity Level

16.8%

8.3%10.6%

20.3%

9.5%

4.1%2.5% 2.1%

7.4%

Revenue EBITDA EBITDA/EV

* 2011 YTD reported as of 18 November, 2011.

Top 20%

Middle 60%

Bottom 20%

Source: EYGM Limited

“Turning Risk Into Results: How Leading Companies Use Risk Management to Fuel Better Performance” was authored by EYGM Limited, 2012, and the content indicated above is reprinted with permission. EYGM Limited is the owner of all copyrighted material contained herein and this material may not be reprinted without express permission from EYGM Limited.

3

Some companies’ exploits in turning risk into reward have become legendary. Southwest Airlines, called “the king of fuel hedging” in one news report, saved $3.5 billion on its fuel bill between 1999 and 2008 as oil prices were rising—even as some competitors raised rates, lost customers and went into bankruptcy.4

“Companies that can make the ability to preempt, detect and respond to risk a part of the institutional mind-set will hold a big edge in an increasingly volatile world,” writes McKinsey principal Mike Doheny.5

Total Controllership, with its robust execution of budgeting, planning, reporting and analysis, lays the essential foundation for risk management. Whatever the risk—strategic, financial, regulatory, operational—controllers and CFOs who quickly and proactively amass their financial information can manage it better. What is more, they can analyze their numbers more quickly, deeply and broadly in combination with operational information to turn risk into business advantage as well.

Through predictive insight and a strategic perspective, finance executives are transforming their roles from advisor to decision-maker, enabling more rapid response to shifting conditions for better business outcomes.

Regulatory Risk: Compliance Comes First

Historically, CFOs have focused risk management on financial controls and regulatory compliance.6 Even as risk management has become much more strategic, finance executives must first get compliance right or risk fines, protracted negotiations with regulators or, most problematic of all, reputational risk. Witness the following 2012 UK headline involving a scandal over alleged manipulation of interest rates: “Fines and Light Regulation Won’t Work—Let’s Boycott the Bank.”7

Today, not only is the business climate in flux, but the very standards for accounting are undergoing dramatic change while shareholder activism is on the rise. In industries such as financial services, “a significant upturn in regulatory enforcement actions over the past four years has affected nearly every industry player,” writes Treliant Risk Advisors Co-chair Mark W. Olson and Managing Director Susanna Tisa.8

Internally, top performers take an integrated approach to compliance, embedding controls into centralized databases and standardized, automated planning and reporting processes across the enterprise.

The Cost/Benefit of Compliance. The cost of compliance is high—but the total controllership approach puts compliance data to use for business gains as well—analyzing the numbers for any light they shed on underlying business operations.

4

Externally, the International Financial Reporting Standards (IFRS) effort at globalizing accounting practices is proceeding in fits and starts.9 “Hopefully sooner than later, everybody will agree to a common standard,” says Vijay Damle, Head, F&A Services, Tata Consultancy Services (TCS). Among the anticipated benefits: fewer country-specific books of accounts, greater transparency and more financial talent freed up to focus on real-world business analysis in different markets.

Business Gains from Better Compliance

Putting current regulatory uncertainty aside, though, “The mistake is to believe that risk and compliance management is ‘money down the drain.’ The reality is that if risk management is approached effectively, the output provides multiple usages, not only for the identification of fraud, risk and non-compliance, but also for enhanced profit making,” according to Laura Houston, Head of Investment Banking Solutions at Detica NetReveal.10

“A ton of data gets collected for compliance and it would be a waste if it is not used for something else,” says TCS’s Damle. For example, data reported for a tax credit in a particular country can be mined further—to see if the underlying business activity is valid as well.

Better governance, risk and compliance (GRC) management is already producing real business benefits for many enterprises, enabling global business development, the attraction of new customers and business partners and more aggressive business initiatives. In fact, 32% of top performing CFOs in a survey by the Aberdeen Group said the cost of compliance is lower than the additional revenue generated by being compliant.11 “Enabling new-market revenue through compliance, and securing new deals/partners/customers with lower corporate liability will ultimately lead to noticeable returns,” Aberdeen says.

For example, a company that demonstrates transparency and a strong record of compliance in the world’s strictest jurisdictions sets itself up in an excellent position to negotiate favorable terms with the government of a country it would like to enter. Companies not only mitigate risk but also establish their credibility as good partners and global corporate citizens by employing this type of “borderless compliance.”

5

Enterprise Risk Management: Avoiding Pain and Achieving Gains

Looking beyond regulatory risk, a rapid succession of negative events in recent years has pushed enterprise risk management up the CFO’s agenda, says Kate O’Sullivan, Editorial Director of CFO Publishing. To name just a few: the Japanese tsunami’s global supply chain repercussions, the disappearance of major banks thought “too big to fail,” the slowdown in emerging market growth, the disruption from new technologies such as the iPhone and social media. “CFOs nowadays try to cast a much wider net,” she says.

Global supply chain risks abound. Auto production was recently threatened at Ford when an explosion in Germany ravaged the chief supplier of a resin used in fuel lines. But Ford CFO Bob Shanks was already on the case, he told reporters in the spring of 2012, with alternative materials in development and testing.12 Perhaps he had learned a lesson the previous year, when sole sourcing from a supplier in tsunami-ravaged Japan forced US automakers to limit new orders on certain vehicles.

Non-payment represents a classic case of business risk. If receivables are climbing month after month, controllers must dig in and find the cause. If the problem is a particular company, they may consider shutting that customer off. They may find the customer is going bankrupt. “Only a controller who has clear visibility of what is happening can help,” according to Shyam Kerkar, Head, Marketing—BPO Services, TCS.

Currency fluctuations represent a growing risk in today’s interconnected economy. IBM, for instance, reported that it took a $1 billion hit to its revenue growth for the second quarter of 2012 due to currency turmoil in Europe.13

Finding the Upside in Risk Risk and strategy have become intertwined in the modern global economy.

“CFOs are turning risk management into insight and even into a growth function,” O’Sullivan says, as they assess the risk/reward ratio in mergers and acquisitions, new markets and other initiatives. They are also eking advantage out of volatility in their operations.

What is the potential upside? For instance, in the global supply chain, “companies aren’t just spotting and mitigating supply chain risks. They are also seeking ways to use volatility to gain advantages over rivals,” McKinsey’s Doheny says.14 Take the example in which an essential component of wind turbines was available only

The Rewards of Risk. Total controllership embraces the fact that risk is part of doing business, exploiting upside opportunities even while managing downside exposure.

6

from three suppliers worldwide. The turbine maker’s CFO took the deliberate step of ensuring predictably early payment to these suppliers. “We wanted to be at the head of the line when supply tightened,” explains one of the company’s former finance executives.

Geographically, Rio Tinto CFO Guy Elliot sees his company’s greatest opportunities in emerging markets. “But we need to think a bit more about the political risk and the management challenge of emerging markets versus what we might call ‘safer’ jurisdictions,” he points out.15

Doing granular analysis to identify risky customers will also shed light on opportunities to make big wins with good customers. “If I have a customer who pays on time no matter what, can I give them a discount and sell even more to them? What can I do to win a bigger share of their wallet?” TCS’s Damle says.

Currency risk can also have its rewards. For instance, CFOs are finding that “as Europe struggles, the currencies of countries such as Australia and Canada have become safe havens and behave differently than they have in the past,” says Rio Tinto’s Elliot.16

Managing Risk Through Organizational Change

Improving risk management involves aggressive action across the three classic organizational dimensions of people, processes and technologies, all across the enterprise. Again, Ernst & Young drive home the point, saying: “Embedding risk as the fourth dimension of business has the potential to fundamentally transform how organizations connect risk to reward.”17

“Organizations have to reinvent how they communicate and integrate risks between functional silos,” say Treliant’s Olson and Tisa. GRC systems and other tools are improving the ability to track and integrate enterprise-wide risks in large, far-flung and complex operations. “Of course, to benefit from such tools, companies must define their risk appetite and governance mechanisms, set in place the appropriate cultural and incentive structures, and communicate objectives and intentions broadly.”

Key risk indicators (KRIs) intelligently established, monitored and analyzed can keep a company’s operations in line with its risk appetite. Monitoring risk in silos or only on occasion can leave an enterprise exposed to unintended consequences. Finance executives should embed risk indicators in all business processes. For a pharmaceutical company, for instance, KRIs could include a single manufacturing site or supplier, quality issues, uncertain demand, commodity pricing/availability and IT issues.

Business relationships merit similar scrutiny. “Close partners have to be willing to open up each others’ operations with a view to collectively reducing risk,” says V.K. Raman, Global Head, Domain BPO Services, TCS. Such measures should always be taken in view of their own inherent risks, however. A study by the Ponemon Institute found that 39% of data breaches in 2010 involved third-party organizations.18

7

One organizational obstacle to improving risk management is cited again and again: The finance department’s staff constraints in the wake of recession-era headcount reductions is stymying progress, as transaction processing and day-to-day accounting fills their days. “We need to free the finance people up from this routine,” says Steve Player, North America Program Director of the Beyond Budgeting Round Table. Instead, the finance department should spend more time not only on operational aspects of the company, but gaining insight about the industry it serves.

At an individual level, if an accountant is not of the right mindset, patterns emerging from the data collected will go unheeded. Player warns of risk blindness: “We often see what we’re looking for and ignore huge signals that are blindingly obvious.”

Experience also helps. Home Depot CFO Carol Tomé, recently named by the Wall Street Journal to its first-ever “Best CFOs” list, says she was inoculated against fear of today’s market volatility by a previous job, managing through a bankruptcy proceeding. So during the U.S. recession, “I didn’t lose any sleep, because I had been through trouble before, and I knew we would be fine.”19 Startups are often seen looking for such experience when hiring CFOs, and companies across the board look to outside advisors steeped in their clients’ collective finance or industry experience.

Tooling Up for Risk Management

Total controllership means responding with faster, more robust execution—implementing enterprise-wide systems, automation and business intelligence to deliver greater transparency and analysis.

Process automation can provide a time advantage that “becomes a key plank in the effective risk management platform,” according to the American Productivity & Quality Center (APQC).20 Amanda Lam, Vice President of Finance Operations and Projects for insurance provider Aviva Canada , says automation efforts recently cut the time it takes her company to close the monthly financial report from 6 days per month to 3-1/2 days.21

Tools on hand for managing risk include scoring systems, demand-supply simulations and the eXtensible Business Reporting Language (XBRL), which has seen rapid uptake as a tool not only for financial compliance but for visibility and comparative analysis of data across the enterprise.

Getting Risk-Ready. Risk management should be embedded enterprise-wide, with clearly communicated leadership from finance across the organization’s people, processes and technologies.

8

Further, scenario and contingency planning represent best practice. “You need to do more than just worst and best-case scenarios—do five, six, seven or more. Really thinking through a wider range of possibilities is a big priority right now,” CFO Publishing’s O’Sullivan says.

With so many tools available, “It’s an absolutely ridiculous level of risk that companies take when they rely on an outmoded tool that prevents them from being agile in the face of fast-moving marketplace and capital market events,” says Mary C. Driscoll, APQC Senior Research Director, Financial Management.22 Take the example of a global business trying to establish to a single source of truth—especially if it has gone through acquisitions in various locations.

Introducing new information systems requires care—they introduce their own regulatory and enterprise risks. For instance, cloud computing is rapidly growing, but especially when operating across borders, an uncontrolled shift to the cloud could expose an organization to unacceptable long- and medium-term risks, reports CFO Magazine, citing intellectual property as just one gray area.23

In the end, “It’s all about having a set of consistent, transparent numbers with red flags at the right time,” says TCS’s Damle. “If you don’t know what’s going on, you don’t know what to do when it hits you—or you don’t even see it coming.”

Considerations: Keeping Up with a Shifting Risk Landscape

The risk landscape is a continually shifting one, with regulatory change a constant. One big change afoot, for instance: an International Integrated Reporting Committee of corporate, investment, accounting, regulatory, civil society and other actors has proposed standardized integrated reporting “that brings together material information about an organization’s strategy, governance, performance and prospects in a way that reflects the commercial, social and environmental context within which it operates.” If globally adopted, this will mean adding whole new sets of reports to regulators.

Entirely new business risks continually emerge. Latest among those cited by CFOs is social media as a potential source of reputational and other risks. Companies are doing online assessments and establishing policies ranging from the reactive (focused on risk) to the proactive (focused on the potential upside). Best practices include regular online audits of social networking across the multiple business units using social media for everything from marketing to customer relations to product development and more.24

Managing regulatory and enterprise risk comes with a high price tag in terms of technology and analytical skills. “But the other way of looking at it is this: What is the downside of not doing this—for example, not knowing what my receivables are from a country facing currency devaluation,” says TCS’s Damle. “CFOs must weigh the costs of robust risk management against the benefits, and then make the call.”

9

Conclusion: Risk and The “New Normal” Business volatility continues to increase as markets become more global, more complex—and operate even faster and faster. Growing risk is a natural partner to markets’ increasing speed and volatility, suggesting that the global

“winners” will be those companies who most effectively migrate from managing risk’s potential pain into their enterprise’s business gain (Figure 3).

Steady streams of good information can cushion risk—but they also can do much more than that. In the new normal of increased volatility, complexity and velocity, total controllership holds many of the keys to corporate confidence and agility of action.

Done correctly, risk management can help enterprises attract more partners, customers and suppliers and take bolder business initiatives.

Doing rigorous analysis of information on hand today, and integrating it with more forward-looking practices and predictive data, can position CFOs and their companies to grow and prosper.

Figure 3: Partnering for Growth

◼ Protecting Corporate Assets◼ Protecting Corporate Investments◼ Manage Cashflow

TO

FROM

◼ Explore Competitive Assets◼ Explore Optimal Investments◼ Optimise Cashflow

PARTNERING AS A LOVER

10

References

1. Quarterly CFO Survey, Duke University and CFO Magazine, June 2012, http://www.cfosurvey.org/

2. “Aftershock: Adjusting to the New World of Risk Management,” Deloitte, 2012, http://www.deloitte.com/view/en_US/us/Services/additional-services/governance-risk-management/0d65b82d81908310VgnVCM2000001b56f00aRCRD.htm#

3. “Turning Risk into Results,” Ernst & Young, 2012, http://www.ey.com/Publication/vwLUAssets/Turning_risk_into_results/$FILE/Turning%20risk%20into%20results_AU1082_1%20Feb%202012.pdf

4. “United May Not Be Alone with Fuel Hedge Losses,” AP, September 2008, http://www.msnbc.msn.com/id/26761843/

5. “Agile Operations for Volatile Times,” McKinsey Quarterly, May 2012, https://www.mckinseyquarterly.com/Agile_operations_for_volatile_times_2968

6. “Turning Risk into Results,” Ernst & Young, 2012, http://www.ey.com/Publication/vwLUAssets/Turning_risk_into_results/$FILE/Turning%20risk%20into%20results_AU1082_1%20Feb%202012.pdf

7. “Fines and Light Regulation Won’t Work—Let’s Boycott the Bank,” The Guardian, June 2012, http://www.guardian.co.uk/business/2012/jun/28/fines-regulation-boycott-barclays-bank?newsfeed=true

8. “Rebuilding the Financial Services Model in a Volatile Economic Environment,” Intelligent Risk magazine, July 2012, http://www.prmia.org/Weblogs/General/PRMIA_docs/IRisk_Vol.2.Iss.3_July2012.pdf

9. “U.S. accounting pushback seen as temporary delay,” Reuters, July 2012, http://in.reuters.com/article/2012/07/16/accounting-idINL6E8IG7IE20120716

10. “Risk Management for the Real World,” Tabb Forum, June 2012, http://tabbforum.com/opinions/risk-management-for-the-real-world?force_print=true&single=true

11. “Enterprise GRC Management and the Impact of Global Reporting Standards,” Aberdeen Group, 2011, http://www.infor.co.uk/company/registration/?requestedContent=%2Fcontent1%2Fanalyst%2FAberdeen-Enterprise-GRC-Management-and-the-Impact-of-Global-Reporting-Standards%2F

12. “Automakers May Have Dodged Resin Shortage Threat,” AP, April 2012, http://www.businessweek.com/ap/2012-04/D9UDF6EO0.htm

13. IBM press release, http://www.ibm.com/investor/2q12/press.phtml

14. “Agile Operations for Volatile Times,” McKinsey Quarterly, May 2012, https://www.mckinseyquarterly.com/Agile_operations_for_volatile_times_2968

15. “Breaking Strategic Inertia: Tips from Two Leaders,” CFO.com, April 2012, http://www.cfo.com/article.cfm/14636503?f=search

16. “Breaking Strategic Inertia: Tips from Two Leaders,” CFO.com, April 2012, http://www.cfo.com/article.cfm/14636503?f=search

17. “Turning Risk into Results,” Ernst & Young, 2012, http://www.ey.com/Publication/vwLUAssets/Turning_risk_into_results/$FILE/Turning%20risk%20into%20results_AU1082_1%20Feb%202012.pdf

18. “Ponemon Study Reveals That the Most Likely Threat to Data Security Is Not the Outsider, But Rather Negligent, Incompetent or Malicious Corporate Insiders,” April 2010, http://www.prnewswire.com/news-releases/leading-cause-of-data-security-breaches-are-due-to-insiders-not-outsiders-54002222.html

11

19. “Not Just Bean Counters,” Wall Street Journal, July 31, 2012, http://professional.wsj.com/article/SB10000872396390443477104577553052701709054.html?mod=ITP_marketplace_0&mg=reno-wsj#articleTabs=article

20. “The Benefits of Streamlining Financial Management Processes,” APQC, 2011, http://www.apqc.org/knowledge-base/download/227212/a%3A1%3A%7Bi%3A1%3Bi%3A2%3B%7D/inline.pdf

21. http://www.tcs-connect.com/index.php?id=5&L=0

22. “Empowering the Office of Finance to be Adaptable to Change,” CFO Research Center, June 7, 2012, http://www.cfo.com/webcasts/index.cfm/l_eventarchive/14639568

23. “Four Barriers to Cloud Due Diligence,” CFO Magazine, April 2012, http://www.cfo.com/article.cfm/14633558?f=search

24. “Social Media Strategy, Policy and Governance, Ernst & Young, February 2012, http://www2.eycom.ch/publications/items/other/2012_giss_social_media/2012_EY_social_media_strategy_policy_gov.pdf

All content/information present here is the exclusive property of Tata Consultancy Services Limited (TCS). The content/information contained here is correct at the time of publishing. No material from here may be copied, modified, reproduced, republished, uploaded, transmitted, posted or distributed in any form without prior written permission from TCS. Unauthorized use of the content/information appearing here may violate copyright, trademark and other applicable laws, and could result in criminal or civil penalties.

Copyright © 2012 Tata Consultancy Services Limited

Tata Consultancy Services is an IT services, consulting and business solutions organization that delivers real results to global business, ensuring a level of certainty no other firm can match. TCS offers a consulting-led, integrated portfolio of IT and IT-enabled infrastructure, engineering and assurance services. This is delivered through its unique Global Network Delivery ModelTM, recognized as the benchmark of excellence in software development. As a part of Tata Group, India’s largest industrial conglomerate, TCS has a global footprint and is listed on the National Stock Exchange and Bombay Stock Exchange in India.

For more information, visit us at www.tcs.com

About Tata Consultancy Services (TCS)

Contact For more information about TCS’ BPO contact bpo.imo@tcs.comFor more information about TCS’ consulting services contact na.marketing@TCS.com

Business Process Services (BPO) at TCS is about managing and executing business operations. Our domain expertise helps deliver core business processing across industries, analytics and insights, and support processes such as accounting, HR and supply chain management. TCS partners with customers to accelerate co-transformation, and generates business value for customers through delivery excellence, risk management and through innovative models such as Platform BPO which delivers process as a service. With over $1.1 billion in BPO revenues and 40,000+ employees across 11 countries delivering services to more than 200+ customers, TCS is one of the leading Global Domain based BPO providers.

About TCS BPO