“Today, the risks are considered separately. Each business manages its risks with its own methods and its own data (fire risks, financial risks, etc.)”, explains Sébastien Delmotte, educational manager of training in global risk management at the CentraleSupélec Exed school. However, the Daf, due to the transversal nature of his function, can see all of his objectives impacted by all the business risks.
The Daf at the crossroads of business risks
It is a question of asking which risks are the most important, in order to prioritize them and allocate the necessary resources. “We have to ask ourselves which risks are acceptable or not, particularly in terms of economic losses. For this, the CFOs must issue strategic objectives and their requirements in order to guide the risk management policy of risk managers”, emphasizes Vincent Desroches, also head of education.
However, it is not a question of generalizing these risks with standard lists, insofar as “each company (depending on its size, sector, environment, …) has its own risks and different objectives”, insists Sébastien Delmotte. All these risks must be taken into account by the Daf within a global mapping of the company’s risks, but they must be analyzed and prioritized in the light of the strategic objectives of the company and the context (political, environmental, social…) because their criticality varies from one company to another, from one country to another and from one period to another.
26 generic risk categories
There are 26 generic categories of business hazards and threats: external to the company (environments, politics, insecurity, media, customers), internal linked to governance (commercial, legal, communication, human resources, strategy, ethics, etc.), internal linked to technical resources (infrastructure and buildings, materials and equipment) and internal related to production (studies and projects, human factor, physico-chemical, professional, operational, etc.).
We can nevertheless cite current critical risks (not ranked):
International political instabilities, such as Brexit, the war in Ukraine, the economic war between China and the United States which end in economic sanctions, or national ones such as social conflicts which can lead to changes of leaders at the different levels of the country (for example, the recent attempt at independence in Spain)… These instabilities can create exchange rate crises, supply chain failures, tax increases, complexification of contractual relations, the need to move the headquarters and factories…;
Regulatory complexity and rapid regulatory change on products and substances: not all countries have the same regulations in terms of food additives, the use of phytosanitary products, safety… But also on data with the GDPR for example or on algorithms with regulations that will probably emerge in the years to come;
Forced digitalization, with a massive impact of digital companies on the modes of consumption, sale, work, influence, marketing, production… Traditional companies have no choice but to follow this digital transformation, which is accompanied by cultural and technological upheaval. But it is not only a question of initiating a digital transformation; it must be successful (controlled in particular from a financial point of view). “We see many cases where this transformation has a disproportionate cost because it is poorly supported in terms of project risk management impacting performance, costs and deadlines”, emphasizes Sébastien Delmotte;
The increasing pace of technological breakthroughs, which is accompanied by financial bubbles that can destabilize the markets. Internet, Artificial Intelligence, NewSpace, quantum computer, new energies, connected health, biotechnologies… Each new breakthrough is accompanied by high expectations of gain, but also by more or less large-scale frauds and scams;
Cybersecurity, which has a very high cost for companies in terms of: losses linked to attacks; costs related to remediation following attacks; economic losses related to the loss of customers following attacks; protection and prevention against attacks; insurance costs that now include cyber risks;
The economic war, including actions of destabilization by competitors (companies, countries), which makes Dafs prime targets for corruption, extortion, blackmail or data theft.
However, this awareness of exposure to risks does not seem self-evident, because risk management is not an identifiable benefit for the company. “Even if it doesn’t bring in anything, it prevents you from losing. Take the case of Ferrero, how much will it cost them in terms of lost sales related to the health scandal or in advertising to restore their image”, says Sébastien Delmotte.
A good temporality of risk management
A good temporality of risk management takes place in 3 stages. Before: it’s about anticipating, being creative but also imaginative and forward-looking. “You need a capacity for anticipation and decision-making with an approach like the army’s so-called OODA (for Observe, Orient, Decide, Act). You have to be able to simulate scenarios to direct the strategy accordingly,” explains Vincent Desroches. During: it is about knowing how to react and what decisions to make. Finally, afterwards, we must learn the lessons and find out what worked or not. At each stage, risk management must know what attitude to adopt. “You have to know your strengths and weaknesses and know how to show agility”, says Sébastien Delmotte.
There is also talk of risk appetite, which must be supported by managers and the Comex. It is also about soft skills. “A good risk manager must know how to question and doubt. Because the first enemy of risk management is certainty”, emphasizes Vincent Desroches. But at the same time, beyond doubt, the good risk manager must also provide confidence.