Trending Topics summarizes news, information and perspectives on matters affecting businesses and business leaders today. This insight is being provided to keep you up to date on the latest developments and trends influencing these topics. These views do not necessarily represent the views and opinions of PNC. For additional research on these topics, please consult the sources cited in this article.

By definition, a finance department understands traditional business risks, such as fluctuating interest rates or cycling commodity prices. But in today's volatile business climate, your bottom line can suffer from external risk events and conditions so removed from day-to-day operations that you might not have given them a second thought. Let's get a handle on how to deal with it.

A risk is considered to be external when an organization has little or no control over if, when or how it might occur. When viewed in tandem with the related category of non-financial risk, this includes a wide range of potentially negative events such as:

  • Supply chain disruptions
  • Natural disasters
  • Cyber attacks
  • Regulatory changes
  • Geopolitical events
  • Viral social media incidents

“An escalating trade war, for example, could increase the cost of completing a project or contract costs to the point of making it uneconomic, or force a company to rethink key elements of its supply chain," said John Minor, U.S. National Practice Leader, Political Risk at Aon Benfield, in a public statement.[1]

Yet many organizations are far less proficient in identifying and preparing for external events than they should be. A worldwide survey of finance leaders from companies with between $250 million and more than $1 billion in revenues found that more than 60% are less than “highly confident” when it comes to managing their top risks.[2]

Insurance May Not Be Enough

In 2017, hurricanes Harvey, Irma and Maria devastated entire regions across the United States and caused an estimated $220 billion in economic losses.[3] In a survey of large companies with operations in affected areas conducted by FM Global, approximately four in ten reported “an adverse effect on operations" for which they were “not completely prepared."[4]

Of those $220 billion in losses, only $80 billion were insured.[5] Moreover, even if an organization is fully insured, policies don't normally cover less tangible losses due to operational disruptions, such as losses to market share, customer goodwill and investor confidence.[6-7]

That leaves it up to your organization to invest in its own internal mitigation methods. Think of it as the equivalent of self-insuring yourself. Investing funds to protect your structures from natural disasters can literally result in an ROI of over 10,000%, should such a disaster occur.[8]

“Investors want to know if you have a factory in a region prone to natural disasters that the resilience of the building is unquestioned," Courteney Keatinge, director of environment, social and governance research at proxy advisory firm Glass Lewis & Co was quoted as saying in the FM Global report. “If this is not the case, they want the board to find out why. Climate change risks are very much on the minds of investors, for obvious reasons. In this regard, the CFO is on the hot seat."[9]

Accountability Starts at the Top

While you might not be able to prevent the external events that create risk, you can take steps to mitigate those risks. On a basic level, the methods and attitudes necessary for effective external risk management are quite similar to overall risk management.

Effectiveness starts at the top of the organizational chart. For instance, efforts at vendor risk management (risks associated with doing business with vendors, such as IT providers) are “more than twice as likely" to be effective if the board of directors is deeply engaged in the process.[10] Yet all too often, the chief risk officer (CRO) is not even present at C-suite or board meetings.[11-12]

“The board has to fully back an organization's willingness to change its culture," said Keith Monson, Chief Risk Officer at Computer Services, Inc., which supplies regulatory compliance and core processing software to the banking industry. He spoke to PNC in preparation for this article.[13] “It is imperative that senior management supports the identification of risks that may be elevated within the organization."

The Challenges of Measuring External Risk

On another level, external risk management presents some unique challenges. For instance, CROs are often hesitant to work on large external risk issues.[14] Such risks are often difficult to quantify. While it's not rocket science to adapt to rising interest rates and lower sales, it can be very challenging to manage certain external risks, such as a consumer safety controversy involving products that you have been promoting in your stores.

“Metrics used to track non-financial risks within financial institutions simply are not as mature as those metrics used to monitor financial risks," said Monson. “In addition, with no industry standards being established, there is far less peer data that can be utilized to benchmark an institution's efforts in the non-financial risk arena as opposed to financial risks."[13]

Moreover, how do you manage such controversies, including the inevitable public calls for regulatory reform, without giving the appearance of involving your company in a political matter?

“Organizations can track proposed and newly created rules and regulations that affect their industry," said Monson. “In addition, organizations can track complaints logged internally and also those submitted against other institutions via the public database. Not only can you monitor complaints, but organizations can also identify enforcement actions and other monetary penalties associated with noncompliance."[13]

Of course, this is a double-edged sword. More tracking and logging means more valuable time spent on routine tasks. Risk managers spend most of their time identifying risks, when they would rather spend it on developing strategies to mitigate those risks.[15]

For deeper levels of analysis, a rapidly evolving set of new technologies, such as machine learning and predictive analytics, offers risk managers the ability to automate some of these processes. Some of the currently popular systems include cloud computing, predictive analytics, and robotic process automation.

Treating Risk Management as a Strategic Tool

When CROs say that they would rather spend more time on strategic planning, it's with good reason. Companies that treat risk management as an important strategic tool tend to enjoy better growth rates than those who don't.[16] Take advantage of its inherent ability to focus on “how things work" in the business environment to develop new, forward-thinking strategies that move your organization further toward its overall goals.

For instance, what if your manufacturing organization has identified a critical parts supplier as being prone to operational disruptions? A simple solution would be to increase inventory of that supplier's products or switch suppliers. A strategic solution would be to investigate bringing production capabilities in-house or redesigning your products to eventually avoid reliance on single-source components.

A strong risk management program also assures that everyone has a stake in the process, viewing risk management, not as an annoying “no you can't do that" speed bump, but as an exciting new way of refining and improving opportunities for growth, expansion and profitability.

Ready to Help

At PNC, we combine a wider range of financial resources with a deeper understanding of your business to help you achieve your goals. To learn more please contact your Relationship Manager or visit