
Achieving objectives in the complex interconnected risky world

In their paper “What the CFO Needs to Know About External Risk”, OCEG* observe: “In most organizations today, the CFO plays a key role in ensuring that the organization can reliably achieve its objectives. Performance against objectives is not something that can be managed in isolation – it demands concurrent management of uncertainty and commitment to acting with integrity. This enables the achievement of what OCEG calls Principled Performance.”

Risks are deeply interconnected and increasingly complex. The World Economic Forum (WEF) report “The Global Risks Landscape 2018” identifies four key global risk areas:

  • Environmental risks, including climate change, biodiversity loss and pollution
  • Cybersecurity risks, growing in both volume and disruptive potential, such as attacks on infrastructure
  • Economic risks, including increased global indebtedness, limited policy controls and disruption from automation
  • Geopolitical risks, including weakened multilateral rules, rising tensions between nations, changing alliances and rising nationalism.

What the CFO needs to know and understand

The CFO must be able to answer four questions about managing externally driven risk:

  1. Does the organization adequately monitor and document information about external risk events and factors that have been identified as having a potential impact on objectives?
  2. Have those with responsibility for managing each risk or risk type and those in charge of business processes affected by such risks established a system of triggers, notices and reports to ensure that they respond to identified changes as needed to maintain strong risk management?
  3. Is there an effective method of mapping each risk to related objectives, related business processes, established controls and other relevant information?
  4. How can the organization best organize this critical information to ensure that it is agile and responsive to change in a way that enhances the reliability of the achievement of objectives?


The paper contains lists (which can be adapted to fit any organisation) of what to ask in four key areas:

  • Playsheet 1: External Risk Monitoring Questionnaire asks about methods of gaining information about external events/changes and current use of external services/software for each identified risk. This playsheet should be used to address the four key external risk areas of Economic, Environmental, Cyber and Geopolitical Risk. Users might also define additional or different risk categories and establish similar questionnaires.
  • Playsheet 2: External Risks Mapping Questionnaire asks about the mapping of each risk to related objectives, business processes, controls and notification triggers/methods. This may be used to gather information needed to maintain an overview, or to encourage such mapping activity in less mature entities.
  • Playsheet 3: Risk Monitoring Technology Selection Questionnaire asks about features to support external risk monitoring and analysis when reviewing software in use (internal or as a service) or evaluating new services/systems dedicated to one risk type or used across all risk types.
  • Playsheet 4: CFO External Risks Overview summarizes information gained from the two external risk questionnaires and additional information that the CFO should have to fully develop an overview of risk – sample data shows how the spreadsheet can be used to gain an overall view across the organization. This information might also be configured within a GRC risk management system.

* OCEG is a global, nonprofit think tank and community that coined the term governance, risk management and compliance (GRC).

CTMfile take: Invaluable questions, which will be useful regardless of whether you follow the questionnaires precisely.
