“What’s our biggest risk?” Why the answer is changing

Hosted by Neil Amato

Companies are still trying to find their way about 20 months after the onset of the COVID-19 pandemic. Their enterprise risk management (ERM) efforts were tested, as some risks were amplified and others emerged. Now, entities are trying to apply some of the lessons they learned along the way.

CPAs Mark Beasley and Paul Walker, professors who each direct ERM-focused centers at universities, discuss how risk management is changing, what organizations are worried about today, and how they can better manage risks moving forward.

Also, get updates on the formation of the International Sustainability Standards Board and these Journal of Accountancy headlines:

What you'll learn from this episode:

  • Details on the newly formed International Sustainability Standards Board.
  • The lessons organizations learned about risk management as a result of COVID-19.
  • How Heisenberg's uncertainty principle, created by a physicist, matters for risk management.
  • Why organizations' concern about talent goes beyond simply getting job openings filled.
  • News about inflation's effect on investment strategies and two FASB updates.

Play the episode below or read the edited transcript:

To comment on this episode or to suggest an idea for another episode, contact Neil Amato, a
JofA senior editor, at Neil.Amato@aicpa-cima.com.


Neil Amato: Welcome to the Journal of Accountancy podcast. We've got lots of information for you in this week's episode: News on a new global standards board, a conversation about key risks for organizations and advice about managing those risks, and more.

This is senior editor Neil Amato. We will get to that risk management conversation in a moment, but first is news from the COP26 conference, where the formation of the new International Sustainability Standards Board, or ISSB, announced Wednesday, is seen as a huge step forward in establishing reliable, consistent sustainability disclosures.

There are three key parts to this announcement in Glasgow, Scotland. First is the formation of the ISSB. Second is a commitment by organizations that focus on sustainability to consolidate into that newly formed board. Third is publication of prototype general and climate disclosure documents.

One of the leaders integral in the formation of the ISSB is Barry Melancon, president and CEO of the Association of International Certified Professional Accountants, representing AICPA & CIMA.

Melancon says establishing globally consistent standards signals "a new era in corporate reporting where the same level of rigor will be demanded for sustainability reporting as for financial information." That article will be linked in this episode's show notes, or you can learn more about it by visiting the custom link created just for our podcast listeners: tinyurl.com/ISSBJofA.

Next up is my interview with CPAs Mark Beasley and Paul Walker. Those may be familiar names to readers of our publications, as both have written recently on the topic of enterprise risk management, or ERM. We'll touch on those articles as well as a recent survey on ERM, and what Beasley and Walker are hearing from business leaders about the key risks they face and how they can better position themselves going forward.

Mark Beasley and Paul Walker, welcome to the podcast. Let's first talk about the roles that each of you have at your respective universities. I guess we'll go Mark first at North Carolina State and then Paul at St. John's.

Mark Beasley: Thank you and thanks for the opportunity to be on this. Again, I'm Mark Beasley, I'm KPMG Professor of Accounting and then director of the Enterprise Risk Management Initiative, which is a thought leadership center focused on ERM housed in the Poole College of Management at N.C. State.

Paul Walker: Excellent. Thank you, Neil, for having us on. My name is Paul Walker. I am the Jim Schiro/Zurich Chair of Enterprise Risk Management at St. John's University in Manhattan, in a great location in the village. I lead the masters and MBA in Enterprise Risk Management and also run a center for excellence in enterprise risk management there as well.

Amato: Yes, both of you run these risk-management-specific things as they relate to business, and that's one of the reasons that we're having you on today. Mark, your recent article for FM magazine, the headline, "Security Risk Management Wins From the Pandemic," makes some excellent points about the lessons that organizations can take and apply to business issues now, in 2022, and beyond. What are two or three of those key lessons?

Beasley: think most every organization has really learned some risk management lessons and we don't want them to leave the experience of 2020 and 2021 without really focusing in those and try to carry them forward as a benefit. A couple of them that come to mind is one, I think one of the things of the lessons of 2020, particularly early on, was the importance of pulling together multiple teams, getting multiple perspectives on an issue, that, when we first were dealing with the pandemic, it was all hands on deck.

Everybody had to come together to help us solve this. We needed functional areas coming together, so we broke down the silos. One of the things from an ERM perspective is to try to break down silos and get cross-functional conversations going about the business and the risks that we're facing. I think one of the benefits was we just brought multiple perspectives together quickly.

I think another thing we're trying to highlight there is to say there's been an element of communication, particularly just getting information. In a lot of cases, entities were particularly early on having daily calls of the management team, if not every other day, sometimes multiple times a day, but there's just a real flow of information, and it was a great exchange of information of what's happening in our business. That communication was there, which ties into my third benefit that's very related.

There was an element of transparency that I think we were more willing to talk about risk because we're all in this together and it was bizarre. I am saying was, it still is. That I think we're realizing that it's more complicated, that we've got to be open.

I think there was a willingness to share. Wow, we got a big issue here, and I don't know how to deal with it. We weren't hesitant to share that. It's bringing that multiple perspectives together, engaging in conversation and exchange of information, and then this cultural element of "I'm willing to reveal risk."

If we can preserve that going forward, it will have tremendous benefits if we can keep those pieces of the process in play that were forced upon us and happened by default maybe during the beginning parts, but have continued even through 2021 as we're still dealing with it.

Amato: Now, Paul, you've also written for publications. In the November issue of the Journal of Accountancy, you wrote about rethinking risk processes and employing newer tools. The first sentence to me says it all. "It is a noisy, risky world out there for organizations today." First, I'm guessing you probably could have written that statement before COVID-19 as well.

Walker: Yeah, let me just make a comment about that. I believe and I've been saying for a few years that we live in an incredibly risky and uncertain world. There's been hundreds of years of academic arguments, and not just academics but others, talking about is the world predictable, is the world completely uncertain?

Early people like John Knight, a famous economist at the University of Chicago, used to always say, "The world is completely uncertain." You get to modern-day area and right before what's going on now, we have this concept of big data, and AI, and machine learning. Everybody was telling me, "The world is totally predictable."

I think the reality is somewhere in between. It's still completely uncertain what we're learning more with new tools and new methods as well. But I tend to lean more towards it's uncertain, and there's a lot of evidence of that. Our good friends out of Cambridge also run a risk center. They do some really nice studies that show how wildly the market swings on a regular basis in different economies. There are a lot of things that say uncertainty is here; we don't always see it. As an example, Denise Garth has done this little graph that we used in a paper recently on the age of disruption.

What she puts together and we pick up on is, a lot of things have been happening in the last 10 years, right before COVID, that really set us up for disruption. You have dramatic cost of hardware and software following you, you had AI and machine learning, you had the iPhone exploding, we had the first platform businesses, you had the Twitter platform, etc.

But what happened in this age of disruption with all these little things creating this wave of disruption, we got hit with 2008. We got distracted for a while. We didn't realize there was all this disruption waiting to hit us again, and then we get ESG, and then we get COVID. Some of my board members say, COVID just amplified the risk we already had.

It may not have been a new risk. It amplified and accelerated all these weak business models and exposed risk that people really were dealing with, which is why I love Mark's comments, "We gotta break down these silos." Mark, I took notes. We've got to break down the silos. We've got to keep the communication going, keep the transparency going. I don't think we're done with living in a disruptive, uncertain world.

Beasley: I totally agree with what Paul is saying. And some of the data that we have. We've surveyed executives, and one of the questions we ask is, "To what extent is the volume and complexity of risks different today than five years ago?" We've asked that question for the last 12 years. Every single time, it's extremely, pre-COVID. COVID, it's still high, but to Paul's point, this has been an issue. COVID just revealed more of the exposure.

The other piece of that, too, you talked about innovation, Paul, the speed of that development, to me, the the accelerating, which triggers uncertainty even more so. Just the speed of change.

Walker: It's absolutely amazing. I did a talk not too long ago with a bunch of financial executives. I asked them, "What's your biggest risk?" This is just 400 people in a Zoom like this. I thought they were going to say COVID, but they actually said the business model, that we don't know the business model going forward. This was at the beginning of COVID they said that.

I think now we all understand what they're saying. People are still trying to figure out, are they coming back to the office? What's happening with the supply chain? What's happening in the macroeconomic world from one country to the other? The business model is the hardest thing and the biggest risk right now, at least that's what they're telling me.

Amato: What are some of the ways, this one for Paul, that organizations you think are getting better at managing all those risks that they face today?

Walker: Well, I think this is connected with what Mark said about the transparency, and the silos, and the conversation. There's Heisenberg's uncertainty principle that has been around from some brilliant person [physicist Werner Heisenberg] from maybe 80, 90 years ago now: You can't know a position of something and the momentum at the same time.

If the risk is moving, you can't really assess it. What you think it is if it's moving, is not what you think it is. I think COVID, and again, ESG as well, has made people realize we don't even know how big some of our risk are. Maybe we thought they were small, we thought they were moving slowly, but we don't even have some of the fundamentals of risk assessment down on some of the giant risks facing us.

We make an argument in one of our recent papers that we think this has implications for the chief risk officer, or the ERM leader, or the board trying to do risk oversight, and we argued that the toolset has to change. There's a certain set of tools you need to understand the wave of disruption and risks that are coming at you.

That's not the same toolset of "OK, now what risks do I have?" As I'm building my strategy and trying to build my next blue ocean or explore my next blue ocean, if I could pick up on that book, that's a different toolset. What we're saying is they're getting better by figuring out that it takes more and more sophisticated tools to understand and assess the risks and have the appropriate response.

Amato: Mark, you are the co-author of a survey report that the AICPA and N.C. State's ERM initiative have worked on, I guess for more than a decade now, and the most recent global version [has been] published. Perhaps you can give a sense of one or two of the high-level takeaways.

Beasley: Yeah, you're correct. We do the U.S. survey annually and then periodically every three years or so, we do it at a global level. This one highlighting that the state of risk management maturity, there's a lot of consistency and where we are around the globe for the most part.

But what is interesting is they're particularly struggling still to connect the risk thinking to their strategy thinking. From a strategy perspective, they're particularly trying to figure out how to better embed their risk and strategy together. That is true, particularly for organizations, even here in the U.S. as well as Europe and the U.K.

Sometimes we might think, well, maybe U.S. corporations are a little bit further along, and our data is not suggesting that. What the data is suggesting is, this is again perception of the survey respondents, but the impact of COVID has obviously impacted the world. But particularly, it's high for those outside the U.S.

There's a real noticeable bump-up of the perceived impact of how COVID has changed their risk environment and their business — it's strong for U.S. It's even stronger outside the U.S. But we're all trying to find a way to better connect how we integrate this risk process into our strategy decision-making, which is what you were saying, Paul, about the business model.

I think people are struggling. They're worried about their business model, but they're trying to connect, how do I think about it from a risk perspective? We see that consistent issue across groups.

Amato: For both of you, I'd like to hear your thoughts. Paul mentioned being on a Zoom and hearing the concerns about business model risk being a greater risk than COVID, but what are some of the other things you're hearing from CFOs, or chief risk officers, or other company leaders about the risks they expect to be facing in the next year and beyond?

Beasley: Well, I'll jump in with some starters, but clearly cyber is still on the list, and it will probably forever be on the list. It will just look differently as we move through time. But I do think what we are hearing is just the ability to be digitally savvy. I think that's where they're struggling because I think we've all now moved into this virtual world.

Those that were already digitally savvy had a head start at the beginning of COVID because they already had a pretty strong e-commerce platform. But there are others that are struggling to keep up with that, and they're really worried about talent. Talent specifically to help them manage technology and innovation.

Talent is a problem across the board. We're saying that all the time now, but we're hearing that talent risk, attracting people and retaining them as a challenge, is really a worry when they think about their ability to be innovative and technologically savvy and keeping that talent especially. And can they get people to think more out of the box?

Because, Paul, back to your innovation disruption that you were talking about earlier, I think that's the worry that we sometimes think we're the market leader in our industry and then we discover that my biggest threat is not even in the industry. It is some other player that's come up with this innovation that all of a sudden disrupts our industry. The innovation, the digitally savvy, and talent would be the ones that pop to the mind for me.

Walker: I'm going to agree with Mark on this. Right before COVID, we did a white paper on digital disruption. I think 90% of the people that participated in that project said digital disruption was one of their top three risks. Well, COVID hit us and just amplified and blew that up and made that such a reality.

I think that's what Mark and I are almost saying the same thing here. I've heard a slightly different look at it. I've heard some companies call it talent agility. Back to the first question, if I don't know the future and I'm not sure what it is, then I can't just tell everybody, "Go out and learn this digital skill." It may be a new digital skill.

I know one giant tech company that puts talent agility as far as their part of their annual evaluations. What did Mark learn that was new this year? Are we hiring people that have the ability to learn new skills rapidly because we don't know the future. I'm hearing a lot about talent. Certainly, COVID has made that more important, including even in the news today, digital disruption.

I'm going to get vague for a moment because I've just had some recent data on this. I'm hearing that boards are asking about legacy business models. They're bringing up, "Are we sure our business model is good?" I also saw that I think it's almost 90% of boards are asking about the unknown. That's cool.

Mark and I would say you should have been asking that question all along. But boards are now more open to not just the traditional risks, but they're asking about the emerging, they're asking about legacy models, and they're asking the unknown question, what are we missing? I heard someone say this a while ago, and it's so true. If you're 80% sure you know your risk, then you don't know your risk, I'm sorry. If you're 80% sure, that may sound good, but that means you really don't know what they are. I think everybody is trying to step it up. COVID, unfortunately or fortunately, has accelerated the pace at which they're trying to get better.

Amato: Mark, do you want to add anything to that?

Beasley: I was just going to add that the other thing I keep hearing a lot is we want better metrics. We're looking for better analytics. That's taking us into a more predictive, anticipatory radar system of all our risks. We've met key risk indicators for a really long time, but I think we're hearing now there's so much data capacity. We need to leverage this data more. I want to have a good information set that's forward looking. I think entities are still trying to figure out how to do that. But they would like to get there.

Walker: I think chief risk officers are probably underpaid then. I think they could be adding a lot more, and they probably will be as well.

Amato: I think that's a great spot to end on, but anything quick and closing you guys would like to add?

Mark Beasley: I guess the point I always like to end a presentation a lot of times is, risk management is not getting easier, it's getting more important. I think the more that we can get people to buy into that, the better.

Amato: Again, that was Mark Beasley and Paul Walker. We appreciate their time on the podcast. In other news, Paul Bonner has a personal financial planning article that addresses how investors can protect against inflation. The article shares how CPA financial planners feel about this year's nearly 6% inflation rate and what it could mean for investment portfolios.

Ken Tysiac writes about two FASB-related news items. First, FASB addresses contract assets and liabilities acquired in a business combination. Second, a proposal issued on Nov. 1 by FASB would amend interim disclosure requirements in financial statements. The proposal would update Topic 270, Interim Reporting. Comments on that proposal are due by Jan. 31, 2022.

That's our episode for this week. We will link to the articles mentioned in the show notes. A reminder to subscribe, rate, and review our show wherever you get your podcasts. Thank you for listening.