​​​​Deloitte Suggests Finance Needs to Consider Risk in Planning, Forecasting, and More

Comments Views

​A new piece from Deloitte, FP&A: What's risk got to do with it?, addresses a topic I have been pushing for quite as well — although not as well as I should have.

Deloitte suggests, correctly, that when the Finance team (specifically, the Financial Planning and Analysis team) develop budgets, forecasts, and more they are not paying sufficient attention to risk — the uncertainty inherent in their analyses.

They capture the essence of the issue:​

"Part of the problem is that financial planning and analysis (FP&A) has not changed fundamentally from the way it was done 10 years ago, despite the onslaught of new and more-strategic risks. Moreover, there still appears to be very little process integration across risk management, strategic planning, financial forecasting, and budgeting—integration often considered vital to addressing the speed and range of risks many companies face."

"…..current FP&A processes are often still woefully inadequate. Granted, many companies typically incorporate "safety buffers" into their forecasts. But safety buffers tend not to have been linked explicitly to the drivers of risk and volatility."

"In fact, some common problems in today's current FP&A processes include:

  1. Static view. Traditional forecasts and plans typically use single-point estimates and metrics with little or no discussion of risks and possible variances, and without showing correlations among multiple risks.
  2. Guesses rather than facts. Forecasts are often developed by aggregating best guesses from across an enterprise without focusing on risks that could have a major impact on performance, such as competitor actions, talent shortages, cost volatility, and regulatory pressures.
  3. Inadequate stress testing. Many companies don't normally stress test their forecasts, and when they do, the efforts tend to be limited and focused on a single generic parameter such as price, demand, or input costs."

Deloitte suggests "risk-adjusted forecasting." I would extend that to risk-adjusted everything.

The CAE of General Motors, Brian Thelen, told me that his CEO asked that his management team consider:

  • What has to happen to accomplish our goals?
  • What do we have to avoid or mitigate if we are to achieve our objectives?

If you took each of these questions and used risk management thinking to adjust your planning, I believe your results would be not only more certain but improved.

Another way of thinking about this is to consider that there are assumptions in every plan or forecast (good things will happen and bad things will not). Have we assessed the likelihood of that assumption being realized and the potential effect if it is not? What is the likelihood that it will be off by 10%, 15%, 20%, and so on.

Shouldn't we adjust our presentation of the forecast to reflect its uncertainty?

But we have to do more.

Deloitte stops at the risk-adjusted forecast. But, effective management means that we take each of the uncertainties and decide whether we need to act — either to increase the likelihood of a good thing happening (and/or its effect), or to reduce the likelihood of a bad thing happening (and/or its effect).

Risk management doesn't stop when you identify and assess a risk. It continues to include how you ensure risks are at and remain at acceptable levels.

I welcome your views and comments.

​The opinions expressed by Internal Auditor's bloggers may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers' employers or the editors of Internal Auditor. The magazine is pleased to provide you an opportunity to share your thoughts about these blog posts. Some comments may be reprinted elsewhere, online or offline.



Comment on this article

comments powered by Disqus
  • Your-Voices-Recruitment-January-2022-Blog-1
    • IT-General-Controls-Certificate-January-2022-Blog-3





    A Risk Assessment Tool for Auditors and Risk Officershttps://iaonline.theiia.org/blogs/marks/archive/Pages/A-Risk-Assessment-Tool-for-Auditors-and-Risk-Officers.aspxA Risk Assessment Tool for Auditors and Risk Officers
    Audit Committee Priorities Remain Risk, Compliance, and Technologyhttps://iaonline.theiia.org/blogs/marks/archive/Pages/Audit-Committee-Priorities-Remain-Risk,-Compliance,-and-Technology.aspxAudit Committee Priorities Remain Risk, Compliance, and Technology
    Is There Value in the Term "GRC"?https://iaonline.theiia.org/blogs/marks/archive/Pages/Is-There-Value-in-the-Term--GRC.aspxIs There Value in the Term "GRC"?
    Building the Audit Plan Around Assurance on Governance, Risk Management, and Related Controlshttps://iaonline.theiia.org/blogs/marks/archive/Pages/Building-the-Audit-Plan-Around-Assurance-on-Governance,-Risk-Management,-and-Related-Controls.aspxBuilding the Audit Plan Around Assurance on Governance, Risk Management, and Related Controls