How much money should a CFO spend on risk management? The question is akin to an individual asking herself “How much insurance is enough?” or “How much should I be saving?”
The (unfortunate, unsatisfying, all-too-common) answer to these questions is: it depends.
Just like the individual thinking about her medical needs, her goals for retirement, etc., there are a whole slew of factors that the CFO needs to think about before approving the annual risk management budget.
One question can help frame thinking: “What is the cost of NOT managing risk appropriately?”
This question is unique to each business, so it can be helpful to consider several other questions to triangulate on a perspective:
What kind of business are we in?
What kind of personally identifiable information (PII) or sensitive data do we handle?
What is the regulatory landscape of our industry?
How complex are our risks?
What are the likelihood and impact scores of our risks, both individually and in aggregate?
And of course, these are just a start. The specific considerations will be unique to the company and industry. Identifying those considerations is the risk manager’s job, and it’s up to the CFO to hold him or her accountable. Every function and technology must undergo financial review, and the pressure to show ROI is immense. Yet many managers struggle to identify, articulate, and quantify returns—especially since risk management projects typically don’t have end dates or clear metrics for success.
The Critical Question
With these difficulties in mind, the most important question really becomes: “How do we, as an organization, go about determining how much to spend on risk management?”
The methods here are just as important as the results. The process enterprises undertake to identify and mitigate risk should incorporate business considerations from the very beginning, so proper analysis of the risk management program and associated expense can take place.
This step can begin with a review of strategic objectives, followed by analysis of how risk management tactics tie to them. Risk managers should think about real dollars and actual business impacts if they want to calculate both the costs and, more importantly, anticipated returns of projects they want to undertake. This is the way to keep expenditures in line with the goals of the program.
This exercise is critically important for the simple reason that many, many factors determine risk management spend. The method needs to allow for flexibility. Risks will emerge, expand, fluctuate, and disappear, all the time. Operational efficiencies should improve over time as well, but the bottom line is that effort and resources needed to stay ahead of risk will always be moving targets.
The method can be turned into a framework that helps put up some guide rails around the program and its expenses. Creators of the framework might start by breaking risk management down into technical needs, compliance policies and procedures, physical policies, and products necessary to run effectively—among other pertinent considerations.
Once a baseline framework is in place, it should include continuous monitoring against predetermined KPIs to ensure the program is having its intended effect. This helps the organization validate the intended benefits, or make a course correction as needed. It also allows for adjusting spend to account for levels of risk exposure that might be outside of what is deemed acceptable. Managers may even find they can spend less and still realize the same risk levels. The point remains: the level will not be static.
Benchmarking is Useful—But Only for Context
Given the inherent ambiguity, it’s natural to desire some reference points for determining level of spend. After all, the last thing CFOs and risk managers want is to lag their peers—and then experience some adverse event. It only compounds the pain.
Recent research reports provide some context in terms of how much organizations are actually spending on security and risk management. According to CIO.com’s 2019 State of the CIO survey, which polled 683 executives across a wide range of industries, nearly one quarter of organizations (23%) are devoting 20% or more of their IT budget to risk management and security measures. While these figures are specific to information technology, they’re illustrative of the larger trends in risk management spending.
The report also reveals the roles that outside influences play in spending decisions—which usually aren’t tied to some cost-benefit formula. Among the factors that determined spending are industry best practices (74%), compliance mandates (69%), responding to a security incident that happened to the organization (35%), mandates from the board of directors (33%), and responding to a security incident that happened to another organization (29%).
A caveat: simply plugging the preceding numbers into a risk management budget is a recipe for disaster. CFOs must consider their own circumstances and objectives, not some industry average. That said, few organizations have the luxury of deciding what to spend entirely on their own. Most companies face regulatory requirements, customer expectations, or partner demands that dictate spending to some degree.
Knowing When Enough is Enough
At some point, additional spending will yield diminishing returns, and throwing more dollars at risk management won’t meaningfully reduce risk exposure. Companies need to identify the point at which each additional dollar spent buys only a marginal reduction in risk.
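The budgeting logic the article describes (likelihood and impact per risk, aggregate exposure in real dollars, and the point where further spend yields only marginal risk reduction) can be made concrete. The following is an added illustration written for this page, not a model from the author or the eBook; every risk, control, cost and percentage is a constructed sample value, and the stopping rule (fund a control only while it avoids at least one dollar of expected loss per dollar spent) is an assumed threshold, not a standard.

```python
"""Illustrative risk-spend model: expected loss per risk, aggregate exposure,
and a stopping point for diminishing returns.  All figures are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float   # annual probability of occurrence, 0..1
    impact: float       # loss in dollars if the event occurs


@dataclass(frozen=True)
class Control:
    name: str
    risk: str           # name of the Risk this control addresses
    annual_cost: float  # dollars per year to run the control
    reduction: float    # fraction of the risk's remaining exposure removed


def expected_loss(risk: Risk) -> float:
    return risk.likelihood * risk.impact


def aggregate_exposure(risks) -> float:
    return sum(expected_loss(r) for r in risks)


def plan_spend(risks, controls, min_return=1.0):
    """Fund controls greedily by expected loss avoided per dollar and stop at
    the first control returning less than `min_return` dollars avoided per
    dollar spent.  Returns (funded names, budget, loss avoided, residual)."""
    residual = {r.name: expected_loss(r) for r in risks}
    remaining, funded, budget, avoided_total = list(controls), [], 0.0, 0.0
    while remaining:
        # Re-score against *residual* exposure each round, so a second control
        # on an already-treated risk shows diminishing returns instead of
        # double-counting the same dollars of loss.
        best = max(remaining,
                   key=lambda c: residual[c.risk] * c.reduction / c.annual_cost)
        avoided = residual[best.risk] * best.reduction
        if avoided / best.annual_cost < min_return:
            break  # every remaining control costs more than it saves
        residual[best.risk] -= avoided
        funded.append(best.name)
        budget += best.annual_cost
        avoided_total += avoided
        remaining.remove(best)
    return funded, budget, avoided_total, sum(residual.values())


RISKS = [  # constructed sample register
    Risk("customer PII breach", 0.10, 4_000_000),
    Risk("ransomware outage", 0.20, 1_500_000),
    Risk("vendor SLA failure", 0.50, 50_000),
]
CONTROLS = [  # constructed sample candidates
    Control("DLP + encryption", "customer PII breach", 120_000, 0.60),
    Control("offline backups", "ransomware outage", 60_000, 0.70),
    Control("second vendor", "vendor SLA failure", 40_000, 0.80),
    Control("dedicated SOC", "ransomware outage", 400_000, 0.25),
]
```

With these figures the model funds backups and DLP for $180k, avoiding $450k of a $725k annual expected loss, and declines the last two controls because each would cost more per year than the loss it removes.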
In the end, it’s impossible to determine the exact payoff of risk management. After all, who is to know when millions of dollars are saved because one specific risk didn’t come to fruition? How can a company know when a data breach was avoided? It can’t, but it must rest on the belief that the money it spent on avoiding these was money well spent.
Check out our new eBook, Assessing the Costs and Benefits of ERM: An Inquisition