Finance Monthly December 2019 Edition

management strategy accounts for this need for flexibility. The bottom line is that risk is hard to predict, making it crucial to continuously improve the process.

Create a Comprehensive Plan

Deciding the dollar amount to spend on risk may seem like a guessing game, but breaking it down into categories establishes a clearer picture of where the highest potential risks are. A risk management budget may be broken down differently depending on the needs of the business, but it’s beneficial to first divide it based on technical needs, compliance policies and procedures, and products necessary to run effectively. Once this basic guideline has been established, more specific expenditures can be laid out. Any good risk management budget leaves room for regular monitoring and constant correction. The spending should be adjusted consistently to account for changing levels of risk exposure.

Reference Points are Beneficial - But Only as Framework

As a result of the immense uncertainty surrounding risk management, it’s understandable that many CFOs use benchmarks to compare their spending to others in their industry. This gives CFOs the framework they need to prevent the company from falling behind competitors or overlooking security risks that could easily be averted. While these reports can be helpful in getting a general idea of larger industry trends, they don’t provide sufficient information to create a plan unique to an individual business.

As reported by CIO.com’s 2019 State of the CIO survey, nearly one-quarter of organisations (23%) are allotting 20% or more of their IT budget to risk management and security measures. This report surveyed 683 executives across a variety of industries and breaks down how this budget is typically spent.
The findings suggest that the majority of the budget is spent keeping up with industry best practices (74%), followed by compliance mandates (69%), responding to a security incident that happened to the organisation (35%), mandates from the board of directors (33%), and responding to a security incident that happened to another organisation (29%).

Assessing industry reports can provide insight into how other companies are addressing their security risks, but basing numbers entirely off of industry averages is not an adequate method. CFOs must be aware of how their company may differ due to specific circumstances or goals. Many companies must abide by other factors such as regulatory requirements, customer expectations, and demands of partners.

Don’t Overspend

While it’s important to have a holistic budget that includes every area of potential risk, spending too much on risk management can do little to actually impact risk exposure. It’s crucial that companies identify the defining amount where additional money isn’t justifiable for reducing risk. This point, where investing more yields minimal results, can be difficult to determine for risk management. It’s impossible to know if a specific risk might be avoided one year but arise next year or in the following years. Not accounting for a specific risk is a costly mistake for any business. Rolling the dice and hoping that something is avoided isn’t a long-term strategy for risk management.

Both under-budgeting and over-budgeting for risk can be detrimental. Finding a balance by preparing for the worst while also being careful not to overspend on unlikely scenarios is the best approach to feeling confident in your risk management strategy.

About Kevin Jacobson

Prior to his role as CFO of LogicGate, Kevin worked with innovative software companies in various contexts—as a VC investor, an investment banker and a software executive.
Kevin is passionate about using his deep financial skillset to deliver value to LogicGate’s employees, customers, and investors. He prides himself on bringing a customer- and product-focused mindset to the back office. Website: https://www.logicgate.com/
