BeansTalk

Capitalizing on Risk: Turning Uncertainty into Strategic Advantage

Mauldin & Jenkins Season 1 Episode 5

Uncertainty isn’t just a threat, it’s an opportunity. In this episode, we explore how business leaders turn risk into strategic advantage, with practical insights on navigating change, uncovering hidden value, and building resilience.

About Our Guest
Craig Carter is a director with Mauldin & Jenkins, LLC. Craig is a business leader and advisor with 39+ years of experience, most recently leading Internal Audit Executive Services (IAES) to help organizations strengthen risk coverage and internal audit effectiveness.

About Our Host
Brandon Smith, CPA, is a Partner based in the Atlanta office and the Advisory Practice Leader.

Speaker 01:

Welcome to Beanstalk, M&J's podcast where we are sharing and showcasing our areas of expertise through conversations with practice leaders on their knowledge and experience. As business leaders, we're always mindful of managing risks, especially emerging risks that can impact our strategic plans. And that begs the question, how do we maintain growth in an environment of so much uncertainty? And that's the topic of today's episode. For today, I'm very excited to be joined by Craig Carter, who's the Managing Director of our Risk Advisory Practice. Craig, thank you so much for joining me today.

Speaker 02:

Thanks for the opportunity, Brandon. I appreciate it.

Speaker 01:

Now, Craig, for our listeners, will you do me a favor and just give some context around your background and experience.

Speaker 02:

So I'm a recovering internal auditor who spent the first 20 years of his career on the industry side. And I was in roles that terminated and chief audit executive, vice president of quality, enterprise risk. So I was always in the risk advisory space and in the finance space. And then I switched over in the last 19 years to, I was in public accounting in the last few years and as an independent consultant, but in all the times is working with risk, primarily enterprise risk management and internal audit.

Speaker 01:

Well, and Craig, your background and current experience is just going to be so critical to today's discussion where we're navigating just kind of a lot of uncertainty going on right now in the business world. So I'm curious, just out of the gate, kind of what you're hearing right now while interacting with business leaders as they're just trying to, you know, stay on top of their strategic plans, continue growth but also be mindful of just what's happening beyond their control?

Speaker 02:

The most frequent quote I get is that I'm frozen in place. I do not know what to do next. There's so much uncertainty on so many levels. If you look, for example, in the nonprofit sector, threats, immediate threats to funding sources. If you look in the banking sector, financial services sector, you have ongoing consolidation. You're not sure of how the regulatory framework is going to change. You know what's going to change, but still you have an exam coming up that you have to address. So in my mind, when they say I'm frozen in place, what they're saying is I am faced with emerging risk. I don't have the answer to this in my strategic plan. I don't have the answer to this in my mind. I don't, nevertheless, do I have it rippled in to my processes, to the people, how it's going to affect my processes, my people, my technologies. And they're saying, all right, which way do I go? How do I respond to this and what is it going to do with my plan, my messaging, and how much of my strategic plan I'm going to be able to achieve to maintain the growth I have. So the first thing that comes to my mind is, do something. Staying frozen is not an option because we all know how that would work out.

Speaker 01:

Yeah. And that's kind of an unfortunate reality, though, that, you know, business leaders are feeling that way, but it's completely understandable. So something I kind of wonder is, and I have that feeling that right now I'm frozen in place and I'm just trying to get, you know, a temperature on the room and just really a good sense of what's happening, largely beyond my control, but trying to bring that into what I can control and how that impacts my plans as a business leader going forward. You know, something I can't help but ask myself is, you know, was this because I failed at some point along the way to get to this stage? Or is this just a natural thing that's just going to happen and I need to experience and plan for next time? Or is this just something that is going to be a part of me being a business leader and to be mindful of? I guess, what's your sense on that? Am I frozen in place because I failed?

Speaker 02:

No, you're not frozen in place because you failed. What has happened is that risk that you had not anticipated has entered the equation from the outside. And now they're coming in and, you know, think of your business as producing fruit. Now some of your fruit is being damaged and is bruised. So how do I respond to that? What steps do I take? And in times of uncertainty, I think at the C-suite, you know, in my experience, the better CFOs, the better CEOs, chief operating officers, they do, they take a step back and they do what I would call a step back analysis and say, how are these current conditionings, additions, these factors, this emerging risk, going to impact my business? How is it going to impact my people? How is it going to impact my processes, the investments I had planned and the technology I was planning to put in or the technology I use to deliver now? So I think all of that is part of a step back analysis and whether they're doing it consciously or unconsciously, they are processing and coming up with strategies to adapt. Organizations that think through that in the most disciplined way. They're able to articulate that and adapt those needed changes into their vision, operationalize it through their strategic plan, and integrate it into their service delivery. Risk becomes a great advantage because it also creates the flip side of risk is opportunity.

Speaker 01:

And I love, too, that idea of adaptability. Because I think that's something that, as business leaders, we're used to having to be adaptable. That's kind of something that we've been good at to get to where we are as business leaders. And this is another situation like that. The emerging risk is just another area where we need to be adaptable.

Speaker 02:

Exactly right. The way I think it, and when I think about design principles about an organization, not that I get to design organizations, but one of the primary criteria I think about is organizational agility. So what does that mean? That means the ability to change and to adapt to changing circumstances, both from a strategy standpoint, from how I operationalize that strategy, all the way down to the foundational elements of my business processes, the people I hire and am trying to retain and create a good work environment for, and the technologies I use to deliver services. So to me, it's all now in a mix of metaphors, unconsciously and unforgivably. But to me, it's like a spider web. An organization is an organic thing that has to be sensitive to changes. And a change, an emerging risk, pings that spider web and the whole thing vibrates and the spiders respond to the vibration and take specific actions to maintain their cycle of life. And I think that's all it is for an organization. So no, CFO, CFO didn't invite this change. They couldn't anticipate this change. But what they are accountable for doing are the responses to that change. And in creating the capabilities of making that organization adaptable.

Speaker 01:

Yeah. And so right now, when we're talking about just operating in the world of uncertainty, being mindful of risks, especially emerging risks, and then ensuring we're adaptable to that environment. I really like that example of the spider web. So what I'm kind of hearing is, you know, it's important that we adapt right now. And additionally, that we're creating and fostering an environment of adaptability at our enterprises.

Speaker 02:

Yes.

Speaker 01:

So how do we do that?

Speaker 02:

Well, to me, that's a great question. Thank you for, I think you're setting me up with that question. From my standpoint, and this is an individual who has spent his career basically dealing with risk and thinking about risk and developing processes that optimize the opportunity to manage it. So that's who I am. That's what I do. I'm a recovering internal auditor at heart. When I think about risks, my mind goes to different categories of risks. And I'll talk about the COSO framework for a minute. You have strategic risk. And of course, that example is in your strategic plan. That's kind of the top of the pyramid associated with how you capture strategic risk and turn that risk into value for your organization. You have operational risk. That's your business processes, the people that manage it. You have legal and regulatory risk because you've got to operate in a legal and regulatory environment, especially in your financial institution or even in a private institution where you're dependent upon state grants and are dependent upon other funding sources. And the last piece is financial risk. So I immediately think along those dimensions, and it starts in my mind with that strategic plan. And what changes do I need to make? Take a step back analysis. Look at where can I make the investments or where I can't make the investments now because of changed circumstances. How do I articulate to my organization how we prioritize this and how I refocus energy in maybe a different quadrant than I started with? And then how I embed that into my business processes and my customer touching processes.

Speaker 01:

It's really helpful for me the way you kind of illustrate that to the different kind of dimensions of risk, the strategic to the financial. Now, when it comes to kind of thinking through that, what you were just getting to is it's not just about understanding the risks. It's about responding to them, bringing them into the institution. How are we reacting to these risks? So for me as a business leader, trying to kind of get my arms around this concept, what are some suggested first steps you have for me to kind of take this journey to ensure that I'm mindful of the risks of today from strategic through financial and adapting to those, but then further just kind of building that agile organization.

Speaker 02:

Yeah, this takes me to ERM, which I view at a more strategic plane, if you will, because it's dealing with emerging risk, existing and known risk, and then define risk across that spectrum. And the first thing I have to do is analyze the threat, and then I have to evaluate that threat against my business plan and against my operations and against my people plan and my communication plan. I mean, that's the way that I think about it. Then I have to extend that to the regulatory environment, because it's obviously very important, has to be factored in and has to be addressed. So step back analysis, evaluation of the strategic plan. And then the next question I ask myself is, all right, now I've identified a risk. I've done some assessing. Who owns that risk within my organization? And in the current environment, because it's emerged, there are no assigned owners. And my experience is that what's not assigned, what's not identified, and what is not managed won't be managed. So I then have to say, all right, what resources are available to me in my organization to adapt to this? Who does it impact? I need a risk owner and I need somebody to think about how that risk articulates itself through my business processes, through how I manage my people and how I deliver my services. So to me, that process is operationalizing the strategic plan. And I just this week met with three or four business leaders that really came down to this question. How do I adapt my strategic plan? How do I redirect it? And then how do I operationalize it so I don't send panic through the organization, but give them focus and direction to deal in uncertain times? Knowing that it could still branch and move in two or three different ways as it continues to evolve and emerge.

Speaker 01:

And that's something, you know, you introduced that concept of enterprise risk management, you know, ERM. And I think that's a term that most business leaders have encountered and experienced to some extent. And I think some ways when it gets introduced, it's kind of philosophical. Just, you know, sitting around a table as business leaders, thinking about what could go wrong scenarios and imagine risks. At the start of the conversation, you even kind of gave an example of my fruit's already been bruised. Yes. You know, I'm not just doing enterprise risk management for the sake of thinking about what could go wrong. Something's not going right currently.

Speaker 02:

And what am I going to do about it? And how am I gonna mobilize my people, my organization, my processes to manage that risk because what's happened has been introduced in the environment. Like a spider's prey hitting the spider web, there has to be a response and it needs to be a measured response in the right direction that is consistent with my business purpose, my business mission, my value proposition, my brand promise, who I am as a business in my stakeholders' eyes, and how I then marshal those responses, those resources to respond. So, and again, I guess I'm a reductionist at heart, because when I think about it, I think, I'm an internal auditor. I think about, here's a risk. All right, how do I respond to that risk? How do I, what do I need to do, actions do I need to take to put a control in place that at least assesses its impact. Those are the what can go wrongs and the controls address the one and mitigate those what can go wrongs. And then last, how do I embed it into my business processes, into my technology, into the actions of my people so that it's reflexive? So it moves like a muscle and not like a mechanical robot.

Speaker 01:

And when it comes to kind of that response, the risk and developing those, you know, institutionalizing those best practices and the controls. You know, we kind of start the conversation too about how our objective is to maintain growth in an uncertain environment. And when I think about, okay, going through and institutionalizing these practices to be able to monitor risks, respond to them. You know, you even used a term earlier about adding value to the organization. I want to be honest, I kind of just start thinking about dollar signs of costs of adding more bureaucracy to my organization.

Speaker 02:

Which is the biggest impression that most of the C-suite have about ERM, because it can be perceived as being very process-driven and very mechanical, when in reality it's not. Because at the end of the day, a business strategy and a business operation is about being relevant. If you're not relevant, if you're not able to adapt to those changes in an organic way, you will not experience business growth, period. You'll grow static. Your business model will, once it becomes irrelevant, you are now renting videos along with the kids that are selling lemonade instead of having a business that continues to grow and introduces new channels, new revenue streams, new opportunities. So even in the internal audit side, you have a decision to make. Now, I'll talk a minute about how that affects internal audit plans and what C-Suite should be seeing. But the decision is this. Either I am going to, on one hand, it's a spectrum. On this hand, I'm going to protect stakeholder assets. So that really is a follow policy and procedure. Have the controls in place. Make sure that the what could go wrong about leaking money or not delivering services are covered. On here, it's value creation. How do I take my charter as an internal auditor or as an enterprise risk management leader, a chief risk officer, how do I create value so that I manage risk to capture the value side of the opportunity that comes with emerging risk. What does that look like? How does that get articulated? And how is that value creation captured and measured down to the bottom line? So as a chief audit executive in industry, as a case in point, I was worried about those emerging risk but not only about mitigating the risk, but how do I take advantage of those risks that become a strategic advantage to my business that is aligned against my value proposition.
And I think the successful C-suite sees that, knows how to assess it, instinctively and some sort of mental algorithm are able to communicate that set of activities working with their leadership team and spread it through their organization. And the people that do that best maintain long careers in place and the business continues to thrive in sustainable ways.

Speaker 01:

Well, and what you said moments ago, maintain relevancy. You know, I think that's something, you know, on all of our minds, we should probably wake up every day and think about, am I relevant? Right? Yes. And what you were just describing in terms of understanding the risks and then turning that into your advantage.

Speaker 02:

You know, that reminds me of a story. I've got to tell you this story. So I come from a rather rural background in Louisiana and Arkansas. And my great-grandfather, my father was a minister, and he, my great-grandfather went to see his graduation. And he was going to fly on his first plane into Dallas, Fort Worth area. And so my dad met him and said, well, you know, granddad, how was the flight? And he said, you know, the flight was good. They had coffee. But you know, Sonny, I never put my full weight down on that plane. And when I think about that story, that resonates to me because in the C-suite, you have no choice but to put your full weight down. You have to make a call, and you have to articulate that call, identify the resources that are going to deliver it, and figure out how it's going to be communicated to the organization and operationalized in the organization. So at times of uncertainty, at times of newness, in emerging risk, I keep in my head going back to my great-grandfather on the plane thinking that there's a way not to put your full weight down when he's sitting in that chair. And the reality is there's not. There's simply not. So better to admit it and then say, okay, I'm going to put my faith that the right processes and controls are in place that get this plane to the ground and then decide how I'm going to respond.

Speaker 01:

And for those of us who are looking to do that, I guess when we're talking about sort of institutionalizing some of these practices and giving ourselves a position to where we have more confidence to put our full foot down, what size organization are we talking about here? Like, is this a big organization? Like I'm talking like a fortune one company who has a whole functioning internal department and ERM department, or, I mean, what's the right size for me to when I can really start thinking about these things and start to turn these risks into my own advantage and give me increased confidence to help pivot and impact my strategic plan.

Speaker 02:

In my view, there is no size. In this case, two comments. Size doesn't matter. And one size doesn't fit all. But I think down to the very most entrepreneurial business that has the most ability to be agile because they don't have thousands of troops. But these risks occur whether you're running your family's plumbing business, which may only be three brothers and a set of cousins that are making the sales car or their HVAC business that would be similar, or you move up the size of business like a bank. That bank may have 500 million in assets. They're growing towards 750 in assets. They may have to worry at some point here in their future about FDICIA and other regulatory changes which create or demand a different governance structure and a different set of controls. So all of these businesses are being hit with current regulatory environment, your current way of doing business, and these existential threats to relevance, to value proposition, to dropping that down to the business line. So in my mind, it's not about, all right, I don't worry about this if I have a 50-person internal audit shop. I guarantee you that a CAE, chief audit executive of a 50-person audit shop, is thinking about emerging risk all the time and is an internal audit plan. And I'll give you an example. So in the internal audit world, you do a risk assessment at the beginning of the new, at the end of the fiscal year, going into the new fiscal year. It's really driven by the completion of the strategic plan. And what do you look at? You look at the strategic plan. Where am I going to make the investments? I look at the regulatory environment. What has changed or is changing on the next, the last time period since I've done a risk assessment? And what I'm doing is I'm creating a risk universe that I look at from inherent risk. Very simply, what can go wrong? Then I have to make a call. I say, what is my business? What are my processes? What are my people? What are my technology?
I overlay that risk universe and I develop an audit universe. And that audit universe consists of where I have controls and I'm able to evaluate the residual risk. Now it's residual. And then I build an annual plan. And then I build the annual plan. I take the time to go sit with the audit committee, get it approved. I get my CEO on board. I get the C-suite on board, my process owners, my control operators. They're all aligned. And what happens next? COVID hits. What happens next? You have a 2000, what year was it? 2008 sea change. I believe what's happening in the current environment will continue to develop and may even be as significant as those two events. It may be more because we're talking about something global that's going on. And as a result, I'm going to have changed my plan. How much adaptability and flexibility did I build in my plan? Do I have, did I reserve enough audit hours that I can shift from what I had planned to do in my normal three years of exercising three annual plans in a row to be able to address that emerging risk, to look at our response, to look at how it impacted my business and keep that third line of defense relevant, because it has to be relevant to changing business environments. So it's not just about enterprise risk, which operates more at this highest aggregate risk level. And it has processes and risk owners. It's also about your independent, assurance, how that has to be adaptive to the situation and can be applied in my experience. And the people that do that best take advantage of maintaining their level of assurance, increasing their risk coverage while maintaining their cost of compliance. And that's an algorithm that you know, most CAEs have to think about because they're not going to say, hey, guess what? I'm going to give you a couple more million and have another 30 people. That just doesn't happen. And it doesn't happen operationally in the business either.

Speaker 01:

That's exactly right. And I like how you kind of framed and illustrated that overarching environment where we have kind of our universe of risks, just what's out there facing us. And then already we kind of have what exists today in our enterprises in terms of how we're responding to those risks.

Speaker 02:

Yes.

Speaker 01:

And it's just kind of looking at that overlap. Look at the coverage. Where do we currently have coverage? Where do we lack coverage? Is that important? But being mindful of tomorrow might bring a new day and we need to revisit that. But that kind of concept applies to organizations of all shapes and sizes. But as you said earlier, it's not a one size fits all.

Speaker 02:

And it can't be.

Speaker 01:

The universe of risks is different for a very large company to a small company. Therefore, our response to it, it's fine that it's different, but still being mindful and proactive in thinking about it.

Speaker 02:

Exactly right. For example, let's say that I'm successful and I gain for the firm a new client. I think I know what I want to do because I've done it several times, but I almost have to stop myself and say, wait a minute, I need to understand first their vision for this function. Really fundamental things. What is your vision for the function? What role do you want that function to play? Is it more tilted to the value creation side or is it more tilted to the value preservation side? How do you want it to function with your compliance group, with your legal group, with those processes, those second-line processes that are already in place? And I have to think through all the stakeholders and ask the right questions of the right stakeholders. Now I shift from a chief audit executive seat into a CEO seat, and I'm completely overwhelmed. Why? Because it's a broader array of stakeholders with a lot bigger stakes. I got a whole board that I need to work with and manage. I have my organization are part of my stakeholders. My financial institutions outside of my business are stakeholders because I've already borrowed money and I have stakeholders that have bought my stock. So when I... I imagine what's, and I haven't been the CEO of anything but my family, and my wife would correct me about that, but it's large in and of itself, but she's actually the CEO. But when I think about all those dimensions and what must be going through their mind, they have to be going through the filters of how is this going to affect my stakeholders? How are my actions going to be evaluated by those stakeholders? And who am I accountable for? And manage that process just as closely.

Speaker 01:

Well, and as me, as the business leader at my organization, is this all on me? Is there– if I'm not big enough to where I have a separate internal audit department, you know, a second line, a third line, and I don't have a big ERM practice, and really getting a sense of these risks, making sure we're agile enough to respond to them, being mindful of pulling them into my strategic plan to turn them into opportunities and not just things that are going to make me irrelevant. What kind of help can potentially get in this area?

Speaker 02:

I love that question. All right. And I'm going to go immediately to the smallest organization. I'm three brothers. I got an HVAC company and refrigeration as a side business. Maybe I do ice delivery and have a revenue stream associated with ice machines. I have a strategic plan, whether it's written down or not. So one of the things is to think through all the aspects of how you're running the business in the current environment. What's your value streams? Where are you looking for that cash? And whether it's written down or not, you've got to process any change that's impacting that environment. So my argument is you're dealing with risk. Whether you're writing it down in a formalized way, whether you have armies of CPAs and IAA certified internal auditors to go address it for you, it really is irrelevant because it's impacting your business and you have an accountability as a business owner to think through that. So in my mind, the formality of it, the size of it really doesn't matter. I view it more as a business mindset. And I'll give you another example. Let me switch over to the public sector. Right now, and I'm not the one that has coined this, I see a lot of noise in the journals that I read and the media about the blurring of the private and public sectors. And I think about that, you know, if I were, let's say I'm leading a nonprofit and I am dependent on a revenue flow that's coming through the state and maybe coming from the federal. I have to be thinking that there may be changes in that revenue flow. And I have to be thinking through that there has to be a response to that. And this dollar is going to have to be replaced with another dollar. And if there was one thing that I would say is that I believe that going forward, if there is a blurring, let's just take that as a hypothesis. If there is a blurring, then that business mindset of learning how to assess that risk, articulate that risk and respond to it, it's going to be need to be finer tuned.
We can help you do that. Please call me and I will introduce you to wonderful subject matter professionals that know the inside out of your business sector, regardless of what it is. But in times of uncertainty, that tuning needs to be finer. That articulation needs to be finer and that agility becomes an advantage, becomes a strategic competitive advantage. And that's just based on my experience. The people that know that, master that, they're the ones that are gonna benefit. We all can't be sitting on hoards of money, like Berkshire Hathaway, and I'm poised to do anything with my dragon hoard that I want to do. That's just not the reality of most businesses.

Speaker 01:

So as a business leader, I need to be thinking about these things. As a business owner, business leader, I need to be thinking about these things, but you can help me.

Speaker 02:

Yes. Or I have friends that can help you that work in this firm. But that gets back to another, well, why am I here? I'm here because I have a certain value set and a certain business mentality, and I want to deliver value. And when I'm wearing my internal audit hat, I may have to major a little bit more in safeguarding assets and created assurance that the controls are working that I would normally like. But we work all the way up and down the spectrum, you know, to insurance that can be relied on by the financial markets, and here I'm talking about external auditor, to advisory services, which is looking for business, has services that help companies capture that value and optimize the opportunity. We play up and down that spectrum, but I will maintain, as my overriding hypothesis that is based on risk, controls, and underneath that, you've got process people and technology that deliver. And that's all in our kit bag.

Speaker 01:

Because that's a critical component of even our teams out there doing strategic planning under our management consulting arm. It's important that these have been considered to drive that management.

Speaker 02:

Yes.

Speaker 01:

That strategic plan.

Speaker 02:

Exactly.

Speaker 01:

So Craig, something I've noticed as we've been discussing is you're not making very much of a distinction between enterprise risk management and internal audit. So just to kind of help me view this more in more practical terms in my experience and lens, if I were to look at, say, a community bank in the lower middle market, what are the things I need to be thinking about from the sense of enterprise risk management, internal audit, where are the overlaps, where are the differences? Just what needs to be top of mind for me?

Speaker 02:

Well, I'll start with this assertion. It's not a management assertion. This is a personal assertion. But it's all based on risk. It's risk. And how I categorize it as ERM or internal audit, the game or the objective, if you will, is to find a way to mitigate that risk and wring out the opportunity on the flip side of it. So let's take a community bank. Let's talk about, they may have a compliance group. They may, let's say that they're, you know, 500 million in assets. They're just a little community bank, and they're not subject to FDICIA. They may have an internal audit function, and that may be true up to a billion in assets. That's managed by a non-internal audit professional, and they outsource services just enough to be able to get some assurance that their processes are, that their procedures are being followed, that their processes are in place, that they can meet their regulatory commitments. Well, there's still an opportunity there. Because what is measured can be managed and what can be managed can be optimized. And what can be optimized takes you to the ability to say, do I have the right mix of value creation that is helping me to capture the value of the upside of risk as opposed to just the safeguarding of asset side, which is value preservation. To me, it's like... Whoever invented the dimmer switch is responsible for half of my metaphors. But it's just moving. It's the dimmer switch on what works for my business. And it doesn't have to be radical changes. It could be incremental changes because I'm also a big believer in continuous improvement. So in each organizational setting, regardless of size, when uncertainty hits, you're back looking to how you are capturing value, how you're perceived, how that value is perceived, whether my, we talked about cost of compliance, but my cost of existence, my relevancy to the organization. I believe all of that has to be rethought, recalculated, and then strategies applied.

Speaker 01:

Well, Craig, thank you so much. I mean, you once again just nailed the answer to my question and you make all this challenging and complicated information seem very clear. So I appreciate that. And I enjoyed the discussion today really focusing in on risk, but not just risk as a philosophical concept, but rather risk as an opportunity for us, whether that's looking at it to help us preserve our value or add value and additionally using it to impact our strategic plans to be agile organizations and also just to help us be resilient and maintain relevancy. And I hope everybody else enjoyed my conversation with Craig as much as I did. If any of you have any follow up questions about the discussion items today or any other business challenges you're navigating, do not hesitate to contact us at www.mjcpa.com.