Effective chief risk officers are concerned with what the institution may not know. They must occasionally offer a contrarian point of view at crucial decision-making moments when a given strategy, transaction, or deal is under scrutiny or is likely to expose the organization to unacceptable risk. If they do not, who will?
In many organizations, board risk oversight is enhanced when the board and executive management are supported by an effective independent risk management function. Positioning the chief risk officer (CRO) (or equivalent executive) and the independent risk management function to deliver to expectations requires an understanding of how the CRO role can succeed. Let’s explore how to support this essential role.
While not all CROs are alike, there are factors that offer the board a discussion framework for positioning the CRO (and independent risk management) to succeed.
1.) Inculcate an “everyone is responsible for risk” culture. If the board, senior management, and operating personnel believe that the CRO is the only position within the organization concerned with risk, the game is over before it begins. Ideally, front-line business unit, process, and functional owners should also be risk owners, or the first line of defense when it comes to identifying, sourcing, managing, and monitoring risk.
2.) Integrate risk into opportunity pursuits and decision-making processes. Striking the appropriate balance between the organization’s market-making and control-related activities is fundamental to what a CRO attempts to achieve. It typically begins with formulating and documenting a risk appetite framework approved by executive management and the board, and integrating that framework into operations. From there, risk considerations are incorporated into decision-making processes, performance evaluations, compensation decisions, and the discipline of monitoring the impact of changes in the business environment on the risk profile.
3.) Clearly define the CRO position. Two distinct CRO roles exist in practice. While there are variants, an understanding of these two roles provides a context for framing the positioning conversation:
The “champion” CRO advances and enables the organization’s risk management framework (and supporting methodologies, tools, and techniques), and plays the roles of coordinator and integrator to ensure consistency in application across operating units and functions. The champion CRO plays such roles as educator (as a provider of insights); facilitator (of risk assessments and formalization of risk mitigation plans); and consultant, communicator, and reporter. The champion CRO supports evaluations of enterprise risks and provides transparency into the capabilities around managing the priority risks across the institution.
The “line of defense” CRO undertakes the activities of the champion, but also is authorized to play a combination of other roles. These roles include evaluator; initiator; approver (of policies and risk response design); escalator (of significant issues to executive management, including the CEO, and, through appropriate channels, the board); vetoer (of activities affecting compliance with established internal policies); and arbitrator (of disagreements between operating and functional units affecting risk management). The line of defense CRO may not be authorized to assume all of these roles, but clearly reaches beyond a champion CRO with escalatory and/or veto authority.
The key is for the board and CEO to have a mutual understanding of the CRO’s role and function. In heavily regulated industries, such as financial services, the line-of-defense CRO is likely the preferred option. If the focus is primarily on understanding and coordinating an organization’s fragmented risk management efforts and reporting on the state of risk management, a champion CRO might work.
4.) Position the CRO to deliver to expectations. To serve as a second line of defense, a CRO must have sufficient stature with business-line leaders and across the organization. Stature comes from the authority, compensation, and direct reporting lines that command respect. In short, for business-line leaders to collaborate effectively with the CRO, they must view the CRO as a peer. This positioning is accentuated if the CRO:
Reports to someone who has strong influence on the organization, such as the CEO or executive committee (with administrative reporting to an appropriate C-level executive);
Has direct access to a standing committee of the board (i.e., through dotted-line reporting); Engages in mandatory, regularly scheduled executive sessions with the board or a standing committee of the board;
Provides periodic reports and escalates issues to executive management and the board; Has influence on compensation practices incenting the desired risk management behaviors; and
Is sufficiently resourced with an adequate support staff.
5.) Undertake a strategic focus. Consistent with the premise that risks must be owned by the lines of business and functional activities that generate them, the CRO generally operates in a strategic oversight role with authority vested by the executive committee (or a designated risk management committee), the CEO, and/or the board (or a committee of the board). The CRO’s focus must be on understanding enterprise risk, monitoring changes in the risk profile, and aligning risk with tolerance. Therefore, the board needs to ensure that there is an appropriate risk focus. The CRO role should not be perceived as a check-the-box compliance function that forces the business to follow rules imposed on it, as opposed to linking risk and opportunity effectively when creating and protecting enterprise value.
6.) Foster effective board communication. The CRO should have open and free access to the appropriate board contact. For line of defense CROs, the board must be vigilant in ensuring that there is nothing constraining the CRO from reporting to it when significant risk issues arise. To that end, a formalized escalation process should exist, such as written procedures and agreements requiring escalation of any significant issues raised by the risk management function that are being argued by business-line executives, even in circumstances where the CEO resolves disputes between the first and second lines of defense.
In summary, there is no one-size-fits-all approach to the CRO role. Positioning the CRO function within the organization is more than defining the role itself. The depth and breadth of the CRO’s relationships with senior executives and business-line and functional leaders have a significant impact on the CRO’s effectiveness. The stronger these relationships, the more effective the CRO will be in realizing the intended value proposition. As expectations increase, the need for more sophisticated risk professionals grows.
Jim DeLoach is managing director with Protiviti, a global consulting firm.
While President-elect Donald Trump worked last week with his transition team from the Trump Tower, directors met just blocks away at the Harvard Club of New York City, to address how in the aftermath of his election boards should begin preparing for what could be sweeping regulatory, tax, and social change.
(Left to right) Robert Klatell, Steven Kreit, and Laurie Shahon
Leading the discussion were EisnerAmper’s Chief Risk Officer Peter Bible and Steven Kreit, an audit partner with the firm. While the directors disagreed on the order and priority of policy changes, there was consensus around one point: Uncertainty will rule. Bible and Kreit suggested directors focus on in the near term and shared recommendations directors might take to remain agile in the face of politically driven risks.
How can a director prepare? Boards must engage deeply in strategy in the coming months. Anthony Buonaguro, president of the New Jersey NACD chapter and director of Enclave Homeowners Association, ignited a debate on whether or not boards will develop investment strategies focused on continued investment abroad.
“It resonated with me that we’re facing several years of uncertainty,” Buonaguro said. “Is this going to make boards more conservative? Usually there are two ways that people handle uncertainty: forge ahead as usual, or freeze. If it’s the latter, it’s not good for the economy or stocks. What are boards supposed to do to revamp strategy?” Kreit answered: “You have to put pen to paper and identify scenarios, then plan for them. Will you hit the scenario that happens? Possibly—or not. But if boards don’t strategize, they’re not going to get anywhere.”
NACD Directorship Publisher Christopher Y. Clark asked participants to suggest calls to action. Shaun Higgins, director of Aryzta AG and Carmine Laboratories, reiterated the importance of establishing strong enterprise risk management (ERM) practices. “I think you go into the board meeting and make strategic planning your number one ERM priority,” Higgins said.
Andrea Bonime-Blanc, CEO, founder, and director of GEC Risk Advisory LLC, jumped in: “I think the answer is to know what your top strategic risks are that need to be focused on.” Regarding specific risks, Bonime-Blanc said that when assessing the election’s implications, “We must pick the top five risks to integrate into business planning and factor U.S. geopolitical risk into our own strategic planning in a way that we never have had to before.”
The EisnerAmper hosts shared their near-term advice. “I can’t find a better reason for your companies to have ERM systems and processes in place,” Kreit said, noting that this is not the time for “mail-in” board members.
“I think this is a great time to start thinking about whether the people you have in the boat with you are the people you want to have in the boat with you,” Kreit said.
To see the full list of participants, please click here.
What We Know
Kreit addressed what can be readily understood from the election. “There’s talk about what is going to happen, but no one really knows,” he said. “Board members should really be prepared for anything. Start thinking about some of the concepts Trump has been talking about, what some of his main areas of focus have been.” Work with management to address how the following, possible policy changes might impact business:
Anticipate inflation and its impact on cash flow and management, equity valuations, and borrowing abilities. While an initial jump in equity markets was seen, according to Bible, “the debt market got $1 trillion knocked out of it,” a sign of anticipation of inflation. Companies should begin scenario-planning for changes in borrowing ability.
Expect early review of tax policy. The dominance of the Republican party across Congress and the executive branch indicate the probability of perhaps even speedy tax reform.
Repeal or replacement of the Affordable Care Act. Some changes will come to the policy, and companies should be prepared to address its impact on their workforce.
De-regulation and repeal of the Dodd-Frank Act. Bible and Kreit anticipate the repeal of at least some Dodd-Frank provisions, and, at a minimum, a review of leadership at the Consumer Financial Protection Board.
Changes are coming to trade. One of the major planks in the Trump platform was a general desire to repeal trade agreements and impose tariffs on China and Mexico, as well as opposition to the Trans-Pacific Partnership. Bible and Kreit underscored the fact that one of the American executive branch’s unilateral powers is to control foreign commerce, which could lead to trade wars “that could trigger a recession,” Bible cautioned.
Kreit also outlined the timeline of key power changes in the White House and Congress:
December 19, 2016: The Electoral College convenes to vote.
January 3, 2017: The 115th United States Congress convenes.
January 6, 2017: Congress declares the president-elect.
January 20, 2017: Presidential inauguration marks the beginning of the Trump administration.
March-September 2017: Congress anticipated to debate raising the debt ceiling.
September 30, 2017: The U.S. government’s fiscal year ends, opening the door for Congress to address budgetary and fiscal matters.
These dates could serve as important milestones for developments impacting their companies.
“Back when we were determining a topic for this discussion, one thing I think we could all agree on was that this election could change the course of the country—and, potentially, the world,” Bible said in summation. “I felt very strongly that we should have this type of dialogue for one reason, and that’s because board leadership is essential for success. It’s a brave new world.”
A second post reporting from this roundtable addresses longer-term concerns raised by directors. To continue reading, click here.
NACD’s Research team, headed by Director of Research Friso Van der Oord, has been hard at work making changes to significantly enhance how you experience our content. We heard your feedback, and—with our members as our central focus—we’ve released new, practical types of content and reorganized our closets to help you find what you need, when you need it. Let’s begin with our reorganization.
NACD Resource Centers
We’ve curated the best NACD content on the most universal board governance topics in NACD Board Resource Centers. These resource centers include our best thought leadership, most practical tools, recent expert analysis, and upcoming events. Their content gets refreshed monthly. We now have resource centers available on the following topics, with more to come in the next 6 months:
In addition to Resource Centers, NACD also debuted its Board Insights Portal in the last year. Here, you can find our most recent publications, blogs and articles.
This page also features three drop-down menus that allow you to search for our research and insights by committee type (for the three traditional committees), by topic, or for benchmarking data by company type.
Among the publications you’ll find in our Resource Centers and Board Insights Portal are a new publication type called our Director Essentials series. This new series offers “essentials” guides for boards on key governance issues, outlining core responsibilities of boards, tactics they can adopt to strengthen oversight and questions they can ask to inform the dialogue with management
A cross-departmental team of NACD staff have also worked to improve our website’s search function. We cleared out our old or redundant pages and ensured that our most relevant content appears when you search your favorite governance terms on our site. So now, if we’ve published it, you can more easily find it.
What This Means for You
We hope that these changes will help you and your board to better identify specific resources to frame your boardroom discussions, diagnose an issue, and outline possible solutions. We only ask that you continue to provide us with feedback about your experience finding or using our content. Please offer your comments below, or send an email to me (AMOrme@NACDonline.org) or Friso (FVanderOord@NACDonline.org).
You may also click here for more information on how to gain access to NACD’s exclusive boardroom intelligence.