Positioning Independent Risk Management to Succeed

Published by Jim DeLoach

Effective chief risk officers are concerned with what the institution may not know. They must occasionally offer a contrarian point of view at crucial decision-making moments when a given strategy, transaction, or deal is under scrutiny or is likely to expose the organization to unacceptable risk. If they do not, who will?

In many organizations, board risk oversight is enhanced when the board and executive management are supported by an effective independent risk management function. Positioning the chief risk officer (CRO) (or equivalent executive) and the independent risk management function to deliver to expectations requires an understanding of how the CRO role can succeed. Let’s explore how to support this essential role.

Key Considerations

While not all CROs are alike, there are factors that offer the board a discussion framework for positioning the CRO (and independent risk management) to succeed.

1.) Inculcate an “everyone is responsible for risk” culture.  If the board, senior management, and operating personnel believe that the CRO is the only position within the organization concerned with risk, the game is over before it begins. Ideally, front-line business unit, process, and functional owners should also be risk owners, or the first line of defense when it comes to identifying, sourcing, managing, and monitoring risk.

2.) Integrate risk into opportunity pursuits and decision-making processes. Striking the appropriate balance between the organization’s market-making and control-related activities is fundamental to what a CRO attempts to achieve. It typically begins with formulating and documenting a risk appetite framework approved by executive management and the board, and integrating that framework into operations. From there, risk considerations are incorporated into decision-making processes, performance evaluations, compensation decisions, and the discipline of monitoring the impact of changes in the business environment on the risk profile.

3.) Clearly define the CRO position. Two distinct CRO roles exist in practice. While there are variants, an understanding of these two roles provides a context for framing the positioning conversation:

  • The “champion” CRO advances and enables the organization’s risk management framework (and supporting methodologies, tools, and techniques), and plays the roles of coordinator and integrator to ensure consistency in application across operating units and functions. The champion CRO plays such roles as educator (as a provider of insights); facilitator (of risk assessments and formalization of risk mitigation plans); and consultant, communicator, and reporter. The champion CRO supports evaluations of enterprise risks and provides transparency into the capabilities around managing the priority risks across the institution.
  • The “line of defense” CRO undertakes the activities of the champion, but also is authorized to play a combination of other roles. These roles include evaluator; initiator; approver (of policies and risk response design); escalator (of significant issues to executive management, including the CEO, and, through appropriate channels, the board); vetoer (of activities affecting compliance with established internal policies); and arbitrator (of disagreements between operating and functional units affecting risk management). The line of defense CRO may not be authorized to assume all of these roles, but clearly reaches beyond a champion CRO with escalatory and/or veto authority.

The key is for the board and CEO to have a mutual understanding of the CRO’s role and function. In heavily regulated industries, such as financial services, the line-of-defense CRO is likely the preferred option. If the focus is primarily on understanding and coordinating an organization’s fragmented risk management efforts and reporting on the state of risk management, a champion CRO might work.

4.) Position the CRO to deliver to expectations. To serve as a second line of defense, a CRO must have sufficient stature with business-line leaders and across the organization. Stature comes from the authority, compensation, and direct reporting lines that command respect. In short, for business-line leaders to collaborate effectively with the CRO, they must view the CRO as a peer. This positioning is accentuated if the CRO:

  • Reports to someone who has strong influence on the organization, such as the CEO or executive committee (with administrative reporting to an appropriate C-level executive);
  • Has direct access to a standing committee of the board (i.e., through dotted-line reporting);
  • Engages in mandatory, regularly scheduled executive sessions with the board or a standing committee of the board;
  • Provides periodic reports and escalates issues to executive management and the board;
  • Has influence on compensation practices incenting the desired risk management behaviors; and
  • Is sufficiently resourced with an adequate support staff.

5.) Undertake a strategic focus. Consistent with the premise that risks must be owned by the lines of business and functional activities that generate them, the CRO generally operates in a strategic oversight role with authority vested by the executive committee (or a designated risk management committee), the CEO, and/or the board (or a committee of the board). The CRO’s focus must be on understanding enterprise risk, monitoring changes in the risk profile, and aligning risk with tolerance. Therefore, the board needs to ensure that there is an appropriate risk focus. The CRO role should not be perceived as a check-the-box compliance function that forces the business to follow rules imposed on it, as opposed to linking risk and opportunity effectively when creating and protecting enterprise value.

6.) Foster effective board communication. The CRO should have open and free access to the appropriate board contact. For line-of-defense CROs, the board must be vigilant in ensuring that nothing constrains the CRO from reporting to it when significant risk issues arise. To that end, a formalized escalation process should exist, such as written procedures and agreements requiring escalation of any significant issue raised by the risk management function and contested by business-line executives, even in circumstances where the CEO resolves disputes between the first and second lines of defense.

In summary, there is no one-size-fits-all approach to the CRO role. Positioning the CRO function within the organization is more than defining the role itself. The depth and breadth of the CRO’s relationships with senior executives and business-line and functional leaders have a significant impact on the CRO’s effectiveness. The stronger these relationships, the more effective the CRO will be in realizing the intended value proposition. As expectations increase, the need for more sophisticated risk professionals grows.


Jim DeLoach is managing director with Protiviti, a global consulting firm.

Key Insights From the Audit Committee Chair Advisory Council

On June 19, NACD and partners KPMG’s Audit Committee Institute (ACI) and Sidley Austin LLP co-hosted the most recent meeting of the Audit Committee Chair Advisory Council, bringing together audit committee chairs from major U.S. corporations, key regulators and standard setters from the Securities and Exchange Commission (SEC), Public Company Accounting Oversight Board (PCAOB), and Financial Accounting Standards Board (FASB), and other audit experts for an open dialogue on the key issues and challenges impacting the audit committee agenda.

As detailed in the summary of proceedings, the forum provided timely insights into a number of issues that are top of mind for audit committees. Key insights from the dialogue include:

  • As the PCAOB continues to focus on enhancing auditor independence, skepticism, and objectivity, audit committees are wrestling with how to make the best use of PCAOB inspection reports, with some questioning the timeliness and relevance of the reports and the use of the term “audit failure.”
  • Audit committees continue to discuss the potential value of more robust reporting from the audit committee and external auditors to provide greater insight into their work. Most delegates agreed that the auditor’s statement is the right area of focus.
  • Companies should be preparing for the impact of FASB’s “big four” convergence projects—revenue recognition, leases, financial instruments, and insurance contracts—with a particular focus on the lead time IT departments will need to implement systems changes.
  • Under new leadership, the SEC is refocusing on corporate accounting fraud and the quality of financial disclosures, while moving ahead with its already heavy rule-making agenda resulting from Dodd-Frank mandates and the JOBS Act.
  • The allocation of risk oversight duties among the audit committee, full board, and other board committees is receiving increased attention, as the risk environment becomes more complex and audit committees reassess their risk oversight responsibilities.
  • In their oversight role, directors serve in a part-time capacity, while management is full time, resulting in executives having a much deeper knowledge of the operational aspects and risks of the company. To overcome this inherent imbalance, directors should apply a “healthy” level of skepticism to the information and assumptions management provides.
  • The audit committee’s effectiveness hinges not only on having the right mix of skills and backgrounds, but also having a robust onboarding process and commitment to continuing director education.

For the full day’s discussion and proposed council action items, see the summary of proceedings.

Who Is Trying to Eat Your Lunch?

Last year, NACD launched its fourth advisory council, the Advisory Council on Risk Oversight—the first of our councils not dedicated to a specific key board committee. In fact, less than 10 percent of public companies even have a committee dedicated to risk oversight. This advisory council was formed as the result of a simple observation: the responsibility of risk oversight has expanded significantly in the last several years. The council is not lacking for discussion topics—the nature of potential risks to an organization is evolving seemingly by the day. Directors need to know the strategies in place not only to mitigate but to capitalize on the risks currently facing the company, and on those predicted to present challenges in the future.

But that just accounts for what is on the board’s radar. At the second meeting of NACD’s Advisory Council on Risk Oversight held in collaboration with PwC and Gibson Dunn, the discussion went beyond current and predicted risks to the challenges of disruptive technologies and innovation. Increasingly, the most severe shocks have been largely unpredictable: extreme weather, the confluence of multiple events, or innovation that upturns the industry. As one delegate observed: “We haven’t spent much time on the [risk of] ‘I will eat your lunch with a completely different approach.’ Companies don’t sit down and think about who is going to attack from a completely different angle.”

In their oversight capacity, directors cannot constantly monitor the more detailed aspects of the business. Nor can “you anticipate what you don’t know.” Nevertheless, several delegates suggested that having the appropriate risk oversight processes in place, coupled with a resilient culture that efficiently reports risks up to the board, can support directors in mitigating both known and unknown risks. The meeting, captured in the 2013 Advisory Council on Risk Oversight Summary of Proceedings, focused on areas critical to effective risk oversight processes. These include:

  • Board processes and people. It is critical that the board not only has the right talent, but engages it fully. Directors should have a “real and thorough” understanding of the business to be able to effectively discuss both strategy and risk with management.
  • Recognizing asymmetric information risk. While the board has to be comfortable with the reality of information asymmetry, directors should establish tolerance levels for the level of asymmetric risk they are willing to bear, and look for signs of when this risk has become too high.
  • Engaging with management involved in risk reporting. For companies with a chief risk officer (CRO), that person can keep an “inventory” of risks throughout the organization. Additionally, directors can ask internal audit to identify what it believes will be “hot-button” risk areas.
  • Linking strategy to risk. The board’s oversight of risk should begin with an assessment of the company’s strategy and its inherent risks, which necessitates understanding and agreeing on the risk appetite, or the amount of risk the company is willing to accept.
  • Allocating the work of risk oversight. The significant increase in risks facing the board necessitates defining who will act as an “air traffic controller”—allocating risk oversight responsibilities.

Leading practices for risk oversight—including allocation of work and the development of a risk strategy document—will continue to be focus points not only for this advisory council but also for NACD’s Directorship 2020 initiative. The full summary of proceedings is available for download.