Effective chief risk officers are concerned with what the institution may not know. They must occasionally offer a contrarian point of view at crucial decision-making moments when a given strategy, transaction, or deal is under scrutiny or is likely to expose the organization to unacceptable risk. If they do not, who will?
In many organizations, board risk oversight is enhanced when the board and executive management are supported by an effective independent risk management function. Positioning the chief risk officer (CRO) (or equivalent executive) and the independent risk management function to deliver to expectations requires an understanding of how the CRO role can succeed. Let’s explore how to support this essential role.
While not all CROs are alike, there are factors that offer the board a discussion framework for positioning the CRO (and independent risk management) to succeed.
1.) Inculcate an “everyone is responsible for risk” culture. If the board, senior management, and operating personnel believe that the CRO is the only position within the organization concerned with risk, the game is over before it begins. Ideally, front-line business unit, process, and functional owners should also be risk owners, or the first line of defense when it comes to identifying, sourcing, managing, and monitoring risk.
2.) Integrate risk into opportunity pursuits and decision-making processes. Striking the appropriate balance between the organization’s market-making and control-related activities is fundamental to what a CRO attempts to achieve. It typically begins with formulating and documenting a risk appetite framework approved by executive management and the board, and integrating that framework into operations. From there, risk considerations are incorporated into decision-making processes, performance evaluations, compensation decisions, and the discipline of monitoring the impact of changes in the business environment on the risk profile.
3.) Clearly define the CRO position. Two distinct CRO roles exist in practice. While there are variants, an understanding of these two roles provides a context for framing the positioning conversation:
- The “champion” CRO advances and enables the organization’s risk management framework (and supporting methodologies, tools, and techniques), and plays the roles of coordinator and integrator to ensure consistency in application across operating units and functions. The champion CRO plays such roles as educator (as a provider of insights); facilitator (of risk assessments and formalization of risk mitigation plans); and consultant, communicator, and reporter. The champion CRO supports evaluations of enterprise risks and provides transparency into the capabilities around managing the priority risks across the institution.
- The “line of defense” CRO undertakes the activities of the champion, but also is authorized to play a combination of other roles. These roles include evaluator; initiator; approver (of policies and risk response design); escalator (of significant issues to executive management, including the CEO, and, through appropriate channels, the board); vetoer (of activities affecting compliance with established internal policies); and arbitrator (of disagreements between operating and functional units affecting risk management). The line of defense CRO may not be authorized to assume all of these roles, but clearly reaches beyond a champion CRO with escalatory and/or veto authority.
The key is for the board and CEO to have a mutual understanding of the CRO’s role and function. In heavily regulated industries, such as financial services, the line-of-defense CRO is likely the preferred option. If the focus is primarily on understanding and coordinating an organization’s fragmented risk management efforts and reporting on the state of risk management, a champion CRO might work.
4.) Position the CRO to deliver to expectations. To serve as a second line of defense, a CRO must have sufficient stature with business-line leaders and across the organization. Stature comes from the authority, compensation, and direct reporting lines that command respect. In short, for business-line leaders to collaborate effectively with the CRO, they must view the CRO as a peer. This positioning is accentuated if the CRO:
- Reports to someone who has strong influence on the organization, such as the CEO or executive committee (with administrative reporting to an appropriate C-level executive);
- Has direct access to a standing committee of the board (i.e., through dotted-line reporting);
- Engages in mandatory, regularly scheduled executive sessions with the board or a standing committee of the board;
- Provides periodic reports and escalates issues to executive management and the board;
- Has influence on compensation practices incenting the desired risk management behaviors; and
- Is sufficiently resourced with an adequate support staff.
5.) Undertake a strategic focus. Consistent with the premise that risks must be owned by the lines of business and functional activities that generate them, the CRO generally operates in a strategic oversight role with authority vested by the executive committee (or a designated risk management committee), the CEO, and/or the board (or a committee of the board). The CRO’s focus must be on understanding enterprise risk, monitoring changes in the risk profile, and aligning risk with tolerance. Therefore, the board needs to ensure that there is an appropriate risk focus. The CRO role should not be perceived as a check-the-box compliance function that forces the business to follow rules imposed on it, as opposed to linking risk and opportunity effectively when creating and protecting enterprise value.
6.) Foster effective board communication. The CRO should have open and free access to the appropriate board contact. For line-of-defense CROs, the board must be vigilant in ensuring that nothing constrains the CRO from reporting to it when significant risk issues arise. To that end, a formalized escalation process should exist, such as written procedures and agreements requiring escalation of any significant issues raised by the risk management function that are being disputed by business-line executives, even in circumstances where the CEO resolves disputes between the first and second lines of defense.
In summary, there is no one-size-fits-all approach to the CRO role. Positioning the CRO function within the organization is more than defining the role itself. The depth and breadth of the CRO’s relationships with senior executives and business-line and functional leaders have a significant impact on the CRO’s effectiveness. The stronger these relationships, the more effective the CRO will be in realizing the intended value proposition. As expectations increase, the need for more sophisticated risk professionals grows.
Jim DeLoach is managing director with Protiviti, a global consulting firm.