In our last column, we discussed positioning of the chief risk officer (CRO) within the organization for success. We noted that a company’s decision around whether to appoint a CRO (or an equivalent senior risk executive) is driven by many factors, such as its industry, business model, structure and culture, not to mention the nature and complexity of its risks and the extent of any fragmented silo activity. Once management has committed to establishing the CRO role, a question we often hear is: What qualifications should the company be looking at when evaluating candidates for the position?
While there are many attributes to consider in conducting a search for the right person to serve as CRO, we explore the criteria below:
The role, responsibilities and expectations, as defined by management and the Board of Directors – The role, responsibilities and expectations of the CRO, as well as how he or she will be positioned, as we discussed last month, will have a significant impact on defining the talent pool from which to select candidates. To illustrate, will the CRO focus on strategic issues, such as the following?
- Establishing/communicating the entity’s risk appetite and risk management philosophy
- Implementing an appropriate infrastructure of policies, processes, personnel, reports and systems for managing and monitoring risk
- Integrating risk management with strategy setting, business planning and performance management processes
- Implementing appropriate risk reporting to executive management and the Board
Alternatively, will he or she have a functional, more tactical focus, such as on these areas?
- Compliance management
- Ownership of one or more risks
- Insurance procurement
- Fraud prevention and asset protection
- Environmental, health and safety matters
Another key question: Will he or she interface with line-of-business and operating unit leaders as a peer and be expected to dialogue effectively in the C-suite and boardroom?
Obviously, the nature and scope of the position has significant implications with regard to the type of individual needed. Answers to the above questions provide valuable context.
Experience requirements – If the organization is looking for someone to serve as a peer with operating unit and other leaders, search for seasoned executives with at least 15 to 20 years of experience. While previous experience in risk management and finance can be a plus, industry experience and demonstrated ability to work effectively with senior personnel to address issues in a comparable organization are vital attributes to consider. “Industry experience” covers a lot ground, including knowledge of how value is created for customers, the regulatory environment, relevant industry standards and best practices. Previous experience with the C-suite and reporting to Boards is desirable. Expertise in one or more of the risks of greatest importance to the enterprise is also desirable (e.g., market risk in trading operations or investment banks, credit risk in banks and commodity price risk in power companies).
Critical thinking skills – The CRO should be able to think strategically, work with operating units to disaggregate business plans and transactions into the component risks that the organization is taking on and recommend how to improve proposed plans and transactions by mitigating downside exposures. Effective analysis of significant amounts of data and information and distilling the key points that help executive management and the Board analyze risk in a given situation is part of the job.
Interpersonal skills – Exceptional interpersonal skills, including excellent oral and written communications and negotiation skills, support the CRO in interacting with senior management and the Board effectively, as well as with all levels of management, the investor community and regulatory authorities. The CRO should be able to organize and motivate others who, in many cases, may be in more senior positions.
Keen business acumen – Because the CRO’s authority is impacted by the questions he or she asks, this individual needs to be both a trusted adviser and a control authority that is able to articulate risk/reward trade-offs. Sound business and financial judgment combined with problem-solving abilities are vital prerequisites. An increasing use of models or quantitative data analytics across industries makes the need for core analytical skills crucial for a CRO. He or she must have the capability to accumulate, summarize and interpret risk reports from business, functional and assurance units and translate them into terms decision makers will understand. The objective is to improve proposed business plans and transactions so the company is more likely to succeed in creating enterprise value while also protecting it.
Strong process orientation – Often, the CRO is responsible for assisting the organization in developing and maintaining a comprehensive and sustainable process for identifying, prioritizing, monitoring, controlling and reporting key business risks that might impact the achievement of the enterprise’s objectives and performance goals. This requires a strong view of processes and how they interface with such core management activities as strategy setting, annual business planning, performance management and budgeting. Often, this capability is overlooked as the weighting in evaluating candidates is slanted towards technical-oriented people without considering process, policy or integration experience.
Cool under fire– The CRO must be truly objective and able to call the issues how he or she sees them, and if necessary, communicate what may be a contrarian message. Successful CROs should be concise and direct under fire in their communications with top management and directors. They must have the courage to speak to their convictions, even if they could be wrong, and must not be intimidated by hierarchy and position within the organization. Instead, they must draw influence through an active communicative and knowledge-sharing style. Their purpose is not to get along and form lasting workplace friendships. CROs need to have a thick skin, exercise healthy skepticism, question everything they do not understand and be forward-looking. One thing to look for is whether the candidate has experience managing a unit, a function or a team through a crisis.
In viewing the above attributes, the key question is often one of “fit;” that is, how well will the CRO candidate “fit in” within your organization?
Jim DeLoach, a founding 
