Historically, the Chief Risk Officer’s role has been to ensure that companies meet their regulatory and compliance obligations. Guy Underwood, CRO at Vital4, discusses how that is changing in the context of a global pandemic.
Nearly five years ago, I was awarded the Certified Chief Risk Officer (CCRO) certification by the Risk Management Institution of Australasia. As part of the application process, I was asked to answer a number of questions relating to elements of a Chief Risk Officer’s role. I was also interviewed by a panel as they sought to ascertain whether I had the necessary skills and experience to gain the CCRO accreditation.
My answers then have caused me to reflect on what they would be now in the context of the COVID pandemic and where the world is in 2020, as opposed to circa 2016 when I gained this certification.
Times are Changing, and Risk is Increasing
There are substantial penalties for organizations as well as individuals that don’t manage risk. Most businesses have programs and policies in place that are meant to ensure that they are compliant with relevant regulations.
Internal auditors go through the prescribed process and check off the items in the program, but checking off the boxes on an in-place program is not the same as effectively managing risk. Every check may “pass,” but if the program has not been implemented properly, has not been updated to reflect recent regulatory changes or has critical failings in data or process, the organizational risk may still be substantial.
Data and how you use it is key to any compliance program. Many organizations are “data rich” but “information poor.” Combing through mountains of data can lead to missing key information, and outdated data or poorly curated datasets can lead to false positives or other forms of risk.
Risk is not limited to substantial fines by regulators. Organizational risk also encompasses the reputation loss that can dramatically impact the ability of the business to operate normally, acquire new customers or retain existing accounts. It is critical that organizations ensure they are not engaging in operations with sanctioned countries or facilitating bad actors after ample information about their criminal actions is available.
Viewing risk only through the lens of accounting losses misses the larger picture of opportunity costs that surround a loss of trust or respect; these can be even more devastating for an entity than the fines themselves.
Historically, the role of the CRO was limited to ensuring that the organization met its regulatory and compliance obligations – a sort of failsafe to protect the business in the event of adverse scenarios. However, the modern CRO now appears to have more influence across organizations, although there is still some way to go in terms of getting the right seat at the table to ensure compliance processes are more than just ticking boxes.
Having been involved in the risk management industry for over 25 years, I have seen many changes, including a move away from the dominance of insurance professionals at risk-related events and a younger and more diverse number of risk professionals in the marketplace.
The rapid digitization of many industries during the COVID pandemic is only accelerating this trend. Yet as risk professionals, quite often we still have to justify our existence to the organization and demonstrate that we add value and are not just a cost center.
A Few Key Takeaways
The pandemic has provided an opportunity for companies to review their risk framework to ascertain whether they have captured the risks presented by the pandemic (e.g., teams working remotely, interruption of supply chain, dealing with clients remotely).
In my opinion, now is the perfect time to recast the role of risk management and the CRO in particular. With events such as the worldwide financial crisis, terrorism, political uncertainty and a global pandemic impacting society and changing how business is conducted, CROs have a crucial role in helping guide organizations in the right direction.
CROs have the opportunity to shape the future strategic direction of their organization by identifying new risks that have presented themselves during the pandemic and designing strategies to ensure that the business takes advantage of the new risk environment.
Whether you are a not-for-profit seeking to remain relevant and financially viable or a fintech company seeking to become the next “unicorn” company, your organization will benefit from engaging closely with your CRO and members of the risk management team.
Compliance Innovation
As a CRO, you must have a role in helping set the strategic direction for your organization. No entity can embark on a course of action without understanding the underlying risk exposure and rewards that the changes entail. Additionally, executives and senior management require your wise and knowledgeable counsel when making decisions that can impact the company and its key stakeholders, including staff and shareholders.
The post-pandemic world will favor organizations collaborating in a range of areas; therefore, it is important that any new collaborations are approached with an understanding of not only the opportunities that are present, but also the risks that may arise from these new relationships.
It is important that, as CROs, we seek to continue to increase our profiles and demonstrate the value we can add to our employers and all their constituents. We must not only protect the organization and its management (including, sometimes, from itself), but also provide the expertise and skills required to deliver value for the business and the broader community.
I believe the way the world responds to the current pandemic – and the role we as Chief Risk Officers play in helping businesses in this response – will be a watershed for our profession. I look forward to seeing what the next generation of risk professionals can do for a post-pandemic society.