6 Ways to Support the CRO
There is no one-size-fits-all solution for successful risk management, but there are certainly commonalities between successful Chief Risk Officers and independent risk management professionals. Jim DeLoach outlines several strategies organizations can implement to position their risk management function (and by extension, the organization) for success.
The ultimate advocate for risk management in any enterprise is arguably the chief executive officer (CEO); however, the chief risk officer (or equivalent executive) and independent risk management professionals (hereinafter referred to collectively as the CRO) are unique in that they are often expected to provide a voice that champions the protection of enterprise value at crucial decision-making moments when a given strategy, transaction or deal is under scrutiny or is likely to expose the organization to unacceptable risk. If they do not, then who does?
Effective CROs are concerned with what the institution’s leaders may not know and, therefore, must occasionally offer a contrarian point of view; otherwise, the decision-making process may end up flawed with “group think.” In today’s environment, decision-making processes should be driven by objective assessments of the risk/reward balance, rather than by the emotional investment, management bias and short-termism that underlie dangerous organizational blind spots.
In many organizations, board risk oversight is enhanced when the board and executive management are supported by an effective independent risk management function. Positioning the CRO to deliver to expectations requires an understanding of what makes the role succeed. In practice, not all CROs are alike. There is no one-size-fits-all. However, there are success factors that offer a discussion framework for positioning the CRO to succeed. Below, we discuss six of them.
#1: Inculcate an “Everyone is Responsible for Risk” Philosophy
If the board, senior management and operating personnel believe that the CRO is the only person within the organization who is concerned with risk, the game is over before it begins. In these situations, there is a major source of dysfunction lying in the weeds, and it is merely a matter of time before the organization falls victim to it. Unless managing risk is an organizational imperative – and line personnel are aware of and own the risks their operating activities create – it is difficult for any CRO to be successful. Ideally, front-line business unit, process and functional owners should also be risk owners or the first line of defense when it comes to identifying, sourcing, managing and monitoring risk. The enterprise’s risk culture drives the “everyone is responsible” view. That view starts at the top.
#2: Integrate Risk into Opportunity Pursuits
The board needs to be assured that management has not allowed past successes to breed overconfidence. Tension within an institution between its market-making and control-related activities is inevitable and should be encouraged. Striking the appropriate balance between the two is fundamental to what a CRO attempts to achieve. It typically begins with formulating and documenting a risk appetite statement approved by executive management and the board. From there, risk considerations are incorporated into performance evaluations, compensation decisions, decision-making processes and the discipline of monitoring the impact of changes in the business environment on the risk profile. “What if” scenario planning, stress testing and other tools are baked into strategy setting, business planning and forecasting processes to visualize the effect of potential future events on the institution’s revenues, costs, profits, cash flow and market share, as well as how the organization can respond to or benefit from them. These activities require acknowledgment from the top that there should be prudent boundaries and limits to entrepreneurial value-creating activities and that high-risk ventures are pursued transparently with the full knowledge of executive management and the board.
#3: Clearly Define the CRO Position
Two distinct CRO roles exist in practice. While there are variants, an understanding of these two roles provides a context for framing the positioning conversation:
The “Champion” CRO advances and enables the organization’s risk management framework and plays the roles of coordinator and integrator (to ensure consistency across operating units and functions), educator (as a provider of insights), facilitator (of risk assessments and formalization of risk mitigation plans), consultant (regarding application and execution of the risk management framework), communicator and reporter. Champion CROs often establish, communicate and facilitate the use of appropriate risk management methodologies, tools and techniques; facilitate risk-related meetings; and work with risk owners to provide transparency into the capabilities around managing the priority risks across the institution.
The “Line of Defense” CRO undertakes the activities of the champion and, in addition, is authorized to play a combination of such roles as evaluator, initiator, approver (of policies and risk response design), escalator (of significant issues to executive management, including the CEO, and, through appropriate channels, the board), vetoer (of activities affecting compliance with the organization’s internal policies) and arbitrator (of disagreements between operating and functional units affecting risk management). In this broader role, the CRO establishes and communicates the organization’s risk management vision, designs and implements an appropriate risk management infrastructure, implements relevant action-oriented risk reporting to senior management and the board and reviews compensation plans to consider the possible impact of risk factors and compensation on behavior.
The line of defense CRO may not be authorized to perform all the above roles, but he or she clearly reaches beyond a champion because he or she has the teeth of approval, along with escalatory and/or veto authority. The key is that the board and the CEO must have mutual understanding of the CRO’s role and function. In heavily regulated industries, the line of defense CRO is likely the preferred option. If the focus is primarily on understanding and coordinating an organization’s fragmented risk management efforts and reporting on the state of risk management, a champion CRO might work.
#4: Position the CRO to Deliver to Expectations
To serve as a second line of defense, a CRO must have sufficient stature with business line leaders and across the organization. Stature comes from the authority, compensation and direct reporting lines that command respect. In short, for business line leaders to collaborate effectively with the CRO, they must view the CRO as a peer. This positioning is accentuated if the CRO:
- Reports to someone who has a strong influence on the organization, such as the CEO or the executive committee (with administrative reporting to another C-level executive);
- Has direct access to a standing committee of the board (i.e., through dotted-line reporting);
- Engages in mandatory, regularly scheduled executive sessions with the board or a standing committee of the board;
- Provides periodic reports and escalates issues to executive management and the board;
- Has influence on compensation practices incenting the desired risk management behaviors; and
- Is sufficiently resourced with an adequate support staff.
#5: Undertake a Strategic Focus
Consistent with the premise that risks must be owned by the lines of business and functional activities that generate them, the line of defense CRO generally operates in a strategic oversight role with authority vested by the executive committee (or a designated risk management committee), the CEO and/or the board (or a committee of the board). The line of defense CRO’s focus must be on understanding enterprise risk, monitoring changes in the risk profile and aligning risk with the desired tolerances for risk. Ideally, the line of defense CRO is accountable for enabling the efficient and effective governance of the truly significant enterprise risks and the related opportunities for the institution overall and its various lines of business. The executive team and board need to ensure there is an appropriate risk focus. For sure, the CRO role should not be perceived as a check-the-box compliance function that forces the business to follow rules imposed on it.
#6: Foster Effective Board Communications
The CRO should have open and free access to the board (or a board subcommittee). For line of defense CROs, the board must be vigilant in ensuring nothing constrains the CRO from reporting to it when significant risk issues arise. A formalized escalation process should exist (e.g., written procedures and agreements requiring escalation of any significant issues raised by the risk management function that are being argued by line of business executives, even in circumstances where the CEO resolves disputes between the first and second lines of defense).
With respect to the above success factors, it should be clear we are not talking about a one-size-fits-all approach. There are no hard-and-fast rules. Positioning the CRO function within the organization is about more than defining the role. The depth and breadth of the CRO’s relationships with senior executives and business line leaders have a significant impact on his or her effectiveness and the sustainability of the position as it is defined. The stronger those relationships, the more effective the CRO will be in realizing the intended value proposition. As expectations increase, the need for more sophisticated risk professionals grows.
Considerations for Executive Teams and Boards of Directors
If there isn’t a CRO (or equivalent executive) and/or an independent risk management function, executive management and the board of directors may want to inquire why, in the context of the nature of the entity’s risks inherent in its operations. If there is a CRO and/or an independent risk management function, the following are some suggested questions senior executives and directors may want to consider:
- Does the CRO role and independent risk management function constitute an effective second line of defense? If not, should it? Do they have access to the board or to a committee of the board?
- Are there signs of ineffective positioning of the CRO or the independent risk management function within the organization? Examples of signs could include but not be limited to the following:
- There is lack of clarity in the CRO role and how it interfaces with senior line and functional management.
- Risk management is not valued as a discipline equivalent to opportunity pursuit.
- The CRO is not viewed as a peer with line of business leaders.
- There is no direct reporting line to the board.
- The CRO is entangled in the minutiae of managing compliance and is seen as a blocker to getting things done.
- The CRO is constantly fighting turf wars with entrenched silos.
- Do the executive team and the board leverage the CRO in obtaining relevant and insightful risk reports?