As many companies move to recruit a CRO, Mike Wilkinson reviews the key issues organisations must consider to ensure they make the right appointment

Recent events have thrust the issue of risk management into the limelight. The Société Générale scandal exposed the staggering impact of control failures on a company that previously had a good reputation for risk management. In light of the current climate, Morgan Stanley has hired a managing director to provide strategic oversight for risk, following its first-ever loss in the fourth quarter last year. Meanwhile, Swiss Re has appointed Raj Singh, a former investment banker, to become its chief risk officer.

It is little surprise that the significance attached to recruiting a chief risk officer (CRO) has escalated. The prominence of the role has been increasing steadily over the last five years, and each corporate crisis creates its own spike of activity. For insurers and reinsurers across the whole of the EU, as with Basel II for banks, the proposed Solvency II legislation will create another wave of change. Firms must demonstrate that risk management and measurement are embedded throughout the organisation and establish a formal risk management function. This stance is echoed on a global scale by both regulators and rating agencies, which increasingly see good risk management as a necessary and indicative element of business strength within an overall enterprise risk management (ERM) framework.

As the latest member of the ‘C’ suite, the CRO has been elevated to a senior management position alongside the CFO, CEO and COO. However, since the concept is still relatively new, the CRO role has not yet established a generally accepted modus operandi within normal business culture. This presents a challenge to the accepted order and an opportunity to do things differently.

It is a challenge because there is no clear template on how a CRO operates, as there is with, for example, a CFO, and the position can also cut across already established roles, such as internal audit. The risks of getting it wrong, as shown by Société Générale, can be huge, and in today’s sensitive global financial markets, no financial institution can allow it to go awry. On the other hand, companies have the opportunity to create a new role that is effective for their culture and organisation, and delivers genuine added value.

There are three key questions organisations must consider when recruiting for the position of CRO:

What are we trying to achieve as a business?

What do we want and need from a CRO?

How does the role fit with our existing culture?

From these questions, the role profile can be determined: where should the CRO fit in the organisation and what skill base should we be seeking?

To consider these questions, it is important to understand the role of the CRO, its evolution, and how the task can differ from business to business.

What is the role about?

The role of the modern CRO emerged in the 1980s and 1990s in response to various corporate crises and emerging market issues. It was therefore primarily a policing role, putting a brake on activities that generated excess risk. This requirement has been reinforced by a combination of business failures, corporate scandals and new regulatory developments such as Sarbanes-Oxley and Basel II.

However, the role has matured in the 21st century, spreading its wings in various directions, despite some knee-jerk reactions to the Société Générale issue and the credit crunch.

In fact, there is real business value to be gained from the role of the CRO. This is perhaps best illustrated by the analogy of two racing cars, one with brakes, one without. Which goes faster? Answer: the one with brakes – the driver has the confidence of brakes for the corners and he will go faster down the straights.

The point is that brakes are not just about stopping, and similarly the role of the CRO is not just about removing risk but taking a broader view of risk through the organisation – ERM. The brief is to ensure risk is properly understood and translated into meaningful business requirements, objectives and metrics. This includes understanding ‘good risk’ that can lead to profits, and ‘bad risk’ that can lead to excessive cost. A crisis- and regulation-driven approach to risk can lead organisations to take too narrow a view: that all risk is ‘bad’. But we know that this is not necessarily so.

The broader view

I believe the role of the modern-day CRO has to combine four functions. They are police officer, teacher, counsellor and business leader.

The police officer role can be seen as the base function – the ability to apply the brake. This aspect provides the assurance that the business is following good systems and controls with respect to identifying, assessing, mitigating and reporting its risks, and that it can react accordingly if they are being breached. However, it is reactive and lags behind adverse indicators or events.

As a teacher, the CRO has a responsibility for educating the people within the business to ensure that risk is properly understood across the organisation. The CRO should also be certain that objectives, business procedures, controls, data and reporting reflect this understanding throughout the business. Good risk management is as much about culture as it is about systems and controls, and this education can proactively address cultural issues which may lead to unwanted risks.

The CRO also has to be a counsellor, acting as an adviser to the board and management, regularly commenting on the key risks to the business. The CRO will also be available in an advisory capacity across the organisation, providing oversight and co-ordination to ensure a consistent approach. This supports the day-to-day management of risk.

The final role is to fulfil the duty of a business leader with a commercial view of risk completely aligned to the business goals. The CRO needs to measure the impact of risk and how to balance cost and benefits. This is a key aspect of the CRO’s role and the one that adds the most value to the organisation. A more effective approach to measuring risk and reward enables the business to make better investment decisions.

Where does the CRO fit in?

The role of the CRO is not simply to tick boxes for risk management, but to add essential experience at a senior level. The CRO can add value to an organisation, but the role demands a disciplined and clear approach. It also requires board level authority and commitment from the outset.

It is a peculiar position. While the CRO is there to spearhead the drive to increase risk awareness within the company, the responsibility is not solely his own. Any employee can expose a business to risk and therefore all staff need to be responsible.

A number of different generic models have emerged, although there are variants within each. These models may include one or more of the facets which make up the modern CRO. The three main generic models are outlined below.

In the first model, the CRO is a fully paid-up member of the executive committee, not only reporting directly to the CEO, but also being the risk management representative on the board. His role is to advise the board and operational business units on how to tackle risk. Within this model there are a number of variants, and the CRO may also have other responsibilities, such as compliance. He acts as both counsellor and police officer. However, the CRO’s team will tend to comprise a number of direct reports with specific responsibilities for group level risks. These are combined with representatives from other business units – especially for the likes of operational risk.

In this structure the organisation gives focus and weight to risk management with specific responsibilities defined for making it happen. Equal weight is given to the four roles of the CRO, although the business leader typically comes to the fore. This model tends to be favoured by organisations that allow a significant degree of autonomy across the organisation and therefore require a proactive and flexible approach to risk management.

In the second model, the CRO reports to the CFO as part of a combined finance and risk function with the main emphasis being on the police officer and teacher roles. This type of structure has been developed through an increasing need to integrate risk with financial data and processes as a result of regulation such as Basel II. It is likely to be popular with businesses that wish to take a compliance approach to regulation and have a more centralised control culture.

In the third model, the CRO focuses on the role of teacher and counsellor. The CRO tends to have few or no staff and achieves objectives through a mixture of education, persuasion and engagement within each business unit. This model tends to have a lower direct cost and suits smaller, closer-knit organisations. However, it relies heavily on the influence of the CRO, and requires a risk management culture to be firmly embedded across the whole company.

Meeting the challenge

The CRO’s role is very much a balancing act. This balance is affected by the company’s corporate aims, strategy and structure, as well as its ERM strategy. The first challenge may be to establish exactly what the role is, what the jobholder is accountable for and how it fits into the rest of the organisation.

One key element is how the CRO interacts with other group functions, such as finance, compliance, internal audit and actuarial. This needs to be articulated clearly, and practical approaches need to be established.

Also, structurally, an appropriate balance must be found within the risk management framework between group level, business unit, territory and subsidiaries. The models that exist are dependent upon the underlying culture of each organisation. For example, businesses with a strong centralised culture tend to have risk frameworks biased towards group functions. Those that encourage more local autonomy tend to place responsibility for risk management at the local level.

Appointing a CRO to provide leadership in risk management is an important development for any firm. It is a keystone in the building of its ERM strategy. It is also a wise business move. It enables firms to make better investment decisions through a more effective approach to measuring and balancing risk and reward.