Ferma dignitaries discuss how best to set up risk management
The role of the risk manager, CRO or not, was the subject of debate at this year’s Ferma Risk Summit in London.
Speaking in the main presentation hall, Arnout van der Veer, chief risk officer (CRO) of information group Reed Elsevier, said that given the enhanced focus on risk issues there is a great opportunity for the profession to push their boards to take risk management seriously.
The global economic crisis has revealed four truths about risk, he said. First, risks are greater than many people originally thought; second, they are often unexpected. Third, they are often hidden deep in the organisation. And finally, risks are usually linked to human behaviour, which makes them hard to predict.
“A small issue somewhere in the world can spread quickly online and impact your reputation worldwide,” said van der Veer.
In this climate, what role should the risk manager play? The issue was investigated outside the main auditorium in a break-out session with Ferma directors.
Paul Taylor, a Ferma board member and director of risk assurance at Morgan Crucible Plc, was asked whether (as is now becoming more frequently the case with banks) a CRO should have a seat on the board—to help it understand and deal with the major business risks.
He indicated that this might be the best solution for some organisations, but he was inclined to think differently: “For me a risk manager is a driver of change who delivers results and has a supporting and facilitation role. It is not really about taking responsibility for and ownership over those risks.” The ultimate risk managers are all C-suite executives, he added.
Peter Den Dekker, Ferma’s president and corporate insurance risk manager for Dutch multinational Stork, agreed: “The CRO should not be part of the board, because they shouldn’t be part of the decision making. Risk managers are not yes or no sayers, in my view, they are literally facilitators.”
Some commentators believe that if a CRO sits on the board then they are more likely to be influenced by it and less effective at restraining the excesses of the business. The three lines of defence model, whereby operational management is responsible for implementing internal controls, group-level risk and compliance management sits above that, and internal audit sits on top, is becoming increasingly popular as a basic risk governance framework.
The three lines of defence model was explored in more detail in a report by Ferma and the ECIIA, which was launched shortly before the conference, entitled: “Guidance on the 8th EU Company Law Directive”.