Are CROs and risk managers responding to the growing uncertainty facing corporates and the governance challenges of their boards?

View from the board

The business environment is becoming extremely complex and volatile, driven by economic and political instability, technology innovation and interconnectivity. Some would describe this as increased VUCA (volatility, uncertainty, complexity and ambiguity). We therefore see what were previously considered high-impact/low-probability events happening with increased frequency. Consequently, NEDs, EDs and risk managers/chief risk officers (CROs) are facing an environment that is putting pressure on existing capabilities and processes.

One of the key challenges for CROs, and also for boards, is how to approach these issues in the most effective manner in order to ensure that risk management:

  • Adds value by increasing resilience in a cost-effective manner
  • Delivers fit-for-purpose/cost-effective risk management
  • Delivers good governance

There is a real opportunity for CROs (and the risk organisation) to become more proactive and responsive, and shift the focus to forward-looking analysis that supports the business more effectively

in navigating the increased VUCA, while supporting the board in discharging its governance responsibilities.

In this article, we address these risk management challenges both from a governance and a functional perspective.

What is the core of the governance challenge?

The increasingly volatile, ambiguous and uncertain geopolitical and economic context means that investors put a premium on enhanced financial, operational and strategic resilience as it improves the quality of the cashflow/dividend streams.

The governance demands on organisations are becoming increasingly challenging in terms of the expectations of both the regulators and the investors. This is happening at the same time as the general market and economic outlook is becoming ever more complex. Hence, considered risk-taking to enhance and protect value is at the top of the board and management agenda – and as a consequence, there is also a need to ensure that risks are managed and controlled in line with risk appetite and strategic objectives.

The roles of the board and management are complex, and they need to ensure that they have a clear picture of:

  • The accountability and responsibility allocation between management, risk management, compliance and internal audit / assurance functions
  • The interaction between these functions and the oversight committees of the firm

A lack of clarity would be a key concern from a board perspective, as this would impact significantly on the board’s ability to discharge its risk management and governance responsibilities – both in terms of challenging exco and overseeing the allocation of accountability and responsibility between the various management, risk management, control and assurance functions.

How can we assess whether we are at risk from these governance and control issues?

In our experience, most organisations have multiple functions providing assurance to both executive management and the board. These include:

  • Internal audit
  • Technical assurance functions
  • H&SE
  • Management audits/peer review
  • CRO/risk management sign-off – including self-certification and feed-in to the overall exco sign-off to the board.

However, unless the responsibility and accountability of these functions are clearly defined, with well-articulated performance/quality standards for the deliverables, it is challenging for the board to get a clear picture of:

  • The reliance that can be placed on the assurance provided
  • The interfaces between the various processes and outputs.

We therefore often find that boards are addressing key questions such as:

  • Do we have the right delineation between management, risk & control functions, and assurance functions – or are any of the three deficient or overreaching outside its boundaries? For example, is internal audit performing risk and control or even management activities?
  • What reliance can we put on the outputs from risk and control and assurance functions?
  • What assurance/sign-off is provided by the risk function?
  • How is this tested/verified by internal audit?
  • Do we have a consistent assurance standard – including ratings criteria, analytical rigour and reporting?
  • Are we getting assurance that enables value protection and creation decisions at a reasonable cost?
  • Is the CRO and risk organisation providing the appropriate level of leadership and direction to the board and the business?

For some organisations, the answer to these challenges is a reallocation of the time allocated to proactive risk management rather than monitoring. This can involve changing the culture and the ownership for both the risks and the controls – and removing the sense that management can wait for internal audit or other assurance functions to spot whether there are any shortcomings.

This reaffirms that management is responsible for taking, managing and controlling the risks to protect and enhance value.

Equally, there is a key role for the CRO and risk organisation to play in providing the approaches, tools, probing questions and advice to support both the business and the board.

What is the core of the skills and competency challenge for the CRO and risk function?

The key questions to assess to determine whether a CRO/risk organisation is fit for purpose are:

  • Is there the right level of engagement with the exco and the board?
  • Do they bring the right expertise and insight to strategic and operational decisions?
  • Do they have the competencies and attitude to raise and address the business and risk challenges facing their organisations?
  • Are they addressing their mandate and interaction with the business from a value protection and value creation perspective?

The business world has changed and the risk management approach and tools need to reflect the increased VUCA. In order for CROs to have a voice at the executive table and to add value beyond reporting and compliance, a fundamental rethink is needed in order to align with these new and more demanding requirements.

This also needs to extend to the value that the CRO (and their organisation) adds to the board in supporting them in making the appropriate capital allocation decisions, as well as delivering value-adding governance and oversight.

The core of the challenges lies in the following:

  • Risk organisations have not fundamentally changed over the past 5 years and are often not equipped to deal with the new complexity and uncertainty. They are therefore often not at the heart of the business and typically focus on the risk process and reporting rather than supporting decision-making. There is now a pressing need to change that.
  • Risk organisations need skills to be built around the needs of the business and the expectations of the board. The role of the risk manager or CRO requires sufficient seniority, both in terms of skills and gravitas, to be able to challenge management and to be a trusted business partner.
  • Risk organisations are perceived to add little value in terms of helping management to manage risk and protect and enhance value.

How can a CRO become an integral part of the value management agenda?

It has been recognised for some time that many risk organisations have been overly focused on reporting and compliance. However, in order to increase the responsiveness to a more dynamic business and risk environment, and to provide forward-looking decision support, new risk management approaches are required. These approaches include proactive horizon scanning, use of scenario planning and simulation techniques, accessing deep subject matter expertise on specific risk topics (such as cyber, migration or political stability) and need to be embedded in the risk management framework and processes. The CRO needs to become more proactive and forward-looking, and be supported by internal and external data as well as analytics platforms that support as-is and predictive analysis.

The CRO is in a prime position to help the organisation to deal with the challenging and fast-changing business environment. The risk insight of the CRO can be leveraged in discussions with the businesses to test the viability of the business model as well as the potential for disruption and/or new opportunities. Scenario analysis can be a very helpful tool in such discussions, and we have seen great results being achieved when the strategy and risk functions work jointly with the business on these topics. The multi-disciplinary approach also extends to other functions including, for example, business planning and technology, and ensures that a holistic and integrated perspective on risk management is brought to the exco and board.

It is clear that CROs need to build a new set of skills that is more responsive to the needs of the business. This will be an ongoing process that will take time. However, we can foresee that the CRO and risk function of the future, wherever it reports, will have a different ‘look-feel’ to most existing corporate risk organisations.

In our experience, many risk processes are operating in silos without the required connection to other key processes within the organisation and as a consequence, the risk evaluation is ex-post, whether in the case of financial planning, capital investment decisions, M&A or portfolio reallocation. The multi-disciplinary approach described above, as well as the breaking down of the functional silos, are all steps to be taken to bring a clearer and forward-looking risk picture to the board. It should also alleviate the scope for lack of alignment between risks identified in relation to the budget, risks in strategy setting and risk identified through the ERM risk assessment process.

Although we have highlighted the importance of up-to-date and leading-edge skills, we have also observed the importance of the attitude and mindset of the CRO in operating effectively and having the capability to contribute to value creation. We see effective CROs as being able to balance asking the challenging and probing questions while also being a trusted advisor to the business. In our experience, business leaders are looking for solutions rather than roadblocks. The CRO can fulfil that role, provided they demonstrate the required integrity, independence and support to the business. Once trust and respect have been built through a positive and ongoing engagement, we have observed that the business will proactively seek out the challenge and advice, preferably from someone that can provide the outside-in perspective. This demonstrates how CROs can create lasting impact by balancing the review and challenge with a business partnering mindset.

Finally, the reporting line of the CRO can be a significant constraint on their impact. It is generally acknowledged that the CRO should report to an exco member, be that the CEO or CFO (or, as is the case in some organisations, the general counsel). However, by the same token, the CRO will not get this visibility and access unless they provide the insight and contribution that ‘move the dial’ on key strategic issues. We have seen many examples of good heads of risk/CROs being placed at too low a level within the organisation and therefore losing their presence, impact and credibility.

Conclusions

This article has addressed burning governance and risk management issues. CROs have an obligation to review critically the capabilities, processes and tools they apply in challenging and guiding the organisation in the heightened VUCA world that is the new reality, and grasp the opportunity to change.

At the same time, boards need to continue to monitor whether they are getting the right level of assurance to deliver value to the organisation and discharge their governance responsibilities. Boards also need to provide the CROs with a mandate that allows them to operate effectively and contribute to business success.

CROs will not gain the voice at the senior table without addressing the issues discussed in this article and fixing the gaps – nor will they be able to address the perception of low value-add and play a bigger part in the contribution to the success of the organisation. There is no silver bullet – the changes are likely to include process, methodology, data and mindset/culture. However, without these changes, CROs will be encumbered in delivering value to the board and exco.

The time for change is now: most organisations are on a journey. For many UK listed companies, this was prompted by the 2014 update to the corporate governance code. However, we have demonstrated that there is a compelling external environment and business need underpinning the changes we have recommended. The CRO needs to build a value proposition for the business, move away from only focusing on the risk process and reporting, and become the strategic partner helping the business to deal with the increased VUCA.

From a NED perspective, the key is to find a cost – risk effective model which allows management to operate and boards to govern. This is not necessarily a continuation of the status quo – however, it is a call for a measured and proportionate approach that delivers business value, compliance and good governance. The CRO can be a key ally on the journey.

Topics