White paper: The role of the CRO

DOWNLOAD THE FULL GUIDE HERE

Two of the striking advances in governance theory and practice are the establishment of risk management as a full-fledged discipline and risk management practitioners as risk management professionals.  These advances come none too soon, expectations for good governance are increasing and transformational change driven by in technology advances, have unleashed a flood of emerging, increasingly complex and often connected risks on top of the many more familiar ones. 

Organisations are still learning how to organise their approach to managing risk and how to handle a changing landscape of risks and opportunities. It’s common, even from companies with well-established risk management practices, to describe their state as “we’re on a journey.” The issues is to ensure the journey is progressing rapidly enough, especially in the context of business transformation in this Digital Age. 

The Challenge

So, the challenge is, if the business environment is becoming more complex, and connected and the pace of change is increasing with greater demands for risk disclosure, why would the board or C-Suite not want to share the corporate risk load with a person who would be charged with uniting business silos and achieving a view of risks across the business?  If organisations are serious about managing risk, Airmic believes they should consider a dedicated senior leadership role to spearhead the risk management programme. However, if this is the most appropriate way to ensure that risk management is fully embraced, why has the role of Chief Risk Officer (CRO) been slow to develop outside the world of financial institutions?  With the UK Financial Reporting Council (FRC) proposing a revised Corporate Governance Code, it is timely to stimulate discussion on this important question.

The questions

The questions we address in this paper are 

• “Where are the challenges in the management of risk?”
• “Is it essential to have a central risk leader?”
• “Should that central leader be a CRO?” 
• “Is improving risk management capability high on your board’s agenda?” 

Framing risk management in a new way

The concept that risk management is on a journey might be better phrased as “risk management is evolving into something new”. That new perspective is still in the process of being articulated, but it begins with accepting the fact that humans are not very good at assessing risks and often are not particularly interested in doing so. This is not a criticism; line managers need to be optimistic and focused on the tasks at hand - it’s only natural they’ll need help attending to, assessing, and mitigating risk.

Risk can be seen as a kind of shadow entity that sits beside everything we do. Just as we need marketing to look after customers, finance to look after money, and human resources to look after people; we need a risk leader to look after this strange entity of risk. In the absence of a risk leader, no one else has the time, inclination or skill set to develop a holist view of risk and how to manage it.

When we start seeing risk through this lens we see that it’s an essential element of resilience and sustainability. This is where risk management gets exciting and we begin to wonder whether it could become a new type of competitive advantage for organisations as we move deeper into a turbulent century.

This leads us to a forward-looking view of risk, one that considers risk as a tool for executing strategy, and to a forward-looking view of the risk leadership capability we need to build.

Would anyone on your board be excited by this view of risk? Is there anyone who is beginning to see how risk management might be evolving into an important discipline that is more akin to strategy than audit?What’s the consensus on how to approach risk management?

“The approach to managing risk should be fluid. The CRO could be a project role. It should not be perfunctory, but focus on driving change and inter-departmental collaboration. Supported by metrics, an objective of the CRO should be to consider how good or bad the organisation is. Following the project stage will come a process of fine-tuning by business leaders - probably deconstructing much of what has been built by the project”.  Nick Hedley, Partner, Hedley May

What’s the consensus on how to approach risk management?

Given the complexity of a comprehensive approach to risk management the natural step is to look for what is working well in other organisations. Unfortunately, there is no consensus on best practice. Risk is organised in many different ways, moreover some risk departments have such a narrow mandate that they are hardly comparable to those where risk management is charged with providing strategic insights.

This implies that each organisation will have to critically assess if the structure and approach it currently has to risk management is in fact working.  Who will do that assessment?  Ultimately the board and CEO, but they will probably need help—just possibly, help from a CRO.

What is clear is that it’s hard to imagine a large organisation without a central risk leader (whether or not they are a CRO) supported by a small team of risk specialists. There are many people involved in risk and the board needs someone pulling it all together

How much does the lack of established best practices concern you? Does this mean that organisations are stumbling along with poor practices or does it simply mean that there are many reasonable approaches to handling risk?

“Carrying out traditional risk management well is no longer enough. New risks have swung into view, senior-level demands are changing, and new capabilities are forming. It’s an exciting time for risk leaders to reframe the function for the new era”. Richard Smith-Bingham, Director, Global Risk Center, Marsh & McLennan Companies 

Critically assessing risk management capability

Before we look further at what a risk leader does, and if that leader should be a CRO, let’s consider why there might be a need to enhance risk management capability. Organisations can assess where the gaps are in their risk management practice by considering the following elements:

• Strategic overview
  Risk dives deep into every silo within the organisation and there needs to be a method for gathering intelligence, seeing the big picture, managing the cross-functional interactions and catching anything that might fall through the cracks. This strategic overview also needs to assess whether the other elements in this list are being adequately managed.
• Strategic challenge
  The risk function must include the ability to challenge leaders whose assessment of risk or actions to mitigate risk are inadequate.
• Accountability
  Throughout the organisation (starting with the board) it has to be clear who is responsible for various risks and risk management processes.
• Processes
  There have to be processes (again throughout the organisation) to ensure the risks are identified, assessed and managed. In particular, the processes must ensure that decisions made to mitigate risk are actually implemented.
• Expertise
  There are specific skill sets for risk management as a profession as well as specific skills needed to manage risk in each functional area.
• Crisis and continuity management
  The organsation must be able to react quickly and competently when risks materialize.
• Culture
  No amount of process will trump a culture that has a cavalier attitude towards risk.

Take a moment to consider which of these elements is weakest in your organisation. This may be harder than it first appears. The brevity of the list is misleading. Each element extends across the breadth and depth of the organisation. The exercise of identifying major gaps in risk management is difficult but make a note of what springs to mind.

“Ideally, within organisations there should be some separation between operational and strategic risks. Personally, I don’t think organisations, including board and risk and internal audit functions spend sufficient time focusing on strategic risks.  After all those risks are the ones most likely to bring the organisation to its knees and impact the bottom line.  Interestingly, there was some research done by CEB showing that something like 66% of loss of share value was caused by the materialization of strategic risk; whereas in general internal audit spends less than 6% of its time focussed on strategic risks.  Having some kind of risk leader at the board level might bring more attention to strategic risk and mitigate the impact of strategic risks materialising.” Elizabeth Sandwith, Chief Professional Practice Advisor, Chartered Institute of Internal Auditors

“The CRO should be seen as a role with a mission to be accomplished, not a job with responsibility for a set of tasks.” Michael H McInerney, President, Executive and Board Services Consulting Group

What does the risk leader need to do?

Assuming that there are some gaps in risk management capability it would be natural for the board to ask the risk leader to advise on a way to close those gaps. If they are to have the capability to close the gap they have to have the right mandate—and this is a topic with some competing perspectives.
Despite the title, risk managers never manage risk, they facilitate the management of risk.  It’s operating managers who make the actual day-to-day decisions about risk and it’s important the accountability for managing risk lies with them.  That leads to the question of how risk managers facilitate risk management. There are two main answers:

• Compliance: Risk management is mainly about compliance, in some ways it is analogous to internal audit.
• Strategic insight: While compliance is essential, the more interesting part of risk management is strategic insight into risk, working with other managers to get insight into risk they otherwise would not have had. In some ways this view of risk management is analogous to strategy.

To add some colour to this we might consider the two views of risk management on these dimensions:

No one doubts the necessity of the compliance-oriented focus on diligence and expertise; however, if the gaps in risk management capability lean towards more strategic or cultural issues then it’s hard to imagine closing those gaps without a strategic-insight orientation towards risk management.

Furthermore, there is a real tension between a compliance mind-set and the strategic insights mind-set. If the risk leader gets stuck in the compliance box, then the role can easily devolve into an unloved tick-the-box function. However, a risk leader can’t get immersed in the evolving strategic side of the work until compliance is under control.

Does your board emphasize the “strategic insight” view of risk management? No one would say that they don’t emphasize compliance, so the better question is whether the board also emphasizes the strategic insights on risk that a free ranging risk manager might bring to light.

“The risk leader must be able to challenge the board on how well it is handling the oversight of risk and challenge the executive team on how well they are handling risk as part of day to day management.” Jamie Lyon, Portfolio Head, ACCA

How a risk leader approaches their work

It’s a simplification, but one can see the compliance side of risk as deft management of a series of processes such as a risk identification process, preparation of risk registers, reporting and so on. The strategic side is better seen as a series of conversations. 

If a risk manager is talking to the right people at the right time about the right things, then they—along with the managers they are talking to—will uncover risks and appropriate ways to deal with them. Unlike processes which follow a clear structure, this kind of conversation is built around having an ear to the ground and a wide set of trusting relationships.

In this intelligence gathering mode the risk manager is working across boundaries, they are part of conversations that might be relevant to risk and in which they might be able to add insight. Also, they may have nothing to add to the conversation, but it may play a role in helping them eventually connect the dots and bring insights that couldn’t be seen from within any one silo. 

These two sides to the role are quite different: one nicely structured, the other highly fluid. When we think about the kind of person we need as risk leader and what they will do when they are there, we need to keep these two different roles in mind.

Is your organisation’s culture amenable to a free-ranging risk manager? If an organisation likes to keep things in clearly defined boxes or doesn’t have high trust, then it will be difficult for a risk manager to play the intelligence gathering role unless they have the authority that comes from being in the C-suite.

“As a risk leader, even where we have specialist functions overseeing particular risks, I need a good understanding of the area – it’s not just about facilitation.” Andre Katz, Director, Enterprise Risk Management, BT Group

What skills does the risk leader need to have?

Given what’s required of risk management, it’s likely that organisations will want a risk leader with a small risk team which acts as the hub for risk management. Presuming that this leader needs to encompass both the compliance and strategic insight view of risk, what skills do they need to have? 

Here are some of the elements commonly identified as important:

• Knowing the business and industry
  Risk is so context specific that it’s essential to have a deep understanding of the business.
• Building relationships within the organisation 
  Risk leaders, in effect, ask others to share “What might you do terribly wrong?” They won’t get answers without a trusting relationship.
• Soft skills in collaboration and education
  Risk leaders are constantly dealing with people who are much more expert in the operations than they are and need the skills and humility to facilitate a discussion of risk. 
• Technical expertise in risk management
  The risk leader will be expected to be the expert on risk management methodologies 
• Capable of connecting the dots
  The risk leader is ideally positioned to see how risk in different areas link together, they need to have the ability to connect the dots.
• Courage to push back against the executive team or board
  Sometimes gentle persuasion is insufficient, and the risk leader needs to push back against unsound decisions or practices.

What trade-offs would you accept in choosing someone for this role? For example, if someone had really good soft and hard skills would you accept lack of knowledge about the business?  If someone had really good soft skills and knew the business would you accept lack of hard skills in risk management?

Is it better if the risk leader is a CRO?

Considering the skills that a risk leader should have it’s clearly a big job. Can the risk leader sit a few levels down in the organisation or is it better if they are a CRO? Let’s review the main pros and cons.

To date that has been little appetite for creating a CRO role for corporations that are not financial institutions.  This is likely a result of seeing risk management as mainly a compliance function - and who wants more of that? All the pros and cons seem to revolve around these two factors:

• Do we embrace the evolving role of a risk leader as providing strategic value to helping the company achieve its goals?
• Do we think we could find an individual who would do the role appropriately and not fall into the traps outlined in the list of cons?

Is there clarity about which pro or con is driving your view about the CRO? Often having many pros and cons muddies the water when at heart there are just one or two factors that are really driving someone’s intuition on a controversial issue. Which factor is most salient to you?

“A potential danger for a CRO is that they are seen to become the risk owner and that the business operators walk away from their accountability to manage the risk.” Group risk leader, FTSE 100 Company 

Conditions that call for a CRO

Clearly there is more than one acceptable approach to risk management and whether an organisation needs a CRO will depend on the situation.  Here are various conditions where it’s likely that the organisation should elevate the risk leader job to being a CRO:

• If there is a need to bring cohesion and simplicity to global risk management practices
• If the risks the organisation faces are particularly complex or uncertain
• If the risk leader is stuck in a compliance role and is unable to play a strategic role
• If the risk issues revolve around culture and behaviour
• If there is a problem with risk oversight at the board level

Do you have any of these conditions? Are they pressing enough that you need someone in the C-suite to address them? There is no question that there are many ways to address risk management and the CRO is only one option, the issue to consider is whether the situation in your organisation causes you to lean towards or against having a CRO.

Recommendations

• Engage the Executive Committee in a comprehensive discussion of the current risk management capability. The demands on risk management and even the perspective of what risk management is (i.e. compliance oriented or strategic insight oriented) are changing.  The executive committee needs to consider if they’ve fallen behind.
• Don’t let regulation distract you from the goals of the organisation. The pressures of regulation may dominate a board’s view of risk. In discussing risk management capability, think in terms of helping the organisation reach its goals, not just in terms of complying with regulations.
• Evolve towards a solution. Given the dynamic risk environment and the lack of clear best practices, organisations should think about evolving towards increased risk management capability as opposed to figuring it all out in advance. The important thing is to be moving forward even though the final solution is not in sight.
• Assign owners of the top risks. Keeping in mind that a risk leader doesn’t own the risk, it can be helpful to explicit assign various business leaders with ownership of the top risks. 
• Count on the risk leader to create the environment they need. A strong risk leader will act so that they are seen as someone who helps business leaders achieve their goals. It helps if they are given the right mandate, it helps if the executive team supports them, but nothing matters more than the capability of the individual to genuinely be a leader.