Emergence of Chief Risk Officers

Three trends are driving multinational organizations to adopt an integrated approach to risk management.  These three trends are as follows:

• Broader dimension of risks—As a result of globalization, multinationals exposure to risk has increased.  A company that participates in the global market faces risks including political, foreign exchange, and terrorist exposure.  Advancements in information technology processing have also expanded risk.  Organizations are now able to operate in 24-hour virtual marketplaces and utilize complex financial instruments like derivatives.  Finally, risks are not necessarily independent.  Today organizations are linked to their business partners’ or vendors’ systems.  This dependency between organizations increases risk.
• Changing role of risk management—Some organizations advocate offensive risk management while others emphasize defensive risk management.  Offensive risk management is linked to comprehensive risk management programs.  It aims to leverage risk to determine if there is an opportunity to increase shareholder value.  Organizations are finding that offensive risk management is providing more positive effects on profits than defensive risk management.     
• Regulatory Oversight—Recently, senior management has increased its focus on corporate governance.  COSO’s internal framework has become a well accepted standard for how U.S. public companies manage and control risk.  Regulatory oversight has increased in Europe as well. 

Increased regulatory, executive, and shareholder oversight have placed a large emphasis on risk management.  In addition, the broadening dimensions of risk and evolving risk management techniques have created the need to centralize all risk management functions under a chief risk officer (CRO).  A CRO’s primary responsibility is to establish a company-wide risk management program.  Disconnected risk management can have devastating effects on an organization.  These effects can range from regulatory fines and unforeseen liabilities, to business failure. Therefore it is essential that a CRO integrate an organization’s risk management techniques. 

Organizations face many different types of risk such as business risk, operational risk, credit risk, market risk, and organizational risk.  The first step in managing these risks is the creation of a company-wide risk committee comprised of personnel involved with each type of risk.  The CRO is responsible for managing this cross-functional committee.  The committee’s goal is to identify risks and design strategies for controlling them. 

Fidelity Investments has created a Global Risk Management Group.  This group has created, based on certain principles, a risk management framework that serves as a guide for managing risk.  Fidelity’s R.I.S.K. framework is described below.

• Return:  Are we achieving an appropriate return for the risks we are taking?
• Immunization:  Do we have the controls in place to minimize losses?
• Systems:  Do we have the systems to measure?
• Knowledge:  Do we have the right people, skills, culture and values for effective risk management?

The establishment of a CRO, a company-wide risk committee, and this R.I.S.K. framework are the first steps toward integrated risk management.  This comprehensive risk management program will not be created overnight.  It takes a significant amount of effort from personnel at different levels and functions of an organization.  The increase in the amount risk organizations face today makes effective risk management a critical factor in achievement of business objectives.  As organizations move toward comprehensive risk management it is important that they create a CRO position to facilitate this change.