The complexity of the business environment and rapid changes in market place calls for stronger risk function and management. More and more organizations are appointing chief risk officers to help lead in these efforts. A recent Protiviti white paper highlights the importance of a risk function led by a chief risk officer (CRO). It highlights how organizations must realize that placing the CRO in the right springboard within the organizational structure is essential to the effectiveness of the role towards strategy setting and decision making process. Hence, the white paper provides six critical success factors that organizations should be aware of and promote to ensure the effectiveness of the CRO role.
Current State of Positioning
Following the recent financial crisis, there has been a transformation on the view that risk management is mainly a compliance tool. Protiviti’s review of the CRO function provides persuasive evidence that CROs have raised their stature within the organization and have developed clearer lines of communication and reporting with the CEO and a committee of the board of directors engaging in business and strategy setting. However, room for improvement still exists given one in four institutions still claim that the views of their risk functions are often overridden in their organization. This is attributed mainly due to poor communication between departments as a result of silo mentality.
However, the bar has been raised for engaging risk management. Hence, the current state of positioning for the risk function in an organization suggests that progress is being made in gaining a seat at the decision-making table for the risk function. And, windows of improvement opportunities are still open.
While executives must foster team work in an organization, the CRO must often be the devil’s advocate and offer alternative views to enrich discussions. Care must be taken in understanding the CRO’s role to sometimes be adversarial in order to provide diversity and avoid tunnel vision. Missing this point, the paper states, will limit the decision-making process by allowing groupthink to enter.
There are six key success factors for CROs to consider to effectively position the CRO to increase the value of risk management.
- 1. Viewed as a Peer with Business Line Leaders – In order to achieve the forward-looking risk perspective and its serious consideration, the CRO must be able to deliver those expectations through a collaborative relationship with business line leaders. Hence, the CRO must be viewed as a peer. Not doing so would hamper the ability for the CRO to function effectively and misplace the CRO’s direct reporting capability.
- 2. Board Reporting and Interactions – While the CRO is not an owner of specific risks, he or she has the task of executing a strategic oversight of the entire risk management focus that mandates free access to the board for conveyance and reporting. Not providing such access would cause disconnect in communication and the loss of resolutions to various strategic problems.
- 3. Managing Risks is Everyone’s Job – The board, senior management and other line managers must remove the misconception that the CRO is the only person responsible for risk. Risk has to be an enterprise-wide concern. Thus, raising awareness and owning risks within operations to establish a risk-aware culture is imperative to a successful implementation of a CRO’s function.
- 4. Risk is Equal to Opportunity Pursuit – Risk management functions to preserve value as well as create value. The best interests of the organizations are kept while pursuing these strategies to improve the organization. Nevertheless, organizations must realize limits in engaging in value-creating activities against value preservations controls. The CRO attempts to strike this balance through decision making and risk appetite formulation. An imbalance may raise the level of risk for the less proportionate aspect and create a setback to the organizations.
- 5. Broaden Focus Beyond Compliance – It cannot be stressed more than the fact that the focus of the CRO should be on the enterprise risks, risk profile and aligning strategy based on risks. This goes beyond compliance risks and raises the bar for the CRO. While the CRO has to be in compliance with the laws and regulations, expanding the focus will make it easier for the CRO to have the desired impact in managing risks.
- 6. Clearly Defined CRO Position – Clearly defined CRO position should be in place in order to enhance the CRO’s objectivity in fact and appearance. Setting the right expectation about the CRO’s responsibility for promoting effective governance of significant risks is crucial in furthering the role of the CRO. Not having clear definitions may cause the CRO to lose focus and extend resources in less important matters lowering the overall effectiveness of the CRO.
The importance of the depth and extent of the relationship the CRO has with senior executives and the board will enable the CRO to be in a stronger and more effective role to manage the overall risks instrumentally protecting the value that organizations have taken years to build.