The emerging role of the CRO
by Peter Atrill, 18 Oct 2006
Diploma in Financial Management: relevant to Module B
In recent years, organisations have taken a more proactive and systematic approach to the ways in which they deal with risk. Within large businesses, risk frameworks, such as enterprise risk management (ERM), have been increasingly adopted to provide a properly integrated approach to managing risk. The need to take a more serious and considered approach to the way in which risks are managed reflects the increasingly complex environment within which modern organisations must operate. Factors such as the greater regulatory burdens placed on business, the increasing use of new financial instruments and the recent spate of corporate governance scandals have given particular impetus to this trend. It is worth remembering, however, that risk management is not simply about protecting a business from possible adverse consequences; it can help identify opportunities with the required risk/return relationships, which in turn can help add value to the business.
Adopting an ERM framework means that risks are no longer regarded as being within the domain of managers of particular business segments. A more integrated and comprehensive view is taken, which considers risk within a strategic context. This approach can help in establishing common priorities and systems for dealing with risk. It can also help in recognising risk interdependencies and in identifying risks that do not fall clearly within the realm of a particular business segment. If, however, an integrated approach to risk management is taken, an obvious question to ask is ‘who has overall responsibility for managing risk?’ For many large organisations, the answer is the CRO.
What does the CRO do?
The key role for the CRO is to take a lead in embedding a culture of risk awareness within the business. The role will involve:
- developing appropriate training programmes in risk awareness and risk management
- ensuring that risk is properly considered in strategic planning, particularly when capital is to be allocated
- developing risk management policies that take account of the risk appetite of the organisation
- developing appropriate risk measures and risk reports, which identify losses, key risks to be managed, incidents etc
- developing appropriate information systems for risk measurement and reporting.
It is important to emphasise that the role of CRO is not primarily concerned with technical issues relating to the management of particular risks. Rather, it is concerned with coordinating the response to risks among managers. Individual managers will still retain the responsibility of dealing with risks falling within their domain, but this will be carried out within an agreed framework. The role of CRO will usually involve facilitating communication between managers to ensure appropriate responses to particular risks and providing advice where necessary.
To be effective in carrying out the above role, the CRO must be able to work closely with others. Thus, good interpersonal and communication skills are essential. The CRO must be persuasive and must be able to convince others of the importance of identifying and managing risks for all those connected with the organisation. To do this, risks and their consequences must be explained in a way that resonates with the particular individual or group being addressed.
To be effective the CRO must also possess a thorough knowledge of the organisation. It is vitally important to identify emergent risks and to ensure there is an appropriate response. This does not, however, mean that a detailed understanding is required of all aspects of the particular risks facing the organisation. In a large business, this would be too much to ask of anyone. Instead, the CRO, like other senior managers, must be able to take a broader view. Acting as coordinator and facilitator of the risk management process, as mentioned earlier, is much more important than a high degree of technical expertise in particular risk management areas.
To whom does the CRO report?
To reflect the importance of risk management to the business, the CRO is normally given senior manager status. Thus, the person who occupies this role will usually report directly to the chief financial officer (CFO) or the chief executive officer (CEO). Nowadays, many large organisations also have a board committee that is charged with ensuring that the risks confronting the business are properly identified, evaluated and managed. There may be a separate risk committee or these tasks may be undertaken by the audit committee.
The CRO will normally report directly to whichever of these committees is charged with risk management issues. Such direct access to the CEO or CFO and to a board committee gives the CRO considerable influence within the business, which can be extremely helpful in overcoming resistance to the role. Thus, managers who may be sceptical of the role of CRO and who may resent any interference in the way in which they manage their particular domain may, nevertheless, find it in their own interests to develop a good working relationship with someone who has the ear of top management.
In very large organisations the CRO may have staff based within particular business segments who report to the head of the particular business segment as well as to the CRO. However, it is often the case that the CRO will have no staff and will, instead, monitor and evaluate risk through meetings and discussions with managers from each business segment. In small organisations, the role of CRO may be a luxury that simply cannot be afforded. There should still be, however, someone within the business who is prepared to act as a champion for risk management and who is actively supported by top management (ref 1).
Key issues
One way of finding out how CROs spend their time is to look at the priorities that they have established and the problems that occupy their minds. Some insight into these issues has been provided by a recent study, which was based on a survey of 137 senior risk managers as well as interviews with CROs from both financial sector and non-financial sector businesses.
The study asked respondents to identify the main priorities that currently exist and the extent to which these are likely to change in three years’ time. Chart 1 sets out the findings.
CHART 1
How much of a priority are the following risk management activities in your company?

| All sectors | Now | Three years from now |
|---|---|---|
| Ensuring that the organisation is in full compliance with regulations | 1 | 1 |
| Informing the board of significant risk issues | 2 | 5 |
| Assuring business continuity | 3 | 7 |
| Delivering an integrated picture of risk across the enterprise | 5 | 4 |
| Monitoring and identifying emergent risks | 4 | 2 |
| Training and communicating with the workforce on risk management policies and structures | 8 | 11 |
| Extending risk principles into the wider business strategy (eg new product development, development of new markets) | 7 | 3 |
| Developing the data strategy required to build an accurate picture of operational risk | 6 | 10 |
| Educating the investment community on the organisation’s risk management strategy | 9 | 9 |
| Developing alternative risk transfer strategies | 11 | 8 |
| Evaluating insurance coverage | 10 | 6 |
Source: Economist Intelligence Unit survey, April 2005
We can see that regulatory compliance is the main concern for risk managers and that this is likely to be their main concern in three years’ time. The welter of new regulations arising from sources such as Basel II or the Sarbanes–Oxley Act has no doubt helped to ensure that this area will remain at the forefront of risk managers’ minds. We can also see from Chart 1, however, that some risks are likely to take on greater importance in the future. Monitoring and identifying emergent risks will rise to the second most important priority in three years’ time, probably reflecting further uncertainty and risk within the business environment, and extending risk principles will rise to the third most important priority, perhaps reflecting a broadening role for the CRO (ref 2).
The study also asked risk managers to identify the main obstacles that have to be overcome in carrying out their tasks. Chart 2 sets out the findings.
CHART 2
Main obstacles for risk managers
Average % score given by respondents for each obstacle*

Source: Economist Intelligence Unit survey, April 2005
* % of survey respondents who say this issue is a major obstacle minus those who believe it is not a major obstacle.
From this we can see that consolidating risk systems and processes, often to deal with compliance reporting issues, provides the biggest headache for risk managers in financial sector businesses. Managing globally dispersed operations is, on the other hand, the biggest problem for risk managers in non-financial sector businesses.
Conclusions
Although the role of CRO is relatively new, it is rapidly gaining acceptance among large organisations. The growing complexity of the business environment, and the dangers lying in wait for the unwary, appear to have provided the main impetus for this acceptance. The key role for the CRO is to ensure that a culture of risk awareness is fully embedded within the business. To achieve this, the broad-based business skills of leadership, coordination and facilitation are more important attributes for the CRO than the narrow technical skills associated with day-to-day risk management.
As a senior member of the management team, the CRO will normally report directly to the CEO or CFO as well as to the relevant board committee responsible for risk management. This reporting relationship enables the CRO to exercise considerable influence within the business and can help in ensuring acceptance of the role among other managers. The survey evidence shows that regulatory compliance is the main concern for CROs and that this is likely to remain the case for the medium term. Monitoring and identifying emerging risk and extending risk principles, however, are also likely to become high priority issues in the future. The main obstacles to be overcome are those of consolidating risk systems for CROs in the financial sector and managing globally dispersed operations for those in the non-financial sector.
REFERENCES
1 Is it time to consider a chief risk officer for your company?, RSM McGladrey Inc, Advantage, January 2005, Vol. 1, Issue No 9.
2 The evolving role of the CRO, Economist Intelligence Unit, The Economist, 2005.
Peter Atrill is examiner for Module B


