Roles & Responsibilities of the CRO

This is Part 8 of my blog series: The Art & Science of Risk Management

Photo courtesy of Google

I mentioned here that risk manager must know everything about the business since the risk manager is one of the few employees who operates across all functions of the business. Remember, enterprise risk management (ERM) is all about integration and part of a risk manager’s job is to ensure that there is integrated thinking across the business about risk. It is easy to see therefore how the risk manager must understand the whole business to do so. The chief risk officer (CRO), as the phrase suggests, oversees the ERM function in the business and is responsible for developing and implementing an ERM strategy including all aspects of risk. Approximately 4 in 5 financial institutions have a chief risk officer, while approximately 1 in 10 businesses have a chief risk officer overall. However, this statistic is growing rapidly, given the recent global economic meltdowns and I’m certain there will be more.

I mentioned here that there are seven components to manage within the ERM function: corporate governance, line management (i.e. operations), portfolio management (i.e. integrating business functions), risk transfer (e.g. insurance), risk (data) analytics, data and technology resources, stakeholder’s management (e.g. employees, customers, regulators). The CRO must ensure that each is up and running effectively to ensure business optimization. Specifically, the CRO is responsible for:

• Providing the overall leadership, vision, and direction for ERM.
• Establishing an integrated risk management framework for all aspects of risks across the organization.
• Developing risk management policies, including quantification of the firm’s risk appetite through specific risk limits.
• Implementing a set of risk indicators and reports, including losses and incidents, key risk exposures, and early warning indicators.
• Allocating economic capital to business activities based on risk, and optimizing the company’s risk portfolio through business activities and risk transfer strategies.
• Communicating the company’s risk profile to key stakeholders such as the board of directors (BoD), regulators, business partners, rating agencies, and stock analysts.
• Developing the analytical, systems, and data management capabilities to support the risk management program.

In today’s modern environment, the CRO works independently of the CEO or CFO, i.e. it’s not necessary for the CRO to report to other C-level executives, and has at least a dotted line to the audit & risk committee or the BoD. This increases the chance that those that have independent oversight of the company receive reliable and timely information. This is only one of the benefits of a CRO. There are many more which have elevated the risk management profession to where it is now: a highly sought for profession in the market. These other benefits are:

• It becomes easy for the BoD to delegate responsibilities to the CRO to lead and drive ERM in the organization.
• Having a CRO ensures that the full breadth of risk management is exposed to the senior management team.
• ERM requires centralization and integration and in large organizations, there needs to be a figure head that channels all the risk information into a succinct reporting mechanism. As an example, the business may have a risk manager for every business line and the CRO would act as the aggregator of information received by all of them. This makes reporting more efficient and pleases the BoD in this regard.
• It is more efficient for the CRO to have the final say on all risk management decisions in the risk department.

What should a company look for in a CRO? An ideal CRO would have superb skills in five areas. The first would be the leadership skills to hire and retain talented risk professionals and establish the overall vision for ERM. The second would be the evangelical skills to convert skeptics into believers, particularly when it comes to overcoming natural resistance from the business units. Third would be stewardship to safeguard the company’s financial and reputational assets. Fourth would be to have the technical skills in strategic, business, credit, market, and operational risks. And, finally, fifth would be to have the consulting skills in educating the BoD and senior management, as well as helping business units implement risk management at the enterprise level.

One final thought if you’re thinking of employing a CRO, the employment of a CRO is necessary if:

• your business is highly regulated (e.g banks, insurance).
• your business lines are well diversified or you have a holding company of several businesses with controlling stakes.
• your business has an Audit & Risk Committee.
• your business is mandate by government (e.g. through the national code of corporate governance) to implement ERM.

Many thanks to James Lam for contributing to this post.

Next up – The Risk Appetite
Your Risk Connoisseur
J-MLN