Not long ago, the principal questions that senior managers had about enterprise risk management were: “Is there a good reason for my organization to consider an ERM program?” and “If I do, will I have to create a new executive position to run it?” Over the last five years, however, two major trends have given rise to new, richer, organizational questions.
First, it is now clear that ERM has moved from being an interesting management concept to an important management practice. Organizations are giving enterprise risk management increasing attention, high-level accountability and clear responsibilities as befitting a legitimate strategic discipline. They are doing so because the managers we surveyed believe that ERM helps them create and improve shareholder value through risk-based decision making and capital allocation.
Second, it is now equally clear that in order to implement ERM as a management practice, organizations are creating ERM-specific roles, responsibilities and structures, in particular the chief risk officer, a position that has risen dramatically in prominence over the last few years. The reason for this rise is simple: as companies practice integrated risk management, they are realizing that having multiple risk officers makes no more sense to well-managed companies than it would to have multiple CEOs, CFOs or chief marketing officers.
The new questions about the CRO for leading companies, then, are: “What should the CRO do?” “What should the CRO look like?” “Where, exactly, does the CRO fit in the organization?” And the question for risk management practitioners is: “How do I become a chief risk officer?”
Duties and Responsibilities
As a strategic function, the CRO and his or her team play a critical part in the organization’s winning strategy. While just a few years ago that part may have been largely operational, providing technical input to the decisions of the organization’s policy-makers, today the CRO in leading companies participates in policy making and decision making. In particular, the CRO is becoming instrumental in two policy-making areas.
The first is assuring that the organization has processes in place so that it complies with the very much heightened risk management expectations of shareholders, regulators, and even elected officials and attorneys general. The second is developing and introducing an integrative risk management framework. The purpose of the framework should be twofold: to help the organization mitigate risks, and to help it allocate capital to build shareholder value with a full understanding of both the positive and negative potential of the risks involved.
In playing these broad, policy-level roles, the CRO helps senior managers understand the interrelationships of various types of risk. With that understanding, management can maximize value by relating its decisions on the risks it takes to its decisions on the capital used to finance its business. By managing a well-considered ERM strategy, CROs can balance the enterprise’s portfolio of identified and quantified risks with a portfolio of capital resources to derive real value for the organization.
CROs generally have a set of specific responsibilities that amount to creating a risk-aware culture in the organization. These include central oversight of the organization’s risk assessment and risk appetite; familiarizing the organization, its shareholders, regulators and rating agencies with the ERM program; implementing a consistent, integrated risk management framework throughout the company; managing that program with a particular emphasis on operational risks; and developing ways to mitigate and finance risk within the organization’s larger business strategies.
Obviously, the CRO cannot carry out these responsibilities alone. The CRO works with, and through, the other risk managers in the organization. But given how comprehensive the role is, the CRO also works with every part of the organization: senior management, operating groups, finance, legal, human resources and the like. We are also finding that most successful CROs tap into two valuable resource groups: internal audit and strategic planning. The audit function provides important lessons from its hindsight/compliance views. The planning function offers the opportunity to include a risk assessment and management aspect in all future strategies the organization intends to pursue.
Competencies of the CRO
Clearly, the role of the CRO is far different from the often-misunderstood function of risk manager. As the catalog of responsibilities above suggests, the work of the CRO in managing the company’s ERM program touches all aspects of the organization and requires input from several disciplines, some of which are very complex and detailed.
Does that mean the CRO needs to be the “analysts’ analyst,” the master of a wide variety of technical disciplines? When we began tracking ERM, that seemed to be the assumption for companies considering a CRO. The CRO, in those relatively early days, was, in fact, viewed as the master technician of an arcane craft.
But as the role has developed and companies have gained greater experience with it, the profile of the ideal CRO has shifted. Leading-edge companies agree that the CRO should be analytical and bright. He or she must, after all, assimilate and understand a mass of information from a variety of sources in the organization. And the CRO in many companies both guides the usage and understands the output of highly sophisticated modeling tools.
Nonetheless, those are not actually the critical competencies of the effective CRO. The CRO, above all else, is a leader, project manager, synthesizer and communicator. From the moment that the CRO and his or her team embark upon the formal risk assessment process, all the way through risk measurement, mitigation, optimization and monitoring, the effectiveness of communication will dictate how successful the overall process will be.
But in addition to that, the CRO must be an integrative thinker with a thorough knowledge of all aspects of the business. He or she must be able to build strong partnerships with business and corporate staffs, communicate to a wide variety of audiences in clear, understandable language, and be a skilled facilitator of group action more than simply a technical manager of risk.
Structure and Relationships
While companies are reaching a consensus on the need for a CRO, including the position’s responsibilities and many of the necessary competencies, there seems to be less of a consensus on the place of the CRO in the structure of the organization. The CRO may report to the CEO (as do about 49% of those managers primarily responsible for risk) or the CRO may report to the CFO (as do about 28% of those managers primarily responsible for risk, according to our recent survey) or the CRO may report directly to the board, or even the chief operating officer.
Ultimately, the question of reporting relationship actually may be less important than three other attributes or critical success factors for the position: unfettered access to the CEO and board of directors; leadership of an enterprisewide risk management committee; and a mutually supportive working relationship with the chief financial officer and the chief administrative executive (CAE) of the organization.
One of the leading barriers to the successful implementation of ERM is the seemingly inevitable upper-level turf war it generates. Often the turf being fought over has belonged to either the CFO or the CAE. The CRO position breaks new ground in organizations, and some of that ground may have been the responsibility of these two other senior positions. A CRO may be tempted to stake out that ground for himself or herself and battle to keep the claim. But that kind of belligerent, elbows-out-and-ready stance will more than likely doom ERM and the CRO in the organization.
Successful CROs acknowledge the possible tension with their new peers and look for opportunities to show that their position can complement what the CFO and CAE already do, take some of the load off their already full plates, and create synergies that benefit the organization and the CFO and CAE. What does the new CRO get from taking this cooperative and conciliatory approach? The CRO gains two strong allies and proponents for ERM and support for creating a risk-aware culture, as well as the insights he or she will need to do the job most effectively.
Becoming the CRO
As the CRO position has begun to take shape, traditional property and casualty risk managers have to be wondering if it is reasonable for them to aspire to the CRO position. Current practice suggests that senior managers do not automatically conclude that the CRO must come from the ranks of existing risk managers. In fact, management looks for a CRO from a wide variety of disciplines: internal audit, strategic planning, finance, actuarial and risk management.
In principle, risk managers should possess many of the skills that go into making a good CRO. As much as anyone in the organization, effective risk managers understand all the important aspects of the business. To recommend the best risk management and financing approaches, they must have a strong working knowledge of the business’s operations, finances, legal issues, buyers, suppliers, raw material inputs, finished products—in short, the value chain of the entire organization. They also need this comprehensive understanding to deal with all the organization’s internal and external constituents, including underwriters, claimants, contract holders and many, many more.
Moreover, risk managers have always had the difficult tasks of assimilating, analyzing and communicating sometimes complex concepts to leaders and managers who—while generally well-informed on financial and technical issues—often do not possess a strong risk management foundation.
Nonetheless, at present risk managers are not necessarily the first choice for chief risk officer. Despite their breadth of experience, risk managers often tend to present themselves as technical experts rather than as communicators, facilitators and leaders. If risk managers are to rise to this new position, those are the skills and attributes they need to develop and demonstrate. That is the clearest path to becoming the chief risk officer.
Charles R. Lee, managing principal, specializes in strategic risk financing consulting for the Tillinghast business of Towers Perrin.
Prakash Shimpi, practice leader, has global responsibility for leading the ERM practice for the Tillinghast business of Towers Perrin.