In 1993, James Lam set up a new risk framework at GE Capital. At the time, he was responsible for the middle office, which dealt with credit risk, market risk, risk transfer and hedging, and for the back office, which handled operational risk. In reviewing his responsibilities, he went to his boss and said, “I'm getting ready to order business cards. What is my title?” “He didn't have one for me. So he told me to come up with one on my own,” says Lam, who is now president of James Lam & Associates and author of Enterprise Risk Management: From Incentives to Controls. At that point, GE Capital and other companies were just starting to create the position of chief information officer (CIO), elevating information technology to a C-level agenda item. “Since I was responsible for integrating all of the risks of the company, I came up with the title of chief risk officer,” he says. The concept caught on, and today, according to Lam, there are probably over 1,000 CROs around the world.
In the mid-1990s, only a small number of companies had CROs, and most of them worked for large banks. A 2005 report by Forrester Research found that almost all companies with at least $1 billion in revenue that are classified as “critical infrastructure” firms (e.g., financial institutions, energy companies, transportation companies, telecommunication providers and healthcare providers) had a CRO position. The report went on to predict that by 2007, three-fourths of all large critical infrastructure companies would have a formal enterprise risk management (ERM) office led by a CRO or equivalent title.
One reason for the growth of the CRO position has been the requirements of Sarbanes-Oxley (accounting oversight) and Basel II (capital adequacy requirements for international banks). Under such regimes, the CRO’s job is to coordinate the management of risk by serving as the single point person for all risks to which an organization might be exposed. This covers everything from accounting policies and procedures to technology networks. In sum, one of the main responsibilities of the CRO is to make sure that the company functions as it should, and that preventable disasters of any and all kinds (financial and otherwise) do not occur.
While an auditor’s responsibility is to discover things amiss, a CRO’s responsibility is to make sure nothing goes amiss in the first place. But it is not all prevention. A good CRO can create structures and practices that help a company improve its competitive position, such as implementing strategic technologies for the most effective and secure management of data. While the job requires a somewhat detailed knowledge of technology, the overriding responsibilities tend to be integrative and analytical in nature. Above all else, communication skills are critical. CROs commonly report directly to the CEO, while traditional risk managers or vice presidents of risk report to the CFO or COO.
A good CRO is someone who understands policies and procedures, as well as the nuances and details of technology and its implications. This person also needs to be able to coordinate all of the different elements of risks into a comprehensive and organized structure that operates seamlessly. This is why so many CROs oversee ERM strategies.
So what industries should consider having CRO positions? According to Lam, the decision should be made more on a matter of the size and complexity of the company, specifically in terms of the risk profile, rather than by the industry the company is in. However, he does believe that the CRO role should be seriously considered in the financial services, energy, pharmaceutical, healthcare, telecommunications and transportation industries. In addition, all companies with over $1 billion in revenue in any industry should probably have a CRO.
Having been a CRO and also having written a book on ERM, Lam is intimately familiar with both concepts and how they can dovetail. “ERM and [the] CRO go hand-in-hand, although they may not start out at the same time,” he says. In some companies, the link begins with a “revolution.” That is, a crisis occurs and management says, “Never again.” “At this point, they appoint someone to become the CRO, who then introduces ERM,” he says. In other organizations, it is more of an “evolution,” in that the company begins with an ERM committee and a champion at the board or executive level. “Then, over time, they realize it makes sense to hire a CRO to continue the leadership and development of the ERM program,” he says.
To those interested in becoming a CRO, Lam offers two recommendations. First, it is important to develop cross-functional skills and knowledge, including strong backgrounds in credit risk, market risk, operational risk and business risk. “Ideally, you should have experience in all four before becoming a CRO,” he says, “but at a minimum, you should have experience in three of the four.”
Second, you also need to take a broader view of your company’s business as a whole, and understand how the company needs to be integrating risk management into business management processes, so that you can help to improve overall business performance of the organization.
Currently, Lam sees the role of the CRO splitting into two distinct positions. In some organizations, the CRO is a genuine partner in business management, playing a critical role in growth strategy, product strategy and mergers/acquisitions. “This involves integrating different aspects of risk and different business processes,” he says. “The goal is for the CRO to be part of the solution, to implement different strategies, and to be part of policy and business decisions.” In some highly regulated businesses, though, such as financial services and pharmaceuticals, companies tend to opt for an independent compliance and audit function. These organizations often employ a “chief compliance officer,” who is responsible for corporate-level reporting, operational risk and regulatory compliance (such as SOX and Basel II).
How do CROs themselves see their roles and the future of the profession in general?
In discussing the history of the CRO position, Joanne Berkowitz, chief enterprise risk officer for PMI Group, a provider of private mortgage insurance and other financial products in Walnut Creek, California, notes that, “Financial services took the lead with the concept of the CRO in terms of becoming more sophisticated and focusing more on risk management. It has since spread to other industries, such as energy, because of the trading activity in which they are involved.” In deciding whether a company needs a CRO, Berkowitz agrees with Lam that the decision should be based more on the size and structure of the organization itself than on the industry it is in.
PMI Group takes a 360-degree view of risk: it identifies risks at the business-unit level and then aggregates them at the group level. As CRO, Berkowitz coordinates risk issues at the group level. At PMI, these risk issues cross national borders, company boundaries and other organizational lines.
In order to be able to best coordinate risk issues within PMI, one of Berkowitz’s areas of responsibility is ERM. “The role of CRO and an ERM program go hand in hand for us,” she says. Berkowitz introduced an initial framework of ERM when she came to PMI, and since that time the concept has continued to grow and evolve. “In fact, I think it would be difficult to have an ERM program without also having a CRO to manage it,” she says.
In terms of the future, Berkowitz believes that the risk management profession will continue to grow as a result of the advent of the CRO position, as well as the introduction of other tools, methodologies and models.
In other words, while the CRO position has become an important launching pad for the growth in importance of the profession, it cannot be expected to shoulder the growth on its own. Tools, methodologies and models, such as ERM, are also key players in the growth and evolution of risk management in an organization.
According to Jeffrey Driver, CRO at Stanford University Medical Center in Palo Alto, California, the CRO position provides a much broader view of risk throughout the enterprise than the traditional risk manager. In the past, and even in many organizations today, risk managers had a narrow scope of practice. “In hospitals, for example, most risk managers focus almost all of their attention on medical malpractice,” he says. Driver covers this, as well as other forms of insurable risk at Stanford, such as property, workers compensation and general liability. He also addresses the areas of reputational risk and financial risk.
Like the PMI Group, Stanford University Medical Center has an ERM program, which was introduced by the organization’s internal audit department. Driver brings a unique perspective to ERM. “For example, we are planning to quantify the criticality of our risk assessment process,” he says. The medical center currently uses technology to help it understand the various risks across the enterprise, but this information is currently very subjective. “Later this year, we will begin attaching a number to each type of risk, using a risk management model developed from failure mode analysis,” he says.
According to Michael Hofmann, CRO for Wichita, Kansas-based Koch Industries, a privately held owner of companies across many industries, the role of the CRO has evolved over the past 10 years or so, and is becoming more of a senior management function, with responsibilities that have broadened to cover other areas of risk. “This is very encouraging,” he says. “In talking with my peers in other organizations, they report that they are more and more focused on the broader perspective, including providing assistance in decision making, as well as working to create a culture of risk awareness.”
He sees the future as being very bright, not only for CROs in particular, but for the risk management profession in general. However, progress will not occur on its own. Risk professionals must keep things moving in the right direction and must continue to suggest and implement creative strategies designed to protect the company and facilitate its strength and growth. “The key is for CROs to develop the right skill sets and not to be too narrowly focused,” he says. “Here at Koch Industries, for example, we utilize two risk management strategies—defensive and offensive.” This has involved separating the group into two functions: one focuses on understanding the risks that exist and making sure that the company is willing to take those risks, and the other focuses on deciding which are the advantageous risks to take so that the company can profit.
According to James Lam, research shows that, when companies experience a major decline in market value, 60% of the time the problem is related to failures or glitches with strategic and business risk. “This is where risk management can play a very important role now and in the future,” he says. “This is also where the role of the CRO has a lot of potential, because you have the opportunity to integrate risk management thinking into strategic planning and execution.”
William Atkinson is a freelance writer based in Carterville, Illinois and a frequent contributor to RM.