In Issue 6, we discussed positioning of the chief risk officer (CRO) for success within the organization. We noted that the decision around whether to appoint a CRO (or an equivalent senior risk executive) is driven by factors such as the company’s industry, business model, structure, culture and risks, as well as the extent of fragmented silo activity. Once management has committed to establishing the role, the question becomes: What qualifications should the company consider when evaluating CRO candidates?
There are many points to deliberate when conducting a search for the right person to serve as CRO:
Role and expectations, as defined by management and the board – The role and expectations of the CRO, as well as how the individual will be positioned, will have a significant impact on defining the candidate pool. Will the CRO focus on strategic issues, such as establishing/communicating the entity’s risk appetite and risk management philosophy; implementing an appropriate infrastructure of policies, processes, personnel, reports and systems for managing and monitoring risk; integrating risk management with strategy-setting and business planning; and/or implementing appropriate risk reporting to senior management and the board? Alternatively, will the CRO have a more tactical focus, such as on compliance management, ownership of one or more risks, insurance procurement, fraud prevention and asset protection, and/or environmental, health and safety matters? While we believe a strategic role is preferable in many situations, both approaches occur in practice. The nature and scope of the position have significant implications for the type of individual needed.
Experience requirements – If the organization is looking for someone to serve as a peer with operating unit and other leaders, it should identify executives with at least 15 years of experience. While previous experience in risk management and finance is a plus, industry experience and a demonstrated ability to work effectively to address issues in a comparable organization are vital attributes. “Industry experience” includes knowledge of how value is created for customers, the regulatory environment, relevant industry standards and best practices. Previous experience with the C-suite and reporting to boards is desirable, as is expertise in the risk of greatest importance to the enterprise (e.g., market risk in trading shops or investment banks, credit risk in banks, and commodity price risk in power companies).
Critical thinking skills – The CRO should be able to think strategically, work with operating units to disaggregate business plans and transactions into component risks the organization is taking on, and recommend how to improve proposed plans and transactions by mitigating the risks. Other key parts of the job include effective analysis of significant amounts of data and distilling key points that help senior management and the board analyze risk in a given situation.
Interpersonal skills – Exceptional verbal and written communication and negotiation skills support the CRO in interacting effectively with others, including regulators. CROs should be able to organize and motivate others – many of whom may be in more senior positions.
Keen business acumen – The CRO needs to be both a trusted adviser and a control authority who can articulate risk/reward trade-offs. Sound business and financial judgment combined with problem-solving abilities are vital prerequisites. An increasing use of models or quantitative analytics across industries makes the need for core analytical skills crucial. The CRO must have the capability to accumulate, summarize and interpret risk reports from business, functional and assurance units and translate them into terms decision-makers will understand. The objective is to improve proposed business plans and transactions so the company is more likely to succeed in creating enterprise value while also protecting it.
Strong process orientation – Often, the CRO is responsible for assisting the organization in developing and maintaining a comprehensive and sustainable process for identifying, prioritizing, monitoring, controlling and reporting key business risks that might impact the achievement of the enterprise’s objectives and performance goals. This requires a strong view of processes and how they interface with the company’s core management activities. Often, this capability is overlooked, as organizations favor technical-oriented candidates over those with process or policy experience.
Cool under fire – CROs must be objective, be able to call issues as they see them, and, if necessary, communicate what may be a contrarian message. Successful CROs should be concise and direct under fire in their communications. They must have the courage to speak to their convictions, even if they may be wrong, and must not be intimidated by organizational hierarchy and position. They must draw their influence through an active communication and knowledge-sharing style. One key criterion: whether the candidate has experience managing a unit, function or team through a crisis.
Above all, the key question is often one of “fit”: How well will this candidate mesh with the organization?
Questions for directors
Following are suggested questions that boards may consider if, in the context of the nature of the risks inherent in the entity’s operations, there has been a determination to appoint a CRO (or equivalent executive):
- Is the board satisfied with the business case for appointing a CRO? Is there a clear view as to a CRO’s expected contribution (e.g., clear reporting lines, stature of position, compensation aligned with protecting long-term enterprise value, etc.)?
- Is there a job description setting forth experience and performance expectations and personal attributes?
- Has the board considered how a CRO position might facilitate or enhance its risk oversight process? Is there an understanding of how the CRO’s responsibilities will be delineated from the responsibilities of other existing risk management functions?
How Protiviti Can Help
Protiviti assists public and private companies with identifying and managing their key risks. We provide an experienced, unbiased perspective in helping companies define the CRO function/role and organizational structure.
Board Perspectives: Risk Oversight (Issue 17)