When it is appropriate for a chief risk officer (CRO) or an equivalent senior risk executive to be in place, both the board of directors and management – not to mention the company’s shareholders – have a stake in that executive’s success. Now is the time for the organization to consider a fundamental question: Is that executive, as well as risk management in general, positioned to be successful within the organization?
Like all C-suite executives, the CRO has a difficult job. To be effective, he or she must have a prominent and meaningful voice in the C-level dialogue. At the crucial moment when someone must play a contrarian role to protect the shareholders’ interests, how can a CRO go against a CEO who holds all the cards relative to the CRO’s career – progression, salary, bonus, etc.? And if the CEO doesn’t believe in the value of risk management – as was the case with some leaders of financial institutions with a business model that was all about volume and growth leading up to the financial crisis – it’s game over. Poor positioning of the CRO leads to a risk management failure.
Several elements of ineffective positioning of the CRO are listed in the sidebar. One or more of these elements may signify a red flag that the CRO is unable to fulfill the strategic demands of the job and lacks real authority or influence.
Often, the CRO is the ultimate champion of the risk management process as it is applied in all units and divisions of the enterprise. Typically, the CRO does not directly own responsibility for managing specific risks, but operates in a consultative and collaborative role, with authority vested by the executive committee (or a designated risk management committee), the CEO or the board (or a committee of the board).
Elements of Ineffective CRO Positioning
- Not viewed as a peer with line-of-business leaders in ALL respects
- No direct reporting line to the board
- Belief by board, senior management and operations personnel that managing risk falls to a single person or function (versus an organizational imperative)
- Entangled in the minutiae of managing compliance
- Constantly fighting turf issues with entrenched silos
- Risk management not valued as an equal discipline to opportunity pursuit
- Risk management compensated based on line-of-business results
- Risk management seen as a compliance function, or worse, as a blocker to getting things done
- Lack of clarity in the CRO role and how it interfaces with senior line and functional management
There is no one-size-fits-all model for positioning the CRO within the organization. We see at least four basic models:
1. A committee structure approach in which the CRO chairs or reports to a management risk committee as well as to a C-level executive
2. Dual reporting to the executive team and board
3. Direct report to the CEO or another senior executive (e.g., the CFO) with dual reporting to the board
4. Direct reporting solely to the board
The conventional model of having a CRO report to either the CEO or lower in the organization may pose a dilemma in situations where there are serious differences of views regarding the firm’s risks and profit-generation model. The potential inherent conflict of interest that can exist between dealmakers and risk managers has caused some to question whether more formalized reporting to the board is a better option. In alternatives (2), (3) and (4) above, there are variations in terms of reporting to the board, i.e., to the full board, to the audit committee or to a risk committee. In any of these approaches, more formalized reporting of the CRO to the board results in directors having the option of meeting with the CRO in executive session. If the board wants unvarnished reporting from the CRO, the best practice is a direct reporting line to the full board or to a standing committee of the board.
Questions for Boards
If there is a CRO (or equivalent executive), following are some suggested questions that boards of directors may consider, in the context of the nature of the entity’s risks inherent in its operations:
- Is he or she viewed as a peer with line-of-business leaders in terms of compensation, authority, CEO access, etc.?
- Are any of the elements of ineffective positioning, as listed in the sidebar above, present in the organization? Is the board satisfied that the CRO can be an effective voice in the C-level dialogue?
- Does the board leverage the CRO in obtaining relevant and insightful risk reports? Does the CRO have a direct reporting line to the board?
How Protiviti Can Help
Protiviti assists boards and executive management with assessing the risks inherent in the enterprise’s strategy and business plans, either across the entity or at various operating units, and the capabilities for managing those risks. We help organizations identify and prioritize the risks that can impair their reputation and brand image and lead to failure in the successful execution of corporate strategy. We also assist CROs with improving capabilities for managing more complex market, credit, model validation and commodity price risks.
Board Perspectives: Risk Oversight (Issue 6)