The rise of the chief risk officer: the financial crisis is drawing greater attention to the CRO's evolving role and its implica

By John A. Wheeler | June, 2009

OVER THE PAST DECADE, MORE AND more companies have created a new role within their senior management team dedicated to risk management--the chief risk officer (CRO). Previously, risk management had been a discipline relegated to various pockets of an organization such as insurance, legal, compliance, and physical security functions. In some cases internal auditing became the focal point for risk management activities due to its expertise and willingness to assist senior management.

However, 15 years ago GE Capital appointed the first CRO to lead the integration of risk management activities across multiple business units and functions. At that time the company recognized the need to understand its risk profile from several perspectives, including credit, market, and operational risk. It also wanted someone who could synthesize the potential risk exposure with the firm's strategic goals.

Since then, risks have taken on new forms and new magnitude. With the creation of new financial products, rapid advances in IT, increased global interrelationships, shifting regulatory regimes, and fragmented geopolitical forces, organizations have seen the need for an integrated risk management approach increase dramatically. Most internal auditors recognize this need, given their unique perspective of the organization and risk-related professional backgrounds. However, because independence requirements prohibit the internal audit function from mandating this integration, auditors can only advise senior management on its importance. Thus, to successfully implement an integrated risk management approach, a full-time champion within the executive suite, such as the CRO, is often required.

THE NEED FOR A TRUE CRO

All of the new risk factors that gave rise to the CRO came to a head with the financial crisis of 2008. Companies suffered astonishing losses as a result of poor decisions leading to excessive risk taking. Massive gaps in both the understanding and communication of a company's risk appetite and exposure have been identified in post-mortem reviews.

So, in a matter of 15 years, organizations have come full circle. What they need now more than ever is a CRO in the truest sense. To understand what the role of the CRO should be, auditors should focus on the objective of the position--to integrate risk management activities across an organization. The de facto standard for such an objective is The Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Enterprise Risk Management-Integrated Framework, published in 2004. The publication defines enterprise risk management (ERM) as:

The true CRO should be the champion and ultimate sponsor of ERM within an organization. To succeed in achieving this objective, the role requires the commitment and full support of both the board of directors and CEO. In addition, the role requires a unique skill set that combines a deep understanding of the business, an appreciation for risk management principles, strong leadership capabilities, and a strategic mind-set. This is a tall order for most organizations, especially when budgets are tight and short-term earnings pressures are so acute.

The challenges do not end there. At the core, the organization's culture must align with and support the ERM program. This means that its managers and employees must have a certain level of risk awareness as well as a willingness to own the risks they take. This is created by leadership emphasis from the CEO, CRO, and other senior management members. However, more importantly, the compensation and performance management structure must be designed to provide incentives for appropriate behavior within an organization's risk appetite.

HOW THE CAE CAN HELP

With so many challenges to address, where does a CRO turn for help? The most likely and effective partner is an organization's chief audit executive (CAE). These leaders share a common goal to provide reasonable assurance regarding the achievement of entity objectives. In addition, more than anyone else in a company, the CAE understands and fully appreciates the need for strong corporate governance and risk management practices. To create a successful partnership, the CRO and CAE should work to develop an open, candid relationship that relies on continuous communication. This communication begins with sharing plans as well as views on emerging risks. Focusing on these areas as the basis of communication will ensure that the two leaders remain forward-looking and proactive, rather than simply reactive to the issue of the moment.

In addition, the CRO and CAE should craft common methodology, terminology, and infrastructure as it relates to providing assurance. At the same time, roles and responsibilities of risk management versus internal auditing must be defined and communicated clearly. This will reduce confusion about each leader's unique mission--the CRO's mission to facilitate effective, prudent risk-taking to achieve the company's strategic objectives and the CAE's mission to evaluate independently the level of risk management effectiveness throughout the enterprise.

POSSIBLE PITFALLS

While each leader has a unique mission, a fine line exists between how those missions are executed. A common pitfall is having the CAE and internal auditing assume responsibility for creating and maintaining risk management-related processes such as performing a risk assessment or implementing risk controls. Taking this path is easy and most times well intended, because internal auditing typically possesses the skills needed to perform these activities. However, the path becomes a slippery slope that ultimately leads to a shift in accountability for the risks from the business units to internal auditing. The Role of Internal Auditing in Enterprise-wide Risk Management, an IIA position paper incorporated in the recently updated International Professional Practices Framework, identifies specific activities that a CAE and internal auditing should not undertake:

* Setting the risk appetite.

* Imposing risk management processes.

* Management assurance on risks.

* Taking decisions on risk responses.

* Implementing risk responses on management's behalf.

* Accountability for risk management.

Another possible pitfall is having political forces adversely impact the relationship between the CRO and CAE. In this case, a CRO may be tempted to influence the CAE's plans to evaluate certain areas of the company. If this influence is politically motivated to benefit certain individuals at the expense of the company, then the shared ERM objective will be destroyed.

THE CRO IS HERE TO STAY

As the recent crisis has demonstrated, the need for a holistic and integrated approach to risk management is critical as risks become more complex and interrelated. For senior management at major corporations, this job is simply too big to be addressed by a member of the team on a part-time basis. In addition, the job requires a unique skill set and special focus to enhance risk awareness and understanding throughout the organization.

To be successful in this mission, the CRO must play an active role in both the strategic and tactical levels of the organization. For example, the CRO should take the lead in ensuring that the performance management systems and compensation plan design not only encourage the appropriate level of risk taking, but also allocate capital in ways that reward intelligent risk management. In addition, the CRO cannot blindly accept the results of quantitative risk models, such as Value-at-Risk, without applying well-articulated, qualitative business judgment.

The CAE needs to be equally active and involved throughout the organization to complement the CRO's efforts. A strong CAE can provide an unbiased view of the effectiveness and efficiency of risk management practices using methods such as benchmarking against peers and competitors. Also, the CAE can challenge both high- and poor-performing business units to determine the underlying risk impacts of their results. Finally, the CAE should have the full authority to investigate any potential scheme--fraud or otherwise--that may not be known by the CRO and ultimately may not be captured fully as a risk to the organization.

As companies become more complex and reliant upon external organizations such as outsourcing/offshoring firms and counterparties, the need for integrated risk management likely will increase. Thus, the CRO's role will continue to evolve and remain an essential member of the senior management team. However, without a CAE who is a strong partner and proponent of an integrated risk management program, the CRO will not achieve the ERM objective required for a company's long-term success.

JOHN A. WHEELER is managing principal with Wheelhouse Advisors LLC, an ERM, compliance, and internal control firm in Atlanta.

To comment on this article, e-mail the author at john.wheeler@theiia.org.

EDITED BY PAUL SOBELS

COPYRIGHT 2009 Institute of Internal Auditors, Inc. Reproduced with permission of the copyright holder. Further reproduction or distribution is prohibited without permission.
