As organisations seek to strengthen the robustness of their risk management processes, many of them are rethinking how they are providing leadership for their risk management efforts. While key stakeholders might view the CEO as the chief risk officer, practically speaking, it makes sense for someone else to lead the risk management process.
Larger organisations tend to be more likely to appoint individuals to serve as a chief risk officer (CRO) or in positions with other titles but equivalent responsibilities to facilitate the strengthening of risk management processes and to co-ordinate ongoing risk identification and reporting efforts. Recent annual surveys conducted by the ERM Initiative and the AICPA (see the eighth edition of The State of Risk Oversight: An Overview of Enterprise Risk Management Practices) find that just over 42% of organisations surveyed indicate that they have designated an individual to serve as the CRO or equivalent. That percentage increases to 63% for publicly traded companies and large companies and to 66% for financial services institutions (see the table, "Companies Designating a CRO").
As organisations launch their enterprise risk management (ERM) efforts, most choose their ERM leader from individuals who are already a part of the management team. Generally, organisations do not begin by hiring a CRO through the creation of a new full-time position. Instead, most organisations begin by adding CRO responsibilities to someone such as the CFO or the chief audit executive. Assigning someone that dual role makes sense in the early phases of an ERM launch, when the process can gain initial traction and not become overcomplicated at the outset. By keeping ERM efforts simple to start, the workload can be handled internally. Then, as ERM processes mature, the organisation may add a new position to ensure someone is handling day-to-day leadership of risk management efforts.
A growing number of organisations are creating management-level risk committees that consist of a number of their key business leaders, who meet regularly to discuss ongoing risk issues and the organisation's response. Typically, risk committees are composed of senior leaders who represent a variety of business functions and who set strategy. By assembling a group of executives with an explicit charge for understanding and digesting information about key risks across the enterprise, those leaders begin to develop an enterprise-wide, rather than siloed, view of the risk horizon.
The presence of risk committees has been increasing over time, with higher percentages of organisations having a management-level risk committee in 2016 relative to prior years (see the chart, "Percentage of Organisations With a Management-Level Risk Committee").
The presence of risk committees is especially high for publicly traded companies (83%), large firms (80%), and financial services firms (79%). In fact, 58% of entities we surveyed have a management-level risk committee; that increases to 83% for publicly traded companies (see the table, "Firms With a Management-Level Risk Committee"). The typical risk committee meets monthly or quarterly, according to survey respondents.
In addition to these ERM leadership functions, most organisations are also appointing different members of management across the enterprise to serve as "risk owners" for each of the top risks presented to the board. While those aren't official "appointments" with explicit job titles, informal accountabilities are being placed on business unit leaders across the organisation for them to "own" the risks within their areas of responsibility.
Risk owners are responsible for conducting a deep-dive analysis of their assigned risks to understand root-cause drivers of the risk and to assess the adequacy of the entity's response to each risk to prevent its occurrence or to minimise the impact of the risk should it occur. Risk owners are often the ones responsible for updating senior management and the board about the current and expected state of their assigned risk. In some organisations, risk ownership is becoming an explicit component of the individual's performance goals that are used for performance and compensation evaluations.
Finally, boards of directors are explicitly assigning risk oversight responsibilities to a specific subcommittee of the board. While the board of directors is ultimately responsible for the oversight of top risks, the board often assigns responsibility for understanding and approving the organisation's risk management process to one of its committees. For most entities, the audit committee assumes this responsibility.
Who should lead enterprise-wide risk management?
Organisations achieve the greatest success in strengthening their risk management processes when they pick leaders who have a deep understanding of the business and who are highly regarded within the organisation (for a list of key questions to ask of a CRO candidate, see the sidebar, "What to Consider When Selecting a Risk Management Leader").
Because the goal of an ERM process is to help management and the board identify and manage those risks most likely to affect the achievement of the organisation's objectives, it is important that the risk management leader be high enough in the organisation's leadership team to be knowledgeable and heavily involved in strategic planning and strategy execution. That generally suggests that the individual with risk management leadership responsibilities be a member of the C-suite or have direct access to the C-suite, including the CEO. Risk management champions who are buried too deep within an organisation often struggle to garner the attention of individuals at the enterprise level, and they often fail to help integrate risk management with strategy.
Often those chosen to lead an enterprise-wide risk management process are in financial reporting roles, such as the CFO or chief audit executive, because of their enterprise view of the organisation and their interaction with the audit committee of the board, which often assumes risk oversight responsibilities for the full board. Organisations sometimes tap individuals who serve in other roles, such as the COO or general counsel. Organisations may, however, find the greatest value in their risk management efforts if they shift ERM leadership to individuals who oversee strategic planning. Some organisations are assigning risk leadership to the chief strategy officer of the enterprise.
What is a CRO's role?
Whether an organisation formally gives an executive the explicit title of "chief risk officer" is a matter of preference. But it is important for the organisation to explicitly assign responsibility to an individual who leads other executives through processes to identify, assess, manage, monitor, and communicate key risk information to the board and key stakeholders. Without accountability and ownership, risk management changes may not occur, or other business leaders may not understand the process.
Business executives across all kinds of industries and types of organisations are notably concerned that their organisation's approach to risk management may not be sufficient to encourage the timely escalation of risk issues to top management and the board, according to the ERM Initiative surveys. This finding suggests that leadership should evaluate and redesign how risks are managed in the enterprise to ensure the culture supports the risk management efforts. Having someone with explicit responsibility for risk leadership makes it possible to educate and train business leaders about the risk management process, and the risk leader may play a vital role in helping design and implement processes for escalating risk information to the top.
One thing risk leaders need to make clear is that they are not the owners of all risks affecting the enterprise. Most CROs view their roles as "internal consultants" who help coach and guide risk owners across the organisation in their management of risks. Risk leaders are there to help facilitate that process and to provide consultation to other business leaders who are primarily responsible for risks.
CROs also play a major role in the aggregation of risk information provided from business unit leaders so that they can help develop and communicate a more holistic view of risks affecting the enterprise. Thus, they play a significant role in preparing risk dashboards and board information packets. While CROs often participate in board-level meetings to discuss risks, most of the detailed discussion of risks and the related risk management strategies are the responsibilities of the business leaders who are assigned ownership of particular risks.
Don't overlook a risk leadership void
Some executives may question whether there is a need to appoint an individual to formally lead an ERM process. We sometimes hear an executive resist any change in risk management leadership with this statement: "Management talks about risks all the time." While that may be true, there is value in formally engaging management in the identification and assessment of risk. Without someone to lead that process, business leaders may overlook the need to engage in risk thinking, and that ultimately can lead to their being blindsided by significant and catastrophic risk events. In light of the rapid pace of change in today's global business environment, is the lack of leadership worth the risk?
Mark Beasley is the Deloitte Professor of Enterprise Risk Management at North Carolina State University and the director of the university's ERM Initiative. He frequently works with boards and senior management to assist them in strengthening risk oversight processes.
What to consider when selecting a risk management leader
As organisations consider individuals who can lead the ERM process, there are a number of factors to consider. Here are ten questions to ask:
- To what extent does the individual understand our organisation and its key drivers of success? Does this person understand our industry and our core products and services that provide competitive advantage?
- How involved is the individual in helping determine and execute our strategy? Is the individual a participant in the strategic planning process?
- Does this individual view risks as only having "downside" effects that need to be avoided, or are risks also viewed as opportunities?
- What is the individual's understanding of the ERM concept and related techniques, and does the individual appreciate how ERM is designed to turn existing, traditional risk management efforts into a more strategic view of risks on the horizon?
- Where does the individual fit in our organisational chart? How many people are between the CEO and this individual in our lines of reporting?
- To what extent is the individual perceived as a respected leader in our organisation? Is the individual's "voice" one that colleagues at all levels listen to?
- How effective is the individual in leading and coaching others? Will the individual be willing to be patient in helping consult with other business leaders as they assume responsibilities for managing risks affecting their respective business units?
- Will the individual try to "control" things rather than allow other business leaders to own risks under their key areas of responsibility?
- How effective are the individual's written communication and presentation skills?
- To what extent does the individual have an executive presence? Will management be comfortable having the individual interact with the board of directors and other key stakeholders about key risk issues?