Deloitte’s Michael Kearney stresses corporate need to boost risk management
A small but growing number of non-financial services companies are appointing chief risk officers (CROs) and giving them direct access to their boards, industry professionals say.
Michael Kearney, partner with Deloitte Risk and Financial Advisory, estimates that between 5 percent and 10 percent of non-financial services firms now have a CRO (or equivalent top official who may not have the CRO title) to oversee their risk-management efforts. The trend is driven by a number of factors, Kearney tells Corporate Secretary. For example, a company may choose to make the change in response to a crisis, he says.
Many companies also have a sense that they could handle risk management better without increasing the amount they spend on it. These costs may be spread between departments such as IT, compliance, legal and internal audit. This can lead to work being isolated in so-called silos, creating inefficiencies, Kearney says. As such, he adds, companies may want to take a more strategic approach to risk as part of their efforts to grow.
Looking forward, Kearney predicts that the trend toward more CROs or their equivalents will continue. The growing complexity and dangers presented by the world are such that ‘the need for elevating risk management in a company is at an all-time high,’ he says.
All CROs in Kearney’s experience have a direct or dotted reporting line to the board and/or the audit committee, and quarterly engagement at board meetings is common. Access to the CEO has also become more common over the past two years, he says.
At the same time, there is a lack of consistency in who reports to the CRO, according to Kearney, who adds that there continues to be debate over whether internal audit should report to the head of risk. Others who may report into the CRO include the chief compliance officer (CCO) and chief information security officer.
Kearney says the challenges facing CROs when they are appointed include:
- Defining what they do
- Educating the executive team on what risk management can achieve
- Clarifying how risk is positioned within the company. ‘If you don’t get that right, you don’t pass go,’ Kearney says
- Ensuring they have the right people and the right operating model
- Breaking down silos between, for example, compliance and internal audit, so that they don’t keep asking the business the same questions.
One company that’s taken steps to beef up risk management is Target. The retailer in late 2014 hired Jackie Rice as CRO and CCO to report to board chairman and CEO Brian Cornell. In doing so, the company elevated the post to include centralized oversight of enterprise risk management, compliance, vendor management and corporate security under Rice.
Target had earlier that year announced it was overhauling information security and compliance, including looking for outside leaders in those areas. The company had been hit by a major cyber-security breach in December 2013.
Some of the key changes that came into effect when Rice was hired included:
- Having the position report to the CEO and the board
- Creating a board committee on risk and compliance
- Bringing vendor management under risk and compliance
- Moving second-line functions into risk and compliance.
In addition, one of the first changes she implemented when she joined Target was to assign ‘business risk champions’ – employees who can act as ambassadors for the risk function within the business.
‘Bringing risk and compliance under the same leader is very effective. It helps avoid “death by 1,000 cuts” when dealing with the business,’ Rice tells Corporate Secretary. Looking at the more general move toward more companies having risk chiefs, she adds: ‘It’s becoming a good business practice to have a CRO, whether you’re in a highly regulated industry or not.’
Over recent months, the company has further consolidated its risk approach by integrating Rice’s team into legal, she says. Her reporting line is now to chief legal officer and corporate secretary Don Liu. Combining the teams is designed to ensure they use a consistent language on risk and to ensure issues are escalated, according to Rice.
She has four scheduled meetings a year with the risk and compliance committee, and more as deemed necessary. In addition, she attends a joint meeting once a year between the risk and compliance committee and audit and finance committee.