Apr 30, 2010

Missing the target: the risks of a CRO

Having a chief risk officer does not mean risk is being well handled; the role may even distract from the two things that matter most: effective risk management by the CEO and forward-looking risk mitigation

So-called best practice calls for a company to have a chief risk officer (CRO) to monitor and control all risks taken by the enterprise. Indeed, the absence of a CRO is now seen as a bright red flag by regulators and corporate governance mavens. As often happens with potentially good ideas, however, this one has been mangled beyond recognition by many of those trying to apply it. The resulting confusion and misdirection will cause many companies to run into big trouble, despite – or even because of – the obligatory presence of a CRO.

For starters, the chief risk officer is not really the chief risk officer. What? Then who is? The CEO is the chief risk officer because enterprise risk management is a fundamental leadership responsibility that cannot be fully delegated to anyone else. Every CEO has vital risk management tasks to perform and if he or she fails to accomplish them, the company’s risk management efforts will eventually fail. This will happen no matter how good the chief risk officer is, no matter how many risk experts are hired, no matter how much money is spent on risk systems, no matter how many board policies have been ratified, and no matter how many best practices have been checked off.

Skeptics should consult Warren Buffett’s latest letter to Berkshire Hathaway shareholders. In it, he writes: ‘I believe a CEO must not delegate risk control. It’s simply too important. If Berkshire ever gets in trouble, it will be my fault. It will not be because of misjudgments made by a risk committee or chief risk officer.’

Does this mean the CEO has to brush up on stochastic calculus to compute the worst potential loss on the company’s derivatives book? Of course not. Although Buffett has courageously taken direct responsibility for managing Berkshire’s derivative exposures, he most likely gets some help with the math. Many aspects of risk management can and should be delegated by the CEO to those best qualified to carry them out, but three critical risk management responsibilities rest squarely with the chief executive and no one else.

The buck stops here
First, the CEO is directly responsible for thoroughly understanding and signing off on the material risks entailed in the corporate strategy. Are the company’s business lines offering expected returns that justify the risks the firm is taking? Are there attractive new business opportunities that could be exploited if their risks were managed well? Many people will be involved in helping the CEO come to informed judgments on which strategic risks should be taken and which should not, but the CEO makes the final call and should be held accountable for the results.

Second, the chief executive is directly responsible for protecting the corporation by keeping the company’s enterprise-wide portfolio of risks within acceptable boundaries. Are there risks that are excessive or inappropriate in light of the company’s business strategy or appetite for risk? Is the company’s reputation or access to capital being put in jeopardy? Risk control and oversight functions can play a valuable role in identifying and limiting unacceptable risks, but at best they are backstops, not the first line of defense. Emerging risks that threaten the franchise may not be visible in backward-looking statistics, nor to regulators outside the business who follow rulebooks shaped by past events.

Looking through the rear-view mirror is not enough. In order to see threats to the franchise in time to act, the CEO must evaluate fresh intelligence from diverse sources and exercise forward-looking business judgment that is sensitive to how the company really works and how it might be affected by potential changes in the business environment.

Third, and most important, the CEO is directly responsible for creating a strong risk culture that enables and reinforces self-disciplined risk management throughout the company, from the mailroom to the boardroom. Are people continually aware of risks? Do they have the motivation, skills, resources and authority to take action that results in good risk/return trade-offs? Are people willing and able to do the right thing even when no one is looking or when new situations arise? Are the incentives that drive behavior aligned with smart risk-taking, or with taking excessive or inappropriate risks? It is simply not possible to have a strong risk culture unless the CEO makes it happen through forceful leadership.

Where does that leave the CRO?
Now that we have pinned the crucial risk management responsibilities on the CEO – where they belong – what are we to do with the CRO? Do we really need one? The answer is ‘yes’, but only if the CEO has already taken the lead in strategic risk-taking, protecting the franchise and building a strong risk culture.

The CRO helps the CEO and board create a credible and consistent risk management framework to govern the company’s risk-taking in all its businesses. The CRO leads the design and implementation of the company’s risk management apparatus: the information, analytics, reporting, monitoring and intervention capabilities that make risk management an operational reality throughout the company. The CRO helps the CFO install risk-based performance measures that underpin business decisions and compensation policies, and provides the CEO and board with expert, unbiased advice to counter the self-interested cheerleading that sometimes comes from the business lines.

The CRO accomplishes all this through a deft combination of independence from and collaboration with the business units. Independence means challenging business decisions that embody dubious risks. Collaboration means contributing ideas to the business units that lead to better results, rather than just saying ‘no’.

The only thing worse than not having a CRO is having one who is put in place for all the wrong reasons: to have someone to blame if things go badly wrong; to run a compliance bureaucracy that is considered obligatory but of little value; to house people who could not make it in mainstream business roles; or – worst of all – to present the world with the facade of risk management without the reality of it.

Under these circumstances, the CRO is merely an actor in a diverting farce that lulls the company and its constituents into a false sense of security; when asked whether risks are under control the answer is: ‘Yes, of course. We have a chief risk officer.’ In the Great Recession, many of these long-running farces have turned into tragedies.