The recent financial crisis has brought new focus, from financial institutions and their regulators, on the ways in which financial institutions, including insurance companies in Canada and abroad, manage the risks they face. Everyone is acutely aware of the need to better understand the risks they face, and to minimize those risks. This has in turn heightened the prominence of, and regulatory focus on, the relatively new role of the "Chief Risk Officer", or CRO, as a key member of the senior executive team of many financial institutions. Julie Dickson, Canada's Superintendent of Financial Institutions, has recently made numerous public comments on the critical role of the CRO, and her office now holds annual risk management seminars with CROs from the various types of regulated institutions. Speaking to CROs at one such recent session, she noted, "As CROs you have an incredibly important role to play, and a difficult role." The increased attention on CROs, in her words:
". reflects a key learning from the global financial turmoil: there is a real need for regulators and financial institutions to focus on both the role of the CRO, and solid risk management practices."1
In that context, this article provides a brief history of the CRO role, a summary of the current state of the position and a survey of possible trends relating to the role, including likely future challenges and pressures.
Development of the CRO position
The creation of the CRO position is widely credited to James Lam, who, in the mid-1990s, assumed the title of CRO at GE Capital and implemented a system of risk management widely known today as enterprise risk management, or "ERM".2 In simple terms, ERM is a risk management system that analyzes and addresses risk on a firm-, or enterprise-, wide basis. ERM has grown over time into a vast industry fed by a voluminous amount of business and scholarly research and writing (all of which is beyond the scope of this article). Although fairly unique when introduced, corporate scandals (Enron, Worldcom, etc.), along with the introduction of various regulatory schemes necessitating compliance with certain risk metrics (Sarbanes-Oxley, Basel II, etc) allowed ERM and the concept of the CRO position to gain further momentum and acceptance, even if such acceptance was intended merely to allow a firm to comply with specific regulatory requirements, rather than being an endorsement of the CRO position and/or ERM itself. The position gained the earliest footholds in the finance and energy sectors.3 In the years just prior to the recent crisis, the CRO position had evolved beyond simply being a tool used by large multinational firms, or firms subject to specific regulatory compliance requirements, and beyond the traditional risk management focus of prevention of loss. In the most proactive firms, the CRO position had begun to be viewed as a tool which created value by identifying opportunities to exploit risks, as opposed to simply shielding firms from potential risks.4 In all environments, it had become much more demanding.
The CRO position today
It would appear that, post-crisis, the CRO position continues to vary considerably across industries, reflecting differences in the type, severity and potential impact of risks faced. In addition, the role may differ considerably between firms in the same industry, possibly reflecting the relative newness of the concept and position. Factors influencing such differences include (i) the size and global reach of the firm, (ii) the firm's culture or approach to risk (i.e. whether risk management is considered a high priority of the board of directors or CEO), (iii) the presence of an ERM proponent or an individual keen to spearhead the development of a CRO position, and (iv) the competency of the CRO himself/herself. All of these factors serve to define the position of CRO at any particular firm. However, in general terms, the CRO responsibilities typically are focussed on (i) "technical oversight", and (ii) "directional influence".
Technical oversight refers to the specific responsibility to compile information, data and analysis related to the various known (and, potentially, unknown) risks of a firm (e.g. operational, compliance and financial risks), and to identify new risks to the firm, and based on such knowledge, to gain or develop a comprehensive understanding of the role that risk plays in the firm, including overlapping or conflicting risks and in particular those risks which may not be recognizable without a view of the firm as a whole. This oversight, which goes to the heart of an ERM approach, can be starkly contrasted to the "traditional" approach to risk management which involves, to use industry jargon, risk "silos", wherein each department or business unit of a firm manages its risks separately. It is widely acknowledged that the skill set required for the technical oversight responsibility of the CRO position is not well defined and this is a further reason why the "typical" role of a CRO is not readily definable.5
The second of a CRO's principal responsibilities, directional influence, is what differentiates a CRO from most risk managers and what makes a quality CRO a critical and valued member of the senior management team, or "C-Suite". A CRO's ability to develop a comprehensive understanding of the whole of a firm's risks is significant; however, unless this understanding is translated into corporate action that leads to desired business outcomes, the utility of a CRO will remain relatively limited.
As well, the CRO position has, generally, been described as being responsible for some or all of the following functions:
- Providing the overall leadership, vision and direction for ERM;
- Establishing an integrated risk management framework for all aspects of risks across the organization;
- Developing risk management policies, including the quantification of management's risk appetite through specific risk limits;
- Implementing a set of risk metrics and reports, including losses and incidents, key risk exposures, and early warning indicators;
- Allocating economic capital to business activities based on risk, and optimizing the company's risk portfolio through business activities and risk transfer strategies;
- Improving the company's risk management readiness through communication and training programs, risk-based performance measurement and incentives, and other change management programs;
- Developing the analytical, systems and data management capabilities to support the risk management program.6
A significant determinant, if not the significant determinant, of the influence of a CRO on the activities of a firm, is the reporting structure within which the CRO operates. A wide variety of reporting structures are observed today, each of which may function effectively, but also present certain difficulties or disadvantages. Certain reporting structures include:
Board of Directors: Similar to the CEO, oftentimes a CRO reports directly to the board of directors. The ability of a CRO to report directly to the board regarding the risks faced by a firm would appear to provide an effective mechanism for, ultimately, translating a CRO's understanding of enterprise-wide risk into desired business outcomes, and may be particularly effective if board members are familiar with and view risk management as a significant priority for the firm. However, where board members, already charged with a host of other responsibilities, do not proactively embrace risk management (whether for lack of interest, understanding, time or any other reason), the efforts, ideas and ultimate value of a CRO may be significantly diminished.
Board Committee: A variant is a structure wherein the CRO reports to a board committee, such as a Risk Committee. Similarly, a structure which allows a CRO to present findings and strategies to certain board members can be advantageous, but is subject to limitations similar to those applicable to reporting to the entire board of directors, particularly where the CRO reports to a firm's Audit Committee (which is already charged with other critical and and time-consuming responsibilities) rather than a dedicated Risk Committee.
CEO: No matter how influential the position of CRO may become in a firm, there are those, including some CROs themselves,7 who will always consider the CEO to be the firm's ultimate CRO. As such, a reporting structure wherein the CRO reports directly to the CEO (provided a strong relationship exists between the CRO and the CEO), may be an effective manner to translate a CRO's understanding of firm-wide risks into desired business outcomes, as this understanding is conveyed to the individual charged with the overall management of the firm. As with reporting to the board of directors, where a CEO does not embrace the utility of a CRO, the position is likely to be of limited effectiveness. Reporting to the CEO also appears to be OSFI's preferred approach, as last June Superintendent Dickson noted:
"The global banking industry has acknowledged that CROs should have been more front-and-centre at their firms. As a result of the global financial turmoil, most banks have made changes to ensure that CROs now report directly to the CEO. The status and visibility of CROs within a firm is important - both with the CEO and the board. Many life companies are following suit and this is a development that I encourage."8
In a recent survey, conducted for KPMG International, of nearly 400 executives from insurance companies around the world, and reported in KPMG's November 2009 publication "Getting the Balance Right" (available at www.kpmg.ca), 45% of respondents reported that their CROs report to the CEO. Robert Lang of HSBC was quoted as noting "Speaking as a Chief Executive, I would always foresee a CRO as my direct report and that person would always be a key contributor to the daily running of my business and its strategic considerations".
CFO, Chief Information Officer, Chief Compliance Officer: A reporting structure where a CRO reports to the CFO, CIO, CCO or other C-Suite member is, generally, viewed as providing a CRO with less influence, and ultimately as being less effective in creating positive business outcomes simply because these positions (CFO, CIO and COO) typically lack the required influence on a firm-wide basis to implement strategies that were developed as a result of firm-wide analysis in order to address firm-wide issues. In the same recent survey for KPMG, 20% of respondents reported that their CROs report to the CFO.
Future of the CRO position
The role of a CRO will no doubt continue to evolve, shaped by a number of factors. Perhaps, if the financial crisis had not occurred, the role would emphasize identifying those risks that create value for a firm, a concept that, as discussed above, characterized the years just prior to the financial crisis. However, in light of the financial crisis, it seems that the future motivations of financial institutions, with regard to implementing ERM and appointing CROs, which will in turn significantly influence the role of CROs, will be directed more toward loss prevention and regulatory compliance. In fact, Ernst & Young recently predicted in its Global Insurance Center 2010 U.S. Outlook for the life insurance industry that "[t]he chief risk officer will also face increasing demands from regulators and ratings agencies on risks assumed and capacity".9
In Canada, Superintendent Dickson has demonstrated this increasing regulatory focus by noting that, generally,
"I think that a seasoned, smart CRO who is part of the most senior management team, who has clout and who is respected within the organization as someone who is striving to maximize shareholders and depositors interests over the long run - not over the short run - is key. The CRO position is one where financial institutions should not skimp on talent. After all, this is one person who has to deal with shareholder pressure to increase profits and share price, which typically has meant taking on risk.at least until a problem occurs."10
Further, she has separately commented:
". whenever a new CRO, for example, is appointed at a financial institution, we consider how that affects our risk assessment. We discuss how much depth the new CRO has, the person's clout and general disposition toward risk. At times, I have to say we have expressed, within OSFI, positive and negative views about such appointments."11
In terms of OSFI's focus, she has noted:
"The themes in two recent industry reports, the Institute of International Finance (IIF) report, released on July 17, 2008 and the Counterparty Risk Management Policy Group (CRMPG) III report, released on Aug 6, 2008, are similar. The reports are voluminous, but they contain several items worth noting for both banks and insurance companies.
Chief Risk Officers should periodically commission a review and assessment of the institution's investment in risk management, for presentation to the senior management and the board. This should not happen only after a big problem has occurred; it should happen as part of the normal course of business.12
Comparing the different industries regulated by OSFI, she has remarked to the property and casualty insurance CROs:
"While the P&C industry has perhaps been ahead of the other sectors in the management of specific risks, the establishment of the CRO position, and the processes that accompany it, which allow for quicker assessment of risk across an entire organization, have been slower to develop in the P&C industry to date.
OSFI recognizes that the P&C industry has a diversity of institutions in terms of their size, number and complexity of business lines, risk appetite, etc., and that all of these factors will logically lead to different requirements with respect to the robustness of the risk management program. However, I cannot overemphasize the importance of having an organization-wide enterprise risk management process in place to help manage the numerous known, unknown, and emerging risks that P&C institutions face in these challenging times."13
In the UK, meanwhile, the November 2009 report prepared by David Walker entitled "A Review of Corporate Governance in UK Banks and other Financial Industry Entities", commonly know as the Walker Report, includes the recommendation that banks and other financial institutions be served by a CRO who should participate in the risk management and oversight process at the highest level on an enterprise-wide basis. The Walker Report also recommends that the CRO have an internal reporting line directly to the CEO or CFO as well as report to a board Risk Committee.14 Similarly, the Committee of European Banking Supervisors (CEBS), recently published its high-level principles for risk management as part of its 2010 Standards and Guidelines.15 These high-level principles, which are intended to "strengthen the risk culture within institutions through enhancements in the risk management function" and which the CEBS recommends be implemented by its members prior to the end of 2010, include additional guidance with respect to "the role of the Chief Risk Officer and risk management functions".
The role and prominence of the CRO will also continue to be shaped by the composition and risk management focus of boards. As Superintendent Dickson commented recently:
"In a recent speech on the topic of governance, I suggested that institutions should consider adding risk management expertise to their boards, as well as insurance expertise. As boards change, your role as CROs will change. Having people who truly understand risk management on the board will likely lead to deeper board discussions, which is never a bad thing."17
Another challenge facing the CRO position is a lack of qualified individuals. As discussed above, the technical competence of a CRO is critical, as is the novel skill set required - the ability to grasp all risks of a firm, from financial to operational. Further, complicating this issue is the fact that firms, necessarily, face different risks, which subjects any CRO hired from outside the firm to a relatively steep learning curve.
A final future challenge for CROs, as well as ERM in general, may be to remain a relevant management position (and in the case of ERM, a relevant risk management technique). Put another way, the challenge is to avoid becoming, over time, merely the latest corporate fad or mantra (see Total Quality Management, Quality Circles, Continuous Improvement, Six Sigma, etc.). If the CRO position, as a whole, fails to produce desired business results, or to attract qualified individuals, it may become less relevant, perhaps remaining of high profile only in highly regulated sectors, such as the financial or energy industries. A return to economic prosperity may also threaten the status of the position - as Superintendent Dickson recently noted: "While CROs are valued today, their advice may not be as valued when times are good again."18