From steering a company away from potential hazards to working with the board in setting risk appetite, today's chief risk officer is an increasingly vital cog in the company structure.
There was a time when we rarely heard about the chief risk officer. After the gloom of the late 2000s, however, risk management has moved out of the back office and the CRO is now front and centre of a company’s strategic moves and future projections.
Risk itself has gained – or perhaps regained – respectability, and the executive most likely to be cheering on this new perception is the CRO. While some may see that as a paradox, CROs say their role actually emboldens their company to take risks.
Risk management has moved out of the back office and the CRO is now front and centre of a company’s strategic moves.
“A genuine chief risk officer encourages risk-taking rather than risk avoidance,” says business consultant Todd Davies, who has chaired audit and risk committees and now mentors CROs in many of Australia’s leading companies.
As risk management goes mainstream, an increasing number of organisations are turning to Davies for advice about employing a CRO.
“It is really hot at the moment,” he says. “The top 20 companies and a lot of government agencies are looking at it.”
Davies likens the CRO to a member of a Formula One pit crew, enabling the chief executive to drive the company and take corners fast.
“It is very hard for the person who has their foot on the accelerator to be spending time worrying about where they should tap the brake,” he says.
More often than not, that tap on the brake involves identifying issues that are not yet on the company’s radar. Justin Breheny CPA, recently retired as group chief risk officer of insurer IAG, says the CRO must have the confidence to “tell it like it is”.
“The CRO should be one of the main drivers of thinking about big-picture risks – risks that are coming over the horizon that could cause big disruption,” he says.
“They also need strong influencing skills, because that is how you get change.”
It is change that led the graduate business school INSEAD to appoint a CRO. With disruptive technologies such as MOOCs (massive open online courses) impacting on the education sector, the organisation needed to change its risk strategy. Chief control officer, Singapore-based Irina Netessina, added the CRO role in 2014 to enable INSEAD to reshape priorities and focus more on long-term risk.
National Australia Bank CRO David Gall says the ability to inform major decisions
is an important part of the risk brief. His role encompasses credit, market and operational risks, from everyday banking to NAB managing its own balance sheet.
Gall believes that, as an adviser to the chief executive, a CRO must be able to not only observe and think strategically about risks and develop a response, but also influence
“I think that is where the CRO of the future really can come into their own,” he says.
Widening scope of the CRO
Global issues such as terrorism and money laundering mean that those keeping their finger on potential areas of risk need to keep abreast of international developments and law-enforcement activities.
Regulators have played their part, with the Australian Prudential Regulation Authority (APRA) requiring banks and insurers to have a CRO from January 2014 and mandating that the position reports to the chief executive and must have unfettered access to the board.
Traditionally, the role was focused on ensuring that the company had risk-management frameworks, policies and governance structures in place, but these days CROs see themselves as partners in decisions to help the company grow and to embed a risk culture within the organisation.
Breheny says CROs have an equal seat at the table as the business develops products, services and processes, “so you can ensure risk gets input to those decisions before they occur, rather than running the post-mortem. It is proactive, not reactive.”
In the banking sector – an industry on familiar terms with risk – CROs have long been an essential part of the modus operandi. Gall notes, however, that in recent years there has been a greater focus on emerging risks. These include cyber attacks and issues of long-tail product lines, such as life insurance or defined benefit retirement plans.
Big data is another area where CROs need to think outside the box. While offering great opportunities to better understand the customer and tailor products and services accordingly, it also brings risks relating to privacy and the unrelenting onslaught of cyber criminals.
Gall says the banking CRO must look both forward and outward to identify these risks. That is based on “trends we are seeing, innovation that lies over the horizon and, as
a bank, how we need to be preparing for that today”, he says.
Effective financial risk management
Internal vs external CRO
Views differ on whether the CRO should come from within the company.
Davies doesn’t believe this is necessary but notes the position appeals to people with a background in internal audit, because those roles have moved into strategic decision-making. He finds the best candidates are auditors and people who have worked in consulting and human resources.
Both Breheny and Gall, on the other hand, are firmly of the opinion that the CRO should come from within.
Breheny was IAG’s chief executive Asia Division before becoming group CRO in September 2013 and says CROs who come through the company have an edge, because they understand the business.
Gall came to the role having run retail, business and corporate banking operations and with significant exposure to wealth management, and he says experience across the business spectrum helps decision-making.
Just as importantly, it gives him credibility when talking to first-line managers who know he has stood in their shoes.
“That cannot be underestimated,” he says.
Communication is key
Whether an internal or external appointment, most agree that an effective CRO must be a good listener and someone who is able to build strong relationships with the board and within the organisation as a whole.
Breheny says this means talking to employees so that everybody in the business thinks about risk in a positive way.
“Building a risk culture is an important value add,” he says.
Inherent in this approach is the ability to clearly articulate the language of the business.
A Harvard Business School study, titled The Triumph of the Humble Chief Risk Officer, found this was essential to a CRO’s success.
The author of the study, Anette Mikes, interviewed CROs at a power company and a toy manufacturer and found that they avoided risk-management jargon, which led to managers adopting risk management without being aware of it. The CROs were self-effacing, and Mikes concluded that humility was a factor in their success at embedding risk awareness
In developing the CRO role at INSEAD, Netessina first held seminars and ran exercises to get everyone’s thoughts and help her identify the areas of greatest risk at the business school.
“It is important to start talking about it at all levels of the organisation,” she says.
Netessina found that the entire organisation became engaged with identifying and mitigating risk. She was then able to assign the top risks to “risk owners”, who could work on, for example, how to position degree programs to deal with digital disruption.
An evolving role
The CRO’s role continues to evolve, and Gall believes that over the next year or two there will be as much discussion and focus on an organisation’s risk culture as there is on the rules and procedures that it has in place.
The traditional view of the CRO as being a compliance “box ticker” or the person who tells the executive team what they can’t do has certainly changed.
"Good risk outcomes can lead to very good business outcomes.” David Gall, NAB
While Davies still finds that not everyone at board level is convinced of the need for a CRO or is clear about how to use the role to achieve the best outcomes, investors are starting to place value on companies that have good risk management in place.
As Gall succinctly says: “Good risk outcomes can lead to very good business outcomes.”
Looking for a great career opportunity? Australia has a shortage of candidates for the growing number of companies wanting to appoint a chief risk officer or manager.
Regional director of recruitment agency Michael Page, Adrian Oldham, says demand is strong for people with risk experience, and salaries are rising by 5 to
10 per cent a year.
Justin Breheny CPA, former CRO at IAG, adds that it is one of the few jobs that comes with a licence to operate across the organisation.
“It is an excellent career move,” he says. "It is exciting to add value, you have unfettered access to most levels of the company and it’s one of the most influential jobs in the company.”
While regulators have lifted the CRO role in financial services, risk-management principles are flowing through into other sectors where employers are seeking people with those skills. Industry and commerce now see internal audit as adding value rather than just “tick and bash”, says Oldham. He says operational risk roles are varied and interesting, because they involve examining controls and processes and working on “what if” scenarios.
David Gall, CRO at NAB, says it’s a priority for him to develop the reputation of the risk-management function, so that he can attract the bank’s own staff to his team. If NAB’s up-and-comers gain experience in risk, he says, they will take those skills throughout the bank, adding value to the organisation and its customers.
This article is from the February issue of INTHEBLACK.
The rewards of managing risk