The Evolution of the Chief Risk Officer Role

“The Chinese use two brush strokes to write the word ‘crisis’. One brush stroke stands for danger; the other for opportunity. In a crisis, be aware of the danger–but recognize the opportunity” – John F. Kennedy

The above-shown strokes are the Chinese symbols for “Risk”. The first symbol is known to represent “danger” while the second one symbolizes “opportunity”. The idea of placing them together is to portray that risk is a strategic combination of vulnerability and opportunity.

When viewed from this perspective, Enterprise Risk Management (ERM) is a palette of tools for managing and curtailing risk in a way that would enable the corporation to have an edge over the value-enhancing opportunities and to take leverage of them, than to fall prey to them.

As practiced in the past, many organizations continue to address risk as an isolated system with the management of insurance, risks associated with operations, foreign exchange, credit, and commodity, as niche and mutually exclusive affairs. However, in the new era of Enterprise Risk Management (ERM) all these functions would work in a strategic, integrated, and Enterprise-wide System. And although the management and mitigation of risk are coordinated with top-level executives, the employees at all tiers of the organization are encouraged to view risk management as an inherent and continuous part of their job profiles (1).

This Enterprise Risk Management (ERM) model demands the leadership and guidance of an individual having a global perspective of the interrelationship of all risks which have or could arise within the entire organizational setup.

The role of the Chief Risk Officer (CRO) is a result of the entire ERM movement which felt the need and the urge of a senior-level professional who could shepherd the concept.

The interest and investment in the ERM arose post some high-profile financial scandals, which had led to tremendous losses to both employees and shareholders. This brought forth a huge demand and urge for more responsible methods of corporate governance, risk oversight, and better internal control. The federal interventions put forth as standards, regulations, and legislations also help harmonize this approach (2).

What it takes to be a Chief Risk Officer (CRO) :

There have been a variety of factors that have to be taken into consideration, while conducting a search for the perfect Chief Risk Officer (CRO), for an organization. The 7 major factors, as issued by Protiviti includes :

  1. Role and Expectations, as defined by the Board and Management: The CRO may have to focus more on the strategic issues or more tactical matters, like managing compliance. The nature and scope of the position in the industry have a profound effect on the type of individual needed. Therefore, Chief Risk Officer roles and responsibilities play an important role in the functioning of a successful organization.
  2. Experience Requirements: Chief Risk Officer qualifications are usually expected to be executives with a minimum of 15 years of experience, especially in the role of Risk Management, within the same industry, and also in reporting to the board.
  3. Critical Thinking Skills: Managerial skills including, strategic, thinking, effective data analysis, and analysing risks by disaggregating business plans, among others, are of paramount importance.
  4. Interpersonal Skills: The CRO also needs to be proficient in both written and verbal communications, which would help support the CRO and his colleagues in establishing effective relationships and also to motivate others for the same.
  5. Keen Business Acumen: The CRO must have sound Business and Financial judgement, with critical problem-solving skills, which form the backbone in serving as a trusted advisor and a control authority.
  6. Strong Process Orientation: If the CRO is tasked with assisting the company in developing processes to define, track, and report on key business risks, a thorough understanding of processes and core management activities is required.
  7. Cool under Fire: In order to navigate through a crisis, concise, straightforward communication and active knowledge-sharing styles are required(3).

Above all, the most important factor to consider when hiring a CRO is whether or not the person would “fit” or mesh with the business. The whitepaper also includes questions for the board of directors to answer when assessing the CRO role at the company(4).

The Role of the Chief Risk Officer (CRO) :

The Chief Risk Officers (CROs), or Chief Risk Management Officers (CRMOs) as they may sometimes be referred to as, are corporate executives, who are mainly responsible for the identification, analysis, and mitigation of risks of both classes, Internal Risks, and External Risks. The role also looks after the compliance of the organizations’ policies and decisions with the regulations and guidelines of the Government, and review any factor that may hurt the investments or business units of the organization.

CROs generally have exhaustive experience in the fields of legal affairs, accounting, finance, or actuarial backgrounds.

As the title goes, the position of the Chief Risk Officer is a more dynamic and constantly evolving one. With the advent of technologies, there is also an increased peril linked with its adoption into an organization, the CRO governs the security of data, guarding of Intellectual Property Rights (IPRs), and protection against frauds pertaining to various aspects of the organization. The CRO oversees the internal functions by the development of internal controls and audits, helps to identify the potential risk factors which may arise from within the organization, and therefore can be identified and tackled before they result in chaos or invite regulatory actions.

In the wake of the recent events, the most pivotal role played by the CROs would be :

  1. If the company is involved in the handling of sensitive data, like those including personal health, membership data, political opinions, religious or philosophical beliefs, etc. from a third-party agency, then there are numerous layers of data protection and encryption provided to maintain the confidentiality of the data. The CRO would have to ensure total responsibility of maintaining the confidentiality of the data.
  2. If in the above case, there was a lapse in the security, as the employee in-charge gives data access to an unauthorized person, within or outside the company. The CRO must address this issue at the earliest and should report the same to authorities and also analyze if this would constitute a competitive risk, if a potential rival organization may exploit the data with the intent to take away clients or to tarnish the public image of the organization or the company. In this case, the CRO must bring about the mitigation strategies and the decisions needed to protect the company.
  3. If in case, there is a scenario where the company has an operating warehouse or manufacturing unit or production facility at a place that has civil or political unrest, there may be a chance where the staff may be harmed while performing their regular duties. The CRO would be in charge of settling the disputes in form of the compensations and taking the decision to curtail the losses.
  4. Also, even if any of the employees have been tested positive for influenza or the contagion, the responsibility to enact in the best interest of the employees working at the facility and to ensure the panic does not counter-effect the company’s progress, rests with the CRO.

All of the aforementioned scenarios, which seem tedious, but just form the tip of the iceberg of the roles and responsibilities of the  CRO of an organization (3).

The concept of Integrated Risk Management (IRM) is a relatively new discipline, where the priorities and strategies are likely to evolve spontaneously. The most important task of the CROs over the next few years would primarily pertain to the supervision of the company’s response and compliance with the regulatory requirements, and also to inform the sources of risk to the board members and to ensure business continuity, with the ability to sustain operations even in the cases of disasters alongside financial services.

The rise and the evolution of the post and the responsibilities of the CROs have marked a watershed in the manner most firms, companies, and organizations perceive the risk and consequently act on the same to help the latter remain afloat. In contrast to when the risk officers were associated with the task of the quantification and offsetting of the financial risks, they are now given the responsibility of the identification, analysis, and strategizing the mitigation methods of all risks that would arise in the organization owing to the numerous factors.

With this kind of evolution, the CROs of the future would be given various tasks, of which the measurement and management of operational risk in the coming years, which would demand an approach with a mix of qualitative and quantitative measures, where these specialized skill sets of the new CROs and the experience of the seasoned CROs would help form a successful blend of the strategies (4).

References :

  1. Tom Aabo; John R. S. Fraser; Betty J. Simkins (2005). The Rise and Evolution of the Chief Risk Officer: Enterprise Risk Management at Hydro One. , 17(3), 62–75.
  2. Part Three: The role of the chief risk officer (CRO). (2005). Journal of Healthcare Risk Management, 25(4), 19–24.
  3. https://www.protiviti.com/US-en/insights/board-perspectives-risk-oversight-issue-17
  4. https://erm.ncsu.edu/library/article/finding-right-cro
  5. https://www.investopedia.com/terms/c/chief-risk-officer-cro.asp
  6. http://graphics.eiu.com/files/ad_pdfs/EIU_CRO_WP2.pdf

Submitted by: Ryan Varghese, Member of Student Risk Club (SRC)


You may also like

Leave a reply

Your email address will not be published. Required fields are marked *

More in Riskshots