When some risk management teams are asked to weigh in on a business decision, they boil the question down to a matter of accept or reject. But in limiting their answers to a binary choice they’re missing a trick.
The strategic chief risk officer (CRO) can optimize the risk framework and function capabilities by using the traditional defensive skills, while observing and supporting opportunities with a risk mindset. This gives companies a wider spectrum of potential opportunities. For example, instead of offering a simple “no” or “reject” a better answer might be “maybe — if you remove this risk, or restructure that part of the product.”
By broadening the involvement and role of the risk team in this manner, the strategic CRO can address risks early on, while observing potential risk capacity and engaging with the most optimal risk-reward strategic solution. To accomplish this, risk teams and enterprise risk management (ERM) frameworks may need to be developed to incorporate tools, skill sets and structures that support the strategic CRO. This transition will also require a cultural change in many firms.
Here we focus on the structure of the ERM team, but don’t address other issues, such as the CRO’s position with regards to the board and objectives and remuneration. Those will be covered separately in this series.
For our purposes, we’re going to focus on four key considerations in helping risk teams find more opportunity in enterprise risk management:
1. Structure and skills
For the CRO to be able to contribute to opportunity suggestions, the risk team needs to be structured correctly. CROs should be a step away from the risk “weeds”, enabling them to focus on the key decisions (whether they concern downside risk management or opportunity support).
CROs need to have key skills in the staff beneath them and people who are known and respected in the organization. In addition to having traditional risk management skills (such as technical expertise and operational risk contacts), they should also be key strategic partners to the business — people who engage with the opportunities in a broader business context. The structure will differ between the competencies required and size of the risk teams, but the premise of having both wider business acumen and risk skills is the same.
2. Culture and communication
Many firms seek to ensure a culture of openness and transparency, such that challenges from risk management are recognized and acted upon. This openness and transparency needs to be extended to the opportunities that are informed by the CRO. This may mean shifting from a process of a binary accept or reject response at the decision stage to a collaborative relationship throughout, where there is open communication to understand and react to the opportunity suggestion or potential risk.
This will require CROs to develop sufficient credibility and buy-in from the businesses on ideas that come from outside their units. To get to that point, the CRO must demonstrate the added value from bringing risk into the decision-making process at an early stage. Risk teams need to understand opportunities and offer optimal risk solutions to overcome objections to new proposals.
Without this cultural shift, the additional insights from adapting the risk function in this way will be wasted.
3. Metrics and tools
The models and metrics in place should be used to observe opportunities, optimize risk mitigation and management techniques and ultimately support optimal decision making, as well as give early warning indicators and quantification for defensive risks. The models should enable the business to understand the impact business decisions will have on the risk profile, regardless of whether they’re strategic or mitigation choices.
Companies should ensure risk limits consider risk capacity as well as limits. They also need to incorporate a wide variety of metrics, so that all dimensions of risk and opportunity are considered.
By becoming a strategic partner, the independence and oversight of the second line risk function should not be jeopardized. Those in the second line need to challenge independently, as they have done before. Their observations for better use of risk capital and risk capacity should be based on informed metrics and knowledge.
Regulation requires separate risk taking and oversight — but having a more dynamic, rather than rigid, three lines of defense model, with processes that adapt to allow for different roles in the process can enable the added value that a strategic CRO can bring. For example, if there are times when the independence and challenge of the second line could be called into question, the third line (internal audit) can step in or another second line function can provide an oversight role.
Companies will reap the rewards of additional insight, from the effort of adjusting the governance framework to allow for these dynamic processes and the related additional documentation of the risk management in the full decision making process.
Arguments to address
There are a number of arguments against embracing the strategic CRO function. While we have covered the argument of maintaining independence and challenging decision making, one not addressed here is around remuneration and the position of the CRO in relation to the C-suite.
The debate around this continues. Ultimately, giving the board the relevant information to accept (and reject risk) will lead to business success. Measuring this and incentivizing the right people while maintaining and demonstrating independence is a challenge.
Why not use the huge investment in the second line risk function that has occurred over recent years, to add further value to your company? With minimal extra investment we believe that business decisions can be further optimized. In addition to reducing value depletion, an effective risk function will benefit their organizations by encouraging business strategy that incorporates full risk/reward considerations, helping reduce capital to more accurately reflect retained risk and assisting in optimizing capital allocation.