02 August 2009
Until the recent credit crisis there was little debate about the role of the CRO; however, failures across the financial sector have brought into question the purpose and value of a Chief Risk Officer. Should the role be one of policing operational risk, focusing on business assurance and internal audit, or should it have a broader remit that encompasses strategic risk and the wider business model of the organisation?
In many organisations the risk function is seen as something with a financial impact, and thus a CRO typically reports into the Finance Director. However, this can lead to conflicts of interest in reporting assets and reserves: the different demands of regulator and shareholder audiences. It has been argued by several leading thinkers in the industry, such as Bruno Porro of the Geneva Association, that to be effective the CRO must sit on the main board and report into the CEO. It is important to protect an organisation from self-inflicted damage like reputation risk. Here are two examples of why this is necessary.
Consider firstly the situation at AIG, the American insurance giant bailed out by the US treasury. Here it is said that the CRO was expressly forbidden from questioning the extent of the risk in financial instruments like CDS (Credit Default Swaps). The decision to move into CDS in 1987 meant that, in the words of Ben Bernanke, chairman of the Federal Reserve, ‘this was a hedge fund, that was attached to a large and stable insurance company.’ The business model itself had been running for so long with some success that it was considered beyond the reach of the CRO remit.
Consider also, nearer to home in the UK, the HBOS crisis that led to its bail-out by the UK treasury and enforced merger with Lloyds. Here too we now learn the CRO was denied the voice to question the degree of risk in an expansive business strategy. It came out in select committee questioning that a sales culture determined that the risk function need not investigate the risk in highly profitable financial instruments. As at AIG, the CRO was confined to reporting on day-to-day operational risk, not the greater risk contained in the strategy of the business model.
What do these two examples tell us? Firstly, in each case the risk function had allowed itself to be seen as a growth inhibitor, not a growth accelerator. During periods of high growth, excuses were found to marginalise the risk function: it was believed that it might be a brake on sales, gifting valuable market share to competitors. This perception of the risk function as a negative rather than positive corporate attribute is sadly not uncommon, but the important question is how it became so. Focusing on operational risk to demonstrate core competence and corporate worth has left many risk functions ill-equipped to evaluate strategic risk. Is this by accident or design?
Another learning point from the two case studies is the way the creators of complex financial instruments effectively ring-fenced their new products from too much internal scrutiny. An immunity from risk assessment emerged in the gap created by the sales culture: the Golden Goose could not be questioned. Common sense tells us that bull markets have to end, but if conventional wisdom is based on making easy money, nobody wants to hear words of caution or restraint. In both cases senior decision makers chose to trust the financial models at the expense of their own risk people. This story is as old as hubris and nemesis, and with hindsight it is easy to see how listening to a Head of Risk would have spoiled the party.
Not surprisingly the wind has changed in the financial service market worldwide. Across the world a sales driven culture has been replaced by a risk averse culture so the market has cooled. Obviously confidence will return and there will be more caution than before the crash, but now is the right time to question the future role of the Chief Risk Officer. Risk is after all about uncertainty and represents both threat and opportunity. The risk function should help endorse strategy not be kept away from it. Too many financial reports treat strategy and risk as totally separate entities yet this division is both artificial and counter-productive.
An effective CRO needs to sit on the board and contribute to creating a sound business strategy: determine appetite for risk and the market conditions which alter it. For too many CROs the role is about risk tolerance and reaction to market forces rather than appetite and anticipation of future market forces. Risk as part of business assurance must be much more than a subset of financial control; it needs to be integral to key decisions about the direction of the business. Together with Non-Exec directors, the CRO should be critical of any business model that increases reputation risk: he should be empowered to say so directly to the CEO even if this means questioning the business strategy.