Elgin Chetsanga
Over the last two decades there has been serious attention given to the role of chief risk officers (CROs) and their contribution to vital decision-making processes.
Different organisations use various titles for the CRO role depending on market norms, industry norms and their own preference.
Despite the differences in titles, chief risk officers have become more valuable to boards and CEOs than they have ever been.
The CRO is now a critical player in the decision-making matrix and he/she should be consulted extensively beforehand.
The history of the CRO role starts off in a very captivating way. It is reported that in 1993, James Lam became the first worldwide CRO at GE Capital.
James Lam would later be credited with introducing the Enterprise Risk Management Model. While in the early days of his role, Lam managed credit risks, market risk, risk transfer and hedge risk, the role of CROs would later expand to encapsulate more responsibilities.
From its humble beginnings in the 90s, the CRO role became more common after the publication of the Basel Accord, the Sarbanes–Oxley Act and the Turnbull Report.
Released in 2002, the Sarbanes–Oxley Act positively influenced the demand for the CRO role.
Later in 2008, the financial crisis would also bring the role of the CRO into focus.
Numerous companies fell into bankruptcy and this took a toll on many economies.
Realising the avoidable nature of some of the mistakes made in the run-up to the financial crisis, more and more companies would create CRO posts.
Broadly defined, the CRO is the organisation’s senior executive charged with looking after the efficient and effective governance of risks (the downside).
The CRO is now also a key player in looking after the upside associated with various risks. The CRO executes his mandate through identifying, evaluating, managing and reporting risks while working with other senior-level executives.
Typically, CROs report to the board while operationally reporting to the CEO. Other reporting structures also exist depending on industry norms or other considerations.
However, it is critical that the CRO have at least direct access to the board to allow them to have independence from management. Independence is a critical aspect of the CRO's ability to execute their mandate with a “clear eye” on issues.
Fast forward to today, the CRO is now one of the most important positions in senior management.
The superpower of any CRO lies in the ability to view risk in the context of the whole company. This integrated view of risk, known as Enterprise Risk Management (ERM), has become an internationally recognised approach to managing risks across any organisation.
This ERM approach has obvious benefits as opposed to other silo-based approaches. The ERM approach thus gives the CRO a vantage view of the organisation, which many other executives might not have given the nature of their roles.
Over the years, the way risk is viewed by CROs has also changed. In the earlier days, there was an emphasis on the traditional risk types that are ordinarily prescribed by the regulator.
The contemporary CRO is now taking a more forward-looking approach to managing risks. This is usually done through interrogating emerging risks.
Emerging risks are those whose impact and mitigations are not yet fully known but for which the corporation will need to start preparing. Common emerging risks which are on most CROs' minds include the ever-changing geo-political risks, cyber risks and technology risks.
The evolving role of the CRO has led to a transition from solely monitoring risk to now exercising the power to veto strategic decision calls.
Ventures that pose more risk to the firm than the firm’s risk appetite can be turned down, re-evaluated, or redesigned to ensure an optimum risk-return trade-off is achieved.
This greater involvement in strategic discussions by CROs has led to the risk function becoming more data intensive.
It is against this background that the CRO role is pivoting towards the use of technologies such as big data, with budgets being committed towards risk management systems.
The size of the organisation and the industry usually determine the responsibilities and requirements on a CRO.
Most CROs look after most types of risks including Strategic Risks, Insurance Risks, Market Risks, Liquidity Risks, ICT Risks, Credit Risks, Reputational Risks, Sustainability Risks, and many others.
The broad portfolio of risks that the CRO looks after normally requires that the CRO be supported by a team of risk area specialists who look more closely at each of the sub risks.
There are various pathways to becoming a CRO depending on industry type and organisational preference.
In the finance industry, most CROs come from diverse backgrounds, but a common theme is that some business experience is usually advantageous.
Characteristically, most CROs have a master's-degree level of education and a quantitative background.
The contemporary CRO is more than a quantitative person. While the role of the CRO has evolved in the past, it continues to transform with the modern CRO continuing to cultivate deep technical knowledge around various subject matters.
The broad knowledge allows the CRO to comprehend a wider range of risks and their underlying origins.
Modern CROs are also required to have strategic expertise while combining commercial, strategic, leadership and communication skills.
The contemporary CRO should also be willing to challenge other executives robustly yet constructively and be willing to be challenged too.
In summary, the modern-day CRO is not only a problem spotter but a problem solver who adds value by virtue of their breadth and depth.

Elgin Chetsanga is a Head of Risk and Compliance at a local Financial Institution. He writes in his personal capacity.



