
Implementing Enterprise Risk Management: The Emerging Role of the Chief Risk Officer

January 2002

Jerry Miccolis and Chuck Lee discuss the CRO approach, profile, where to find one, and how this individual should fit into the structure of the organization to make ERM a living reality.

by Jerry Miccolis and Chuck Lee
Tillinghast-Towers Perrin

Throughout this series of articles, we've argued that while executives see the value in the principle of managing risks holistically, they have been relatively slow to adopt and implement actual enterprise risk management (ERM). One reason for their hesitation has been their dissatisfaction with the tools and processes they believe they have available to manage risk at the enterprise level.

We think that concern is being addressed by the development of the kinds of tools and approaches we've described in this series, including sophisticated risk modeling that can account for both financial risks and operational risks. But there is another reason that executives have been slow to implement ERM. They have not been certain about how to make it fit into the structure of their organizations: where it should fit, who should be responsible for it, and what exactly the organizational role should be.

The Organizational Challenge

From an organizational standpoint, the traditional approach to managing the various risks to which the organization is exposed was to treat them separately, appointing someone to manage each risk. Managing a particular kind of risk became the job of individual specialists. Doing that job well meant focusing exclusively on "their" particular kind of risk.

Executives have long tolerated this segmented approach to risk management, but they have never been really satisfied with it. From their perspective, it ignores the interdependence of many risks. It erects barriers to exploiting natural hedges among the risks and sub-optimizes the treatment of total risk.

They've known that if it were possible to address all risks on a consistent basis, they would improve the efficient use of their capital. They would also make better strategic decisions, and be better informed about taking on risks to create value.

What's been missing for many organizations—and perhaps the reason ERM has yet to truly take off—is the appropriate organizational structure to implement an ERM system. At a minimum, that means getting all the disparate risk managers to work together closely. This often has taken the form of a multi-disciplined ERM Committee. For other organizations, the organizational solution has meant appointing a Chief Risk Officer (CRO).

The CRO Approach

In recent ERM surveys we have undertaken,1 including one for the Institute of Internal Auditors, we have found that, worldwide, less than one-third of companies practicing some form of ERM have a CRO (the proportion is smaller in the United States than in Europe), and almost half of these CROs have been in place for a year or less.

The relatively small number of organizations that have taken the step of appointing a CRO suggests that it is not a trivial matter. The problem has been determining just what this new creature should look like. That is, what's the right role, the right responsibilities, and the right competencies for a CRO?

Moreover, there is a wide variety of disciplines from which CROs come. According to our surveys, they are auditors, actuaries, financial engineers, strategic planners, lawyers, investor relations specialists, line operation managers, hazard risk managers, even HR specialists.

The CRO Profile

As the survey results on the "sources" of CROs suggest, at first look, it seems the CRO should be a master technician, one who commands the technical expertise of every subdiscipline of risk management in the organization, from credit risk, to market risk, to operational risk.

But that is not the case. In the first place, that model of universal expertise exists in very few, if any, individuals. In the second place, the sheer accumulation of analytic detail for all the company's risks—even if that came in one head—is not really what the organization needs.

Also, conceiving of the CRO as the "analyst's analyst" can actually create organizational resistance to the goal of managing risks holistically. Individual risk managers may view the position as a threat to them—either a direct threat as a position that would replace theirs, or an indirect threat as a position that would diminish their importance to the organization—even if this concern were unfounded. In hedging the perceived risk to their own jobs, individual risk managers may—consciously or unconsciously—create barriers to ERM.

What is required is someone to coordinate the company's risks and risk management efforts, someone who can bring senior managers consistent, reliable analysis and make recommendations that have a good fit with the organization's business strategies. It is more of a synthetic, than an analytic, task. Where the CRO position has succeeded in both meeting senior management's needs and overcoming organizational resistance, it has been defined, not as a master technician, but as a leader and facilitator and integrator. In this role, the CRO serves as a coordinator, more than a manager, of risks. He or she is a communicator who can facilitate dialog among the individual risk managers, both reassuring them of their individual value to the organization and maximizing that value.

As a key member of the senior management team, the CRO is a peer and advisor to the rest of senior management who can translate risk management into the terms that matter to their key stakeholders (i.e., stockholders, employees, customers), such as the effect of risks and risk management on capital, growth, return and consistency.

The goals of the CRO are equally holistic and integrative:

  • To create a risk-aware culture
  • To formally bring consideration of risk into strategic decision-making
  • To develop a center of excellence for managing risk, drawing on the expertise of highly skilled individual risk managers
  • To communicate to stakeholders and be an advisor to other executives and managers

The competency profile of the CRO matches the role and goals. The CRO needs to be a comprehensive, integrative thinker, with a thorough knowledge of the business and the ability to build strong partnerships with business and corporate staffs. And, perhaps most importantly, the CRO is someone who can communicate clearly in understandable language, and who facilitates and coordinates rather than functioning as a technical manager of risk.

Where To Find a CRO

So, where do companies find this model CRO? As suggested in the survey results cited earlier, CROs come from a variety of disciplines. There are two disciplines in particular, however, that have made educating their members in ERM a priority of professional development. Both the Institute of Internal Auditors (IIA) and the Casualty Actuarial Society (CAS) have made the commitment to such education.

The IIA has conducted studies of ERM best practices and begun to define what those practices imply about the future roles of their members. And the CAS, through investigations such as its own ERM survey, has identified the gaps between the current and desired ERM knowledge of its membership, and gone on to determine the methods, priorities, and timetable to implement a research and education agenda for its members—so they will be prepared to take on this role.

Within a short time, then, companies will not only have available to them the right tools to make ERM a living reality—they will have the right people to use those tools and to manage ERM professionally. ERM, then, will no longer be a promising idea. It will simply be the way to do business.


1 See the following:

  • Trends and Emerging Practices in Enterprise Risk Management, Tillinghast-Towers Perrin for the Institute of Internal Auditors
  • Enterprise Risk Management in the Insurance Industry: 2000 Benchmarking Survey Report, Tillinghast-Towers Perrin

Charles R. Lee is a consultant with Tillinghast-Towers Perrin. He is a principal of Towers Perrin and a member of Tillinghast-Towers Perrin’s North American Management Team, managing its Dallas office. He graduated from the University of Iowa in finance/insurance and industrial relations and holds the Chartered Property and Casualty Underwriter (CPCU) and Associate in Risk Management (ARM) professional designations. At the time of the Tillinghast and Towers Perrin merger in 1986, Mr. Lee managed Tillinghast’s Dallas risk management practice. Prior to entering the consulting business in 1975, he was an account executive with a brokerage firm and an underwriter and district manager for the Kemper Insurance Group. He is the author of numerous articles for finance and insurance-related publications, and conducts speaking engagements throughout the country. Mr. Lee can be reached at leecr@towers.com.


Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.

© 2000-2009 International Risk Management Institute, Inc. (IRMI). All rights reserved.