[BETA] Fortnightly

 

Positioning the risk professional in the corporate hierarchy.

If necessity is indeed the mother of invention, in the instance of the growing popularity of chief risk officers (CROs), good business sense is the father. This is perhaps the most critical moment of the post-Industrial Revolution era for all manner of corporations to have the input of a risk professional at their service. But how do you position them in the hierarchy for maximum effectiveness?

These increasingly significant senior executives are relative newcomers to corporate America, and it wasn't long ago that corporations had no risk officers at all, let alone CROs. But with the highly publicized detailing of problems at Long-Term Capital, Enron, Global Crossing, Tyco, and others, the need for formal risk management and control functions is manifest and compelling. And while many firms have taken the step to appoint a CRO, the risk management function is still not well defined in all cases. Some see the CRO's role as the steward of the firm's risk portfolio; others view the CRO as the risk controller. In most cases, the CRO role is both, making this executive something of a hybrid-balanced between risk manager and risk controller. It is in these cases that conflicts occur. But there are solutions to resolve this dilemma, an important undertaking since, when properly structured, the function immediately becomes a powerful vehicle to facilitate informative risk disclosures to corporate stakeholders.

The CRO's Reporting Lines: The Three Common Approaches

The CRO reports to the CFO at most companies. The benefit of this structure is that it tends to concentrate and leverage financial risk expertise in the CFO's office, where it belongs. But there is a distinct disadvantage to this set-up: If the CRO is expected to challenge the CFO on financing or securitization choices, because of the CRO's subordinate position, he may fail to challenge effectively.

Some firms have responded to this dilemma with a second option, by having the CRO report to the CEO directly, thus avoiding the potential CRO/CFO structural conflicts. But this is an imperfect solution. Given the CEO's other concerns and business management strengths and limitations, he may tend to marginalize the CRO. Moreover, given the typical clusters of priorities, what CEO will have the bandwidth to address "mere" risk issues when so-called strategic issues take center stage? And what is the cost of severing the organizational ties between the CRO's function and that of the CFO? In this reporting set-up, will the CRO have less access to the vital financial expertise of the CFO's office? When the CRO reports to the CEO, he may be in a slightly better position as risk controller, but he is certainly in a weaker position as a risk manager.

A third alternative considered by some is to ask the CRO to report to the audit committee of the board of directors. However, the audit committee is focused on accurate reporting and disclosure, not on how risk management might help the business run better. In many cases, the audit committee members have no background or interest in