Derivatives in the Boardroom?
the business management side of the CRO's function. The CRO who reports to an audit committee, therefore, ends up being more of a risk controller than a risk manager.
So among these options, logic guides the structure as follows: If you want your CRO to be a risk controller, he should report to the audit committee, not to the CFO. If you want your CRO to be a risk manager, i.e. someone who produces and uses risk information for better business management, then the CFO should be his boss. In most cases, it is not advisable to have the CRO report to the CEO, since the CRO function is bifurcated between risk management and control, and he will have a hard time doing a great job at either role.
How the Roles Stack Up-The CRO as "Risk Manager"
The enlightened CRO sees his role as one who allocates and optimizes risk capital. Risk capital is the amount of capital a firm risks when undertaking a business activity, and is just as important, if not more so, than cash capital.
For example, an automotive plant and a new drug may both cost $100 million in cash capital to establish. However, an automotive plant can always be redirected to alternative uses, so the plant builder cannot lose more than (let's say) $60 million, while the drug company could lose $300 million more due to lawsuits if the drug proves harmful. Then the risk capital for the plant is $60 million, and the risk capital for the drug company is $400 million. () Yet if each investment has identical expected cash flow, and the risk is considered diversifiable, WACC models will value these investments the same in theory. In practice, of course, no firm would value these commensurately since they do not view their capital access as being unlimited. One could argue in this case that the risk capital is more important than the capital commitment in making the decision to invest.
The CRO's role should be to fully capture and understand enterprise risk with a view towards optimizing the firm's investment policies. To do this, the CRO needs good integrated risk measurement tools at the project and business level. To ensure line managers manage risk well, the CRO must also control risk budgets and determine the costs of taking risk by each of the business units. The empowered CRO is able to use the price of risk as a mechanism to induce managers to take risk responsibly and consistently.
The CRO as risk manager should also be responsible for providing information to better manage the portfolio of the firm's assets. For example, the CRO of an airline company should be able to add a risk dimension to the analysis of profitability by business unit, as shown in Figure 2.
His analysis recognizes that while the Americas business brings in the highest expected cash flow, Australasia brings in the highest quality cash flow, i.e. cash flow per unit risk. Given the choice of investing an incremental dollar in Americas vs. Australasia, this chart suggests that