Positioning the risk professional in the corporate hierarchy.
If necessity is indeed the mother of invention, in the instance of the growing popularity of chief risk officers (CROs), good business sense is the father. This is perhaps the most critical moment of the post-Industrial Revolution era for all manner of corporations to have the input of a risk professional at their service. But how do you position them in the hierarchy for maximum effectiveness?
These increasingly significant senior executives are relative newcomers to corporate America, and it wasn't long ago that corporations had no risk officers at all, let alone CROs. But with the highly publicized detailing of problems at Long-Term Capital, Enron, Global Crossing, Tyco, and others, the need for formal risk management and control functions is manifest and compelling. And while many firms have taken the step to appoint a CRO, the risk management function is still not well defined in all cases. Some see the CRO's role as the steward of the firm's risk portfolio; others view the CRO as the risk controller. In most cases, the CRO role is both, making this executive something of a hybrid, balanced between risk manager and risk controller. It is in these cases that conflicts occur. But there are solutions to resolve this dilemma, an important undertaking since, when properly structured, the function immediately becomes a powerful vehicle to facilitate informative risk disclosures to corporate stakeholders.
The CRO's Reporting Lines: The Three Common Approaches
The CRO reports to the CFO at most companies. The benefit of this structure is that it tends to concentrate and leverage financial risk expertise in the CFO's office, where it belongs. But there is a distinct disadvantage to this set-up: If the CRO is expected to challenge the CFO on financing or securitization choices, because of the CRO's subordinate position, he may fail to challenge effectively.
Some firms have responded to this dilemma with a second option, by having the CRO report to the CEO directly, thus avoiding the potential CRO/CFO structural conflicts. But this is an imperfect solution. Given the CEO's other concerns and business management strengths and limitations, he may tend to marginalize the CRO. Moreover, given the typical clusters of priorities, what CEO will have the bandwidth to address "mere" risk issues when so-called strategic issues take center stage? And what is the cost of severing the organizational ties between the CRO's function and that of the CFO? In this reporting set-up, will the CRO have less access to the vital financial expertise of the CFO's office? When the CRO reports to the CEO, he may be in a slightly better position as risk controller, but he is certainly in a weaker position as a risk manager.
A third alternative considered by some is to ask the CRO to report to the audit committee of the board of directors. However, the audit committee is focused on accurate reporting and disclosure, not on how risk management might help the business run better. In many cases, the audit committee members have no background or interest in the business management side of the CRO's function. The CRO who reports to an audit committee, therefore, ends up being more of a risk controller than a risk manager.
So among these options, logic guides the structure as follows: If you want your CRO to be a risk controller, he should report to the audit committee, not to the CFO. If you want your CRO to be a risk manager, i.e., someone who produces and uses risk information for better business management, then the CFO should be his boss. In most cases, it is not advisable to have the CRO report to the CEO, since the CRO function is bifurcated between risk management and control, and he will have a hard time doing a great job at either role.
How the Roles Stack Up: The CRO as "Risk Manager"
The enlightened CRO sees his role as one who allocates and optimizes risk capital. Risk capital is the amount of capital a firm risks when undertaking a business activity, and is just as important, if not more so, than cash capital.
For example, an automotive plant and a new drug may both cost $100 million in cash capital to establish. However, an automotive plant can always be redirected to alternative uses, so the plant builder cannot lose more than (let's say) $60 million, while the drug company could lose $300 million more due to lawsuits if the drug proves harmful. Then the risk capital for the plant is $60 million, and the risk capital for the drug company is $400 million. Yet if each investment has identical expected cash flow, and the risk is considered diversifiable, WACC models will value these investments the same in theory. In practice, of course, no firm would value these commensurately, since firms do not view their capital access as being unlimited. One could argue in this case that the risk capital is more important than the capital commitment in making the decision to invest.
The CRO's role should be to fully capture and understand enterprise risk with a view towards optimizing the firm's investment policies. To do this, the CRO needs good integrated risk measurement tools at the project and business level. To ensure line managers manage risk well, the CRO must also control risk budgets and determine the costs of taking risk by each of the business units. The empowered CRO is able to use the price of risk as a mechanism to induce managers to take risk responsibly and consistently.
The CRO as risk manager should also be responsible for providing information to better manage the portfolio of the firm's assets. For example, the CRO of an airline company should be able to add a risk dimension to the analysis of profitability by business unit, as shown in Figure 2.
His analysis recognizes that while the Americas business brings in the highest expected cash flow, Australasia brings in the highest quality cash flow, i.e., cash flow per unit of risk. Given the choice of investing an incremental dollar in the Americas vs. Australasia, this chart suggests that Australasia might be the better bet.
The CRO as risk manager, therefore, uses risk data to inform project and business decisions, allocate risk capacity (risk capital) to various business lines, and monitor performance on a risk-adjusted basis. In fact, in many energy companies in today's deregulating environment, performance attribution may be the most important function of the CRO.
The CRO as Risk Controller
Risks lurk on and off our balance sheets. Some are disclosed, others are footnoted, but much risk is invisible to those who scour financial statements for crumbs of insight. Risk ebbs and flows while financial statements take stop-action snapshots. Yet most corporations take only baby steps toward understanding and quantifying risk in their portfolios. Some hire consultants to provide lists of hundreds of risks, but they rarely quantify the size, manageability, and impact of the risks in question.
One must take risks to profit as a necessary matter of growth and progress. This is a legitimate part of the business process and as such, the risk undertaken should be completely overt. In fact, risk management in most organizations is the identification, measurement, and minimization of risks. But those who are over-zealous in pointing out risks sometimes imperil the potential profits of a venture seen as too risky to continue or start. Self-appointed risk managers are often pariahs, isolated and alone. They sacrifice career potential for truth, a personally damaging tradeoff. Perhaps former Enron Vice Chairman J. Clifford Baxter, who committed suicide, and Sherron S. Watkins, the Enron whistle-blower who testified before Congress, fall into this category.
For these reasons, the CRO as risk controller cannot work directly for the CFO or CEO. He must report to the audit committee. Yet even if the position is structured correctly, several problems remain. Would Enron's risk manager have been able to see the hidden risks in the securitization deals? Would he be able to draw on experience from many different industries to identify hidden risks? Would he or she have the breadth of practical knowledge to identify market, credit, operational, model, legal, systems, competitive, and other risks?
The CRO as risk controller must be a jack-of-all-trades, able to identify all the relevant risks and ensure they are being reported, measured, and managed properly. In this role, he or she must be able to credibly represent to the board, senior managers, and credit analysts how the risks are being identified, measured, and managed. It is the responsibility of the audit committee to ensure that the CRO as risk controller has the necessary resources (staff or independent consultants) to get the job done.
Efficient Risk Management Structure in the Corporation
In most large corporations, the CRO function should be separated into two parts according to the two distinct and conflicting functions often ascribed to the CRO. The first role, the CRO as risk manager, should report to the CFO. Risk capital is as important as cash capital, and measures of capital, risk, and return need to be consistent throughout the organization.
The second function, the CRO as risk controller in chief, cannot report to a business head, but must report to the audit committee. The audit committee must ensure that the risk controller has all the information and resources needed to validate risk identification and measurement practices, for the purposes of protecting the interests of shareholders and bondholders, and ensuring compliance with all relevant regulations.
The functions performed by the two roles can be articulated as follows. The functions of the "CRO risk manager" are, broadly, to identify and measure risk, make high-level recommendations on how to manage the business with risk factors in mind, and represent corporate risk policies to equity analysts. The functions of the "CRO risk controller" are, broadly, to audit the risk management practices, enforce policies, and represent his or her findings to the board and credit rating agencies. This article has pointed out the inherent contradictions between a "risk manager" and a "risk controller", and the conflict that develops when organizations have the same person perform both functions. Separating these responsibilities provides clearer recommendations on reporting lines: risk managers report to CFOs, and risk controllers report to the audit committee of the board of directors.
If your firm has a chief risk officer, consider whether he or she is more of a risk manager or a risk controller, and whether your organizational structure best defines and leverages his or her capabilities. If your firm does not have a CRO, there is no time like the present to install one reporting to the CFO, in addition to a risk controller reporting to the audit committee of the board of directors. Today's business environment demands certified experts in these vital functions, and shareholders deserve them.