
The global financial crisis and its aftermath highlighted risk management weaknesses in many organisations, dramatically in some instances.
Despite giving considerable attention to risk and compliance issues — including in some cases the adoption of formal enterprise risk management (ERM) programs — their efforts were found wanting. Although Australia was spared the worst of the financial crisis and its economic fallout, local organisations were often overrun by unexpected events and by the materialisation of risks that had been lurking in the shadows undetected.
One clear lesson from these upheavals is that there is a point beyond which organisations cannot fully protect themselves from severe external events over which they have little or no control. That experience also reinforces the recognition that doing business involves inherent risks — that a low risk/no risk approach is often a low growth/no growth one.
At the same time, organisations can still build resilience, avoid many unpleasant surprises and learn to live with the uncertainty that is an inherent part of business by taking a proactive approach to identifying, understanding and managing their risks. In this regard there is a strong feeling that many companies could have and should have been better at anticipating and managing recent adverse events.
As boards and CEOs reflect on lessons learnt during the GFC, certain common themes are emerging.
- Companies failed to manage 'strategic risks' that threatened their competitiveness and survival.
- Ownership of risks within organisations was often unclear or divided.
- Notions of risk appetite and ERM lacked precision.
- When push came to shove, the absence of an acknowledged risk management 'champion' often impaired decision making.
- High impact/low probability risks were poorly understood.
- Significant risk concentrations and linkages went unnoticed until they crystallised.
- An absence of purpose and discipline characterised the execution of risk and compliance programs.
- Fashionable risk management approaches such as ERM could give a false sense of confidence and were found to be only as good as the quality of their execution, which in many instances left a lot to be desired.
If companies dig deeper, they will likely find that some of the most significant risks they face are often poorly defined and quantified. This means that important risk issues are inadequately considered or overlooked by boards and CEOs during important business deliberations, including critical investment and capital allocation decisions.
Among smarter boards and CEOs, these insights are provoking a reappraisal of current risk management philosophies and practices. What they are concluding is that ERM and other risk and compliance management processes need to be driven aggressively and continuously from the top. It is refocusing attention on the potential role of a dedicated chief risk officer or senior risk executive, a sort of risk supremo.
Of course, many organisations will already possess risk managers, compliance officers, IT risk specialists, internal auditors and others in similarly titled roles. Some will have bundled risk management responsibilities into a consolidated governance, risk and compliance function. Actual job titles are unimportant. The term 'chief risk officer' (CRO) is widely used in the finance sector, but other titles are equally valid. For the remainder of this discussion we will employ the relatively neutral term 'risk executive'. What is important is the authority and status of the position.
Here, a number of considerations arise.
For example, should the risk executive be the individual in charge of internal audit? Indeed, should internal audit be subsumed within a broader risk management function? In many companies, the internal audit function enjoys considerable autonomy and a direct reporting line to the board audit committee. In addition, internal audit often possesses specialised technical skills that could be dissipated if its work were absorbed into a broader risk management role. There is much to be said for preserving internal audit's separate identity and functional autonomy while ensuring its role is properly co-ordinated with other risk management activities.
Likewise, the risk executive's position in the management hierarchy is a vital consideration. Commonly the risk executive reports directly to the CEO, or perhaps to the CFO or a COO. As the job should be a true C-level appointment, clarity of reporting lines is essential. Status and remuneration should reflect the importance and seniority of the role and the incumbent should command sufficient resources to do the job properly. There should be an expectation that the risk executive will be involved in most, if not all, key business decisions. In some companies the status of the job is underlined by making the appointment subject to board ratification.
Of course, appointment of a senior risk executive should not diminish the responsibility of boards, CEOs and other senior executives for a range of risk management matters. However, the appointment does recognise that board and executive responsibility for risk inevitably will be diluted by other matters. Business units and functional areas should also remain responsible for their own risk management activities. The risk executive's role is to make sure appropriate standards are developed and maintained, that everyone speaks the same risk language and that significant risks are not falling 'between the cracks'. Appointing a senior risk executive should add an additional level to an organisation's risk management capacities, augmenting rather than replacing existing resources and arrangements.
In this context, a good risk executive should be able to strengthen organisational risk management practices in five critical areas.
Strategic insight
Strategic risk and reward goes to the heart of what an organisation does and how it goes about it. History demonstrates that important decisions (e.g. major acquisitions) are often made with insufficient attention to the potential risks and downsides. The risk executive should ask the questions that others are too uninformed or frightened to ask and spot the elephants in the boardroom.
Expertise
Risk management increasingly draws on a blend of specialised statistical, actuarial, financial and economic modelling skills together with a dash of old-fashioned business nous. The risk executive assembles and develops the requisite skill sets and encourages a creative interaction between risk management specialists and the organisation's executive team to produce insightful and reliable conclusions. This work is the basis for crucial decisions about what risks to avoid, mitigate, transfer and carry.
Objectivity
Studies of board and management decision-making processes demonstrate that decisions are often influenced by what are essentially irrational and emotional considerations. The risk executive can inject an element of objectivity and balance into the deliberations. They should be conscious of the limitations of current risk management practices, avoid offering certainty where none exists and keep discussions grounded in reality (i.e. the difference between what we wish for and what we actually know). They will assist the board and management to stress test their risk register and consider contingent risks.
Integration and communication
In many organisations risk management processes and systems differ across business units and functional areas, as do the techniques for quantifying and classifying risk. When these matters are poorly integrated and there is no common risk management terminology, potentially dangerous gaps in the understanding and coverage of risk are likely to arise. The risk executive seeks to weave these disparate threads into a seamless whole.
Consistency and accountability
Organisational theory stresses the desirability of promoting consistent behaviours and terminologies to avoid confusion and misunderstanding. Ensuring that the relevant managers are fully accountable for understanding and managing designated risks reinforces the appropriate behaviours and discourages inappropriate and unauthorised risk taking. A good risk executive promotes consistency and drives accountability.
Organisational risk management is an evolving science. It typically seeks to identify, understand and manage the gamut of serious risks to which an organisation might be exposed, including matters that can be categorised under relevant strategic, financial, operational, regulatory and reputational headings. It offers insights into the often complex interaction of these different risks. Its practitioners work within the limitations of current risk identification and management methodologies. Much of current risk management terminology and practice derives from the banking and finance sector and must be extensively adapted to work well in other industries.
Companies typically find it difficult to locate high-performing risk executives. Many of them are drawn from backgrounds in finance, accounting and auditing. Some have engineering or IT backgrounds. A select few possess advanced statistical and actuarial skills. A sound overall business knowledge is essential, as are strong analytical skills. They will have the ability to place technical risk issues into broader business contexts. They will appreciate and be sensitive to the broader economic and social environments in which their firms operate.
In the end, however, personal qualities are likely to be paramount. Good risk executives will possess superior communication skills and the presence and confidence to argue an unpalatable position. They will be able to motivate others to pursue appropriate policies and practices and will have the strength of purpose to rein in the unbelievers and backsliders. They will be assiduous in identifying unnecessarily high-risk practices and policies and ruthless in eradicating them.
Given the sensitivity of the role, appointment of a senior risk executive should be driven by the CEO, endorsed by the board and supported by other key executives.
It would be a mistake to regard the risk executive as a corporate party pooper who closes down the bar just as the guests are starting to get into the swing of things. Instead, good risk executives enhance organisational value by facilitating more informed and balanced decision making and by encouraging a realistic and disciplined approach to risk.
The views and opinions expressed herein are those of the authors and do not necessarily represent the views and opinions of KPMG, an Australian partnership.