

Divide and Conquer

Sat, 25 Jun 2011 09:51:36 GMT

In my recent conversations with various board members and senior risk officers, I have become more certain of the need to end the dual and conflicting roles assigned to the newly emerged Chief Risk Officer. It is not reasonable to expect a company to make its most effective use of risk capital when its best resource for such is also expected to act as a watchdog. While such an arrangement helps to deal with the Board/CEO agency problem, it simultaneously under-serves shareholders by diverting the attention of those who best understand risk from advising on how to best use it.

In the emerging role of Chief Risk Officer, several trends can be documented. First, the role has realized a quick ascendancy in the corporate hierarchy. Second, the quick ascendancy has provided both an opportunity for influence and an opportunity for blame. Third, as Board members realize the dearth of understanding of modern risk practices among most board members, there is greater reliance on a direct line to the risk-management infrastructure.

See the image below for the typical expectations of a CRO, delineated by their business enhancement or oversight functions. I contend that at each level of responsibility in this chart, there is a conflict of obligation which undermines the potential to address each effectively.


In the most effective governance structure, a Board of Directors, as a whole, will give its chief executive directives on corporate objectives and the rules by which those objectives can be pursued. The Board’s other chief duty is then to evaluate the performance of the chief executive in his/her pursuit. This clear and singular relationship between the Board and the company creates clear accountability, albeit with the aforementioned agency risk.

As a check on the agency risk, many boards are giving their corporate chief risk officers either a direct or indirect reporting line to them. While well-intended, the result is that there is now a diffusion of accountability and a perception, perhaps unintentional, that the Chief Risk Officer is now responsible for the risks of the company, while the Chief Executive Officer is responsible for the business of the company. Businesses exist to take risk. Every business decision is a risk-taking/management decision and thus the management of risk should never be separated from the management of the business.

Those engaged in Chief Risk Officer roles often bring to their role a unique appreciation of the stochastic nature of the future. This is a complementary talent in the same manner in which a unique understanding of marketing, communications or customer trends complements the overall business decision-making process. Yet, as long as a company’s Chief Risk Officer has divided tasks (escalation of issues or perceived ownership of all that goes wrong, and effective taking of risk), neither can get full attention. Rather, as I argued back in 2001, the ultimate evolution of the risk manager is to that of a business line advocate. The unique skills they bring are best employed by educating and providing resources to the business lines in such a manner that the management of risk sits as close as possible in the organization to the point at which the risk is being originated.

If the CEO is properly incented to ensure that the company has sufficient risk management resources, and is expected to report to the Board on a regular basis how such is being achieved, the CRO is freed to pursue the most effective use of “risk capital” for the company.

The agency problem still exists, though, and boards cannot ignore it. To deal with this, the creation of a Board Chief Risk Officer, whose task it is to randomly audit elements of the company’s risk infrastructure for consistency with the reports of the CEO, is warranted. The reporting line is direct to the Chair of the Board, or the Lead Independent Director. There is no confusion about their responsibility and there are no conflicting objectives in their job description.

The Board Chief Risk Officer is in effect an internal-external audit role. The BCRO’s job is to sample, test and report. It is not accountable for things that go wrong, as that is the CEO’s accountability. But it is accountable for reporting and affirming whether the reports of the CEO to the Board regarding the management of risk are accurate. In fact, such could be codified in regulation.

The image below shows how the conflicting duties of the current CRO have been divided among these two roles:


Note, you can listen to a webinar where I expand on this in the context of networked and distributive governance. My presentation is in the first 30 minutes of the session, with some Q&A at the end.
