Although Australia was spared the worst of the financial crisis and its economic fallout, local organisations were often overrun by unexpected events and by the materialisation of risks that had been lurking in the shadows undetected.
Among smarter boards and CEOs, these insights are provoking a reappraisal of current risk management philosophies and practices. They are concluding that ERM and other risk and compliance management processes need to be driven aggressively and continuously from the top – potentially by a dedicated chief risk officer or senior risk executive.
"ERM and other risk and compliance management processes need to be driven aggressively and continuously from the top – potentially by a dedicated chief risk officer or senior risk executive."
Partner in Charge, Risk Consulting
The appointment of a senior risk executive raises real issues about the authority and status of the position, who they report to, whether the risk executive should be the individual in charge of internal audit or if internal audit should be subsumed within a broader risk management function.
Certainly there should be an expectation that the risk executive will be involved in most, if not all, key business decisions. In some companies the status of the job is underlined by making the appointment subject to board ratification.
Of course, appointment of a senior risk executive should not diminish the responsibility of boards, CEOs and other senior executives for a range of risk management matters. However, the appointment does recognise that board and executive responsibility for risk inevitably will be diluted by other matters.
Business units and functional areas should also remain responsible for their own risk management activities. The risk executive's role is to make sure appropriate standards are developed and maintained, that everyone speaks the same risk language and that significant risks are not falling 'between the cracks'. Appointing a senior risk executive should add an additional level to an organisation's risk management capacities, augmenting rather than replacing existing resources and arrangements.
In this context, a good risk executive should be able to strengthen organisational risk management practices in five critical areas.
Strategic risk and reward goes to the heart of what an organisation does and how it goes about it. History demonstrates that important decisions (e.g. major acquisitions) are often made with insufficient attention to the potential risks and downsides. The risk executive should ask the questions that others are too uninformed or frightened to ask and spot the elephants in the boardroom.
Risk management increasingly draws on a blend of specialised statistical, actuarial, financial and economic modelling skills together with a dash of old-fashioned business nous. The risk executive assembles and develops the requisite skill sets and encourages a creative interaction between risk management specialists and the organisation's executive team to produce insightful and reliable conclusions. This work is the basis for crucial decisions about what risks to avoid, mitigate, transfer and carry.
Studies of board and management decision-making processes demonstrate that decisions are often influenced by what are essentially irrational and emotional considerations. The risk executive can inject an element of objectivity and balance into the deliberations. He or she should be conscious of the limitations of current risk management practices, avoid offering certainty where none exists and keep discussions grounded in reality (i.e. the difference between what we wish for and what we actually know). They will assist the board and management to stress test their risk register and consider contingent risks.
In many organisations, risk management processes and systems differ across business units and functional areas, as do the techniques for quantifying and classifying risk. When these matters are poorly integrated, and the absence of a common risk management terminology exists, potentially dangerous gaps in the understanding and coverage of risk are likely to arise. The risk executive seeks to weave these disparate threads into a seamless whole.
Organisational theory stresses the desirability of promoting consistent behaviours and terminologies to avoid confusion and misunderstanding. Ensuring that the relevant managers are fully accountable for understanding and managing designated risks reinforces the appropriate behaviours and discourages inappropriate and unauthorised risk taking. A good risk executive promotes consistency and drives accountability.
Organisational risk management is an evolving science – likewise, the skills required to be a great risk executive are evolving.
A sound overall business knowledge is essential, as are strong analytical skills. They have the ability to place technical risk issues into broader business contexts. They appreciate and are sensitive to the broader economic and social environments in which their firms operate. In the end, however, personal qualities are likely to be paramount.
Good risk executives possess superior communication skills and the presence and confidence to argue an unpalatable position. They can motivate others to pursue appropriate policies and practices and have the strength of purpose to rein in the unbelievers and backsliders.
They can be assiduous in identifying unnecessarily high-risk practice and policies and ruthless in eradicating them.
A great chief risk officer can be an instrument of profound value for organisations that understand how to empower them.