The Rise of the CROOrganizations Focusing on Risk Turn to a New Role in C-Suite
"My ability to deal with uncertain situations," he says. "I can't underscore the role of experience enough in this position. You can't put a recent graduate or someone from Harvard to manage risk and expect them to succeed. You have to go through the school of hard knocks -- have experience and have made mistakes along the way."
The CRO role is on the rise throughout industry today. In every sector, the increased threat of breaches, reputation and operational risks arising from potential breakdowns in internal controls and corporate governance make the CRO an emerging position.
Also, as organizations move toward an integrated approach to enterprise risk, the CRO role earns greater visibility.
"Many companies have established a CRO position in the last 18 months because of a high level of board interest in enterprise risk initiatives," says John Phelps, director of the Risk Insurance Management Society and director of business risk solutions at Blue Cross Blue Shield of Florida, a national health insurance company. "It isn't widespread yet in many industries, but regulatory pressures and emerging threats are pushing risk managers and others to ascend to the CRO position."
The main goals of the CRO role are to:
- Create a risk-aware culture;
- Bring consideration of risk into strategic decision-making;
- Develop an integrated resource center for managing risk by drawing on the expertise of highly skilled individual risk managers and business leaders;
- Communicate to stakeholders and be an adviser to the board and other executives on risk related issues.
"The uniqueness of the position comes from the board's support in setting the risk appetite and holding senior business leaders accountable for owning the risks," Blakely says.
CRO EvolutionEven with greater boardroom attention to risk, it is not enough for CROs to just align and assess risk across the enterprise and measure it using quantitative analysis. There also is a strong need to understand the qualitative aspects of risk management, including the governance process, which is the tone-at- the top and commitment of senior managers and board members to manage risks.
As a CRO, for example, Blakeley sets policies, processes and risk appetite, but does not own the risks. "They are owned by the ones who take the risk," he says. "This focus on accountability of risk and establishing a culture with the tone-at-the-top is the greatest evolution in this role."
The CRO plays the adviser to the board and senior management on strategic decisions that include the most up-to-date risks the enterprise faces on a financial, operational and strategic level. Therefore, it is important for CROs to have the right skills and qualification.
Senior executives with at least 15 years of experience are preferred, say hiring managers, especially those with experience in risk management in multiple areas, including market, credit, financial and some degree of operational risk.
A CRO needs to have the right experience to make good decisions and balance risks effectively, says Cory Gunderson, managing director at Protiviti, a global business consulting and internal audit firm. "They need to be seasoned to understand the potential consequences to decisions and ensure there is strong transparency in dialogue."
Specific skills include:
- Business Acumen: It is critical for the CRO to understand the business, its strategies and goals to define the risk appetite, Gunderson says. "How close the CRO balances these limits defines the risk appetite, which cannot be done without a keen business sense."
- Data and Analytical Expertise: Being able to look at problems logically and conduct qualitative analysis of information from a variety of sources within the enterprise is important, Blakely says. "As CROs, we need to know all about what types of data is required, how to measure risk and how much risk needs to be taken, to stay within the boundaries set at the top of the house."
- Process Orientation Skills: CROs need to be experts in process evaluations, process improvements and change management, as well as assessing the effectiveness of controls and control mitigation strategies. Their skills are important from the perspective of "facilitating and coordinating processes and controls with regard to significant risk within the organization," Phelps says.
- Critical Thinking: "Strategic thinking, the ability to think across disciplines and make business plans taking into account the future risks are essential skills needed in the role," says Robert Stroud, international vice president with ISACA and the IT Governance Institute. For example, an organization faces the threat of external penetration hack; the impact could translate into potential reputational, financial and legal risk. Here, the IT department proposes to put appropriate technical controls in place and require funding to do so. However, from a strategic perspective, funding will make sense depending on the value of information risk the organization is protecting. Therefore, the CRO will need to understand the impact of this risk on different areas of business, likelihood of attack and significance of data to practice the risk/ reward tradeoffs.
Best Fit For the RoleBecause of the proximity to the board and authority in shaping strategies around enterprise risk management, executives in many areas are all jockeying for this position. CIOs, CFOs, risk manager and legal counsel all have significant interest in the evaluation management and assessment of corporate risks. "All compete for the top risk responsibility, many times identified as the CRO," Phelps says.
So, once management commits to establishing the role, the question becomes: Who can best fit this position?
"If you are picking a CRO, typically this position will be well served if that person has background and expertise in one of the biggest risk areas within the organization," Gunderson says. From his experience, he has seen many credit officers becoming CROs within financial services, as credit risk is a key area.
Compliance and audit leaders are also desirable candidates for this position, as their roles are more interwoven with the business and governance aspects of an organization.
"If I was out in the hunt for a CRO, I would hire a candidate with expertise in the regulatory process and lots of years of experience in the business itself," Blakely says. "Someone who is not afraid to make unpopular decisions from time-to time and put their foot down and say, 'I heard this, but this is how we need to decide and move forward.'"
Experts also cite that the CRO position is largely dependent on the type of industry. However, they all agree about qualities found in the best fit for this role.
"Someone who can communicate risk in terms of business value, not just saving money or losing money, but also how you add value in terms of the organization growing and moving forward," Stroud says. "It's recognizing that not all risk is bad."
For Blakely, the fitness to his role came from multi-disciplinary experience handling different areas of business risks for the organization. "To find the right fit for this position is not easy," he says. "Most comes from poaching other institutions' CROs."
The community of experienced risk leaders is limited. Therefore, Blakely advocates leaders to mentor and train existing risk managers so they can gradually evolve into this role. He also suggests reaching out to risk management associations like Risk Insurance Management Society and Risk Management Association for seeking resources.
To be a successful CRO, one must have commitment from the top of the house, Blakely says. "If you don't have support from the top, it's time to start looking for a new job, because ultimately you will fail and find it hard to get things done."