IT Compliance Institute, December 18, 2007:
Trends and Technologies
Changing Risk: Enter the CRO
What you don't know can kill you -- or sink the company. As executives and boards of directors demand an integrated, enterprisewide view of risk, they're turning to chief risk officers (CROs) to provide it. Where should CROs fit inside an organization, and do they have the authority and oversight to really make a difference? Learn how to make a CRO succeed.
By Mathew Schwartz
Will the chief risk officer (CRO) conquer risk?
On the index of corporate worries, managing enterprise risk—including IT, financial, strategic, operational, and external threats—is a rapidly growing concern. Not surprisingly, perhaps, many organizations have commissioned a CRO: a senior-level position devoted to identifying and coordinating a company's response to its biggest risks.
The CRO role is not new. Experts say it originated in financial services firms, gaining traction around 2003 in response to Sarbanes-Oxley requirements. The role's purview and popularity, however, have since expanded. Indeed, an Economist Intelligence Unit study found that over half of executives and boards of directors think the primary benefit of having a CRO is to more thoroughly identify all of the risks facing an organization.
Two external drivers for creating a CRO role today are coordinating a company's response to multiple regulations, including Sarbanes-Oxley and Basel II, and managing rating agency scrutiny. In particular, the New York Stock Exchange now requires a listed company's audit committee—part of the board of directors—to "focus on the organization's risk assessment and risk management processes," says Forrester Research analyst Michael Rasmussen. Following suit, rating agencies such as Fitch, Moody's, and Standard & Poor's have begun factoring an enterprise's total risk management approach into their credit ratings.
The successful CRO, then, looks beyond just credit risks and IT threats. Instead, he or she must gather from each business unit—while accounting for inherent biases—an understanding of the risks each group faces; prioritize the threat posed by every risk and understand how individual risks might interrelate to cause even more damage; and then manage the overall, enterprisewide response to mitigating those risks.
In other words, CROs have their work cut out for them.
The Risk Management Imperative
If it's any consolation, research suggests that taking an enterprisewide approach to risk management makes good business sense. For example, according to a study from Deloitte & Touche, from 1994 to 2003, "almost half of the 1,000 largest global companies suffered declines in share prices of more than 20 percent in a one-month period." Subsequently, one-quarter of those companies took more than a year for their share prices to recover, while as of the study's end date, another quarter still hadn't recovered.
What happened? To find out, Deloitte studied the incidents that sparked the share price declines, using the COSO (Committee of Sponsoring Organizations of the Treadway Commission) framework, which assesses strategic, operational, financial, and external risks. It discovered that many firms failed to properly identify the actual risks they faced, or to manage risk interdependencies. In fact, as noted in the resulting report, more than 80 percent of incidents were the result of "several types of risk interacting to produce an even greater loss in value." Most surprisingly, however, the majority of major incidents stemmed from low-probability, yet high-impact events.
As that suggests, a successful enterprise risk management program tracks much more than just IT or credit risks. "How many companies went out of business in New Orleans because they had no business continuity or disaster recovery plans in place?" says Patrick J. Conte, president and chief executive officer of Agiliance. "The economy, wars, famine, social strife, droughts, mudslides, natural disasters: these things happen in markets that companies trade in, have nothing to do with breaching your IT systems, and they are going to affect your company."
Assembling an enterprisewide view of risk, however, isn't easy. In particular, says Rasmussen, many business groups have inherent biases:
Accordingly, the CRO must not only consolidate risk information from many different business groups, but also reconcile their different risk perspectives.
Building a Successful CRO
Given the importance of managing risk, what can businesses do to ensure the CRO role is successful? For starters, know that status counts, and just having a c-level title won't be enough. "One important consideration is the stature of the individual within the organization, which gets to reporting lines as well," notes Carol Beaumier, head of the financial services and regulatory consulting practices at Protiviti. "But this obviously has to be someone who can think strategically, who understands the marketplace, who can communicate up and down the organization, and someone who is well respected and can analyze all of the risks that affect the organization."
With the increasing number of c-level positions now at large—CSO, CISO, CCO, CPO—do companies risk creating confusing lines of risk management communication and authority? "The challenge of course is the right degree of coordination and cooperation among individuals," she says. "The chief risk officer should be sitting above it all, and have the broadest perspective, so all these other positions feed in information to the chief risk officer."
CRO: Think Czar
To conceptualize how a CRO can effectively gather this information in the first place, Conte recommends looking past the "chief officer" part of the title. Unlike a CEO, CFO, or CIO, the head of risk management typically has few staff and a minimal budget. "It's really not like the president or the head of state—it's more like the drug czar," he says, referencing the US government position. "They're collection points for information; they don't have a big staff." Instead, the role cuts across multiple lines of business, taking a "matrixed management" approach to involving others and building the requisite, integrated view of enterprise risk.
Of course, playing czar requires polished powers of persuasion. "If you're going to try and influence the risk strategy of an entire organization, you have to be somebody whom the organization trusts, believes, and is going to follow," notes Beaumier. Extensive experience in many different business areas, then, is a decided plus. "A lot of times, I think you'll find CROs are very seasoned individuals, who may have worked in different departments in an organization or throughout the industry, because they really do need to break down the silos and think 'big picture.'"
The more experience, then, the better: that risk big picture just keeps getting bigger.
Mathew Schwartz is a former contributing editor for the IT Compliance Institute. You can contact him about this and other articles at Mat@PenandCamera.com.
This article originally appeared in IT Compliance Institute and is reprinted by permission of 1105 Media, Inc.