US financial services institutions led the way in the mid-1990s and today there are 200 companies around the world with a board-level chief risk officer (CRO) – and not only in financial services.
James Lam, founder and vice chairman of New York-based risk management consultancy ERisk, is credited with defining and developing the CRO role when he was hired in 1993 by GE Capital to set up a new capital markets business. Later he was given the same position at Fidelity Investments.
He says the rise in the number of CROs is a result of pressure from shareholders, regulators and senior managers for accurate risk information aggregated from across the business.
There are five key areas for which a CRO typically has some level of responsibility, says Lam. These are to integrate credit risk, market risk, operational risk, economic capital and risk transfer.
“The value of creating a CRO role is firstly, integrating the risk management capabilities of the company, and secondly, raising the risk management function to a ‘C’ level position, so it’s no longer a back- or middle-office function, but becomes part of the executive function,” he says.
The CRO usually works alongside the finance director, reporting to the chief executive or COO. Lam says it makes sense for a CRO of a company that operates in a risk-intensive business, such as banking, insurance or energy, to report directly to the most senior executive officer because risk is so important.
It was the position of chief information officer (CIO), which swiftly rose to prominence in the late 1980s and early 1990s, that prompted Lam to create the title of CRO. “The CIO role came about because companies wanted to manage their different IT systems with an integrated approach and appoint a CIO. I saw a direct parallel in risk. Credit risk, market risk, operational risk, are highly related and you need to manage them as a portfolio,” he says.
According to Jean Hinrichs, global risk director at Barclays Global Investors, CRO is now an accepted standard role in US financial services organisations, and is an expectation of clients and regulators.
In the UK, it is also still predominantly financial services companies, such as Barclays Global Investors, that have recognised a need to appoint a risk officer to a senior position. “The primary reason for centralising risk management under a senior executive is that it gives you equal footing and input at the senior management level and speaks very loudly to clients and public that we’re very serious about risk management,” Hinrichs says.
John Hurrell, managing director of Marsh Risk Consulting, notes that recognition of the need for a senior executive to oversee all of a company’s risk is now beginning to move, albeit slowly, into other UK corporate sectors, driven largely by the Turnbull report and requirements of corporate governance.
He sees the key functions of a CRO as being to embed a risk consciousness in the company so that risk becomes part of the decision-making process, and to manage reputational risk.
Hurrell argues that, as the role evolves, reputational risk will become its most important aspect because boards will seek to protect stakeholder value and minimise the damage that may result from adverse publicity if a problem occurs. “I don’t think many UK organisations are creating a new role labelled CRO but what’s happening is that there’s more awareness at board level that somebody, and it’s probably the FD, needs to take an overall view of risk in the organisation and probably needs an infrastructure, which may be one person or a team, to take on that role,” he says.
Richard Raeburn, acting head of the Association of Corporate Treasurers, feels there will be a slow process of evolution among corporates towards the creation of a central risk function because of the complexities involved in integrating the different risk silos.
Last December, Delta Air Lines in the US promoted its risk manager to CRO, partially because of a growing awareness that property, casualty and information security risks were becoming harder to manage. Delta wanted an executive who could take a holistic view of all the company’s risks and what the financial implications of those risks would be.
And, last August, Zurich-based meditech company Sulzer Medica became the first in that sector to appoint a CRO, Dr Gabor-Paul Ondo, after it had been spun off from its parent and had faced lawsuits in the US after having to recall thousands of its hip and knee implants.
“Our goal today is that we cover all major risks across the group and across all functions of the value chain – and at the end of the day it has to be a unique and tailor-made group risk management system for Sulzer Medica,” explains Ondo.
Where Ondo believes Sulzer Medica differs in its risk approach is that it no longer looks at risk as risk. “We look at what opportunities might arise from risk,” he says. “Because the company wants to create long-term financial stability my job is to create the tools and environment that give us the ability to balance profit and risk – and this has to become part of the company’s performance measurement system.”