AdSlot 1 (Leaderboard)

Ahead of risk or a head of risk?

Do you have a chief risk officer in your organisation? That is precisely the question that institutional investors, analysts and stakeholders want answered. They want assurances that you have identified someone within your organisation who oversees risk.

As a responsible executive, you should be able to offer the full list of risk measures you have taken to cover your entire organisation from risk. And that may include designating someone within the organisation as CRO – or chief risk officer. You then ought to ask yourself an important question. Does having a CRO make you, metaphorically, sleep easier at night? Or does it mean that you have simply provided another version of the safety blanket so that if something goes wrong it will be possible to work back through the procedures and show that, despite the disaster, the systems worked well, though they could not have picked up this particular disaster coming, as it did, out of left field.

CROs can be useful by acting as a focus for risk procedures through the organisation. And they could, perhaps, be useful should they identify a gaping hole in the corporate defences. But, in reality, the CRO’s position is a token post to placate corporate governance nerds outside your organisation who wish to see you complying with recent corporate fashions.

Take heart from Michael Power, author of The Risk Management of Everything, a book which shows how we have retreated into a world where everything is defined as risk management and where we are no longer allowed to take risks but must instead subsume all of management into a risk model that doesn’t actually lower risks but acts purely as a system for minding our backs.

Power points out that the use of the word officer “endows any role with a seriousness and officialdom which it might not ordinarily have”. It is something which can be added to a long list of developments, including compliance officers, health and safety officers, information officers and knowledge officers. These fads have come and gone, and where they have stayed have generally been considered a nuisance. Not because they have provided new insights and saved directors from the consequences of their actions but because their new empires have got in everyone’s way.

Power points out that an article last year in the Harvard Business Review did half-seriously propose the invention of a ‘chief ignorance officer’. “Some of these roles come and go,” says Power, “such as that of chief operating officer, which has been strongly associated with the rise and fall of the conglomerate form.” But the idea of a chief risk officer is in the balance. Is it a fad or will it last?

He questions whether a CRO is responsible for risk overall or simply for the systems and says that officerships such as this can be the dumping ground for problems or a way of telling the world that one is serious about an issue. In this respect, CROs may be an organisational fix, and a risky position as a potential blamee. Both of these are undesirable and uncomfortable places to be.

The whole system raises worrying questions. Some of those which Power asks are: “Might the internal allocation of risk responsibility be counterproductive in any way? Do some risks slip through or cut across the responsibility design net? Emergent risks, which are difficult to characterise, defy easy allocation precisely because their nature and causality is poorly understood or contested. Internal accountability structures may be driven by habit and existing practice without regard to the limitations of mapping individual responsibilities to risks. Indeed, the entire process raises the spectre of a kind of hyper-accountability in which the CRO acts as an internal monitor demanding risk auditability.

This is where many organisations now find themselves. We have all seen the presentations with the interlinking of responsibilities snaking upwards and downwards. No one can escape in this web of accountability for risk and risk reporting. The question now is whether it genuinely adds value to your organisation.

As Power puts it: “To the image of a risk champion with a roving role to challenge control practices must be counterpoised that of the controlling bureaucrat presiding over an unnecessarily elaborate and distracting system of internal accountability, surrounding herself with a panoply of comforting control instruments and culturally legitimate quantitative techniques.”

Related reading