CHAPTER 8
Becoming the Lamp Bearer: The Emerging Roles of the Chief Risk Officer

 

ANETTE MIKES

Associate Professor of Accounting, University of Oxford

One of the greatest contributions of risk managers—arguably the single greatest—is just carrying a torch around and providing transparency.

—Chief Risk Officer, interviewed on November 17, 2006

 

Opinion has a significance proportioned to the sources that sustain it.

—Benjamin Cardozo (1870–1938)

 

Despite the widespread adoption of enterprise risk management (ERM) in the financial services industry, banks suffered hundreds of billions of dollars of losses during 2007–2008, stemming from risks that few executives had understood (Treasury Committee 2007a, 2007b). Under the shock of the first subprime-related loss disclosures, industry observers raised the question: “Where were the risk managers?” (Wall Street Journal 2007). In February 2008, a joint study by the Senior Supervisors Group—representatives of eight banking supervisory bodies—noted that, while “some firms recognized the emerging additional risks and took deliberate actions to limit or mitigate them…other firms did not fully recognize the risks in time to mitigate them adequately” (Senior Supervisors Group 2008, 2). The group emphasized significant differences in firms' approaches to risk management, particularly in the design and scope of risk assessment and reporting practices.

Further, regulators and industry observers continue to call for the appointment of executives who are exclusively devoted to the role of enterprise-wide risk oversight, particularly since one early victim of the subprime credit debacle, Merrill Lynch, lacked a chief risk officer and another, Citigroup, was immediately blamed for its ineffective risk oversight (American Banker 2008). Going forward, many argue that the role of the chief risk officer is going to be further emphasized in corporate governance. As Peter Raskind, National City Bank's chief executive officer, argued in an interview in the pages of the American Banker toward the end of the first year of the subprime credit crisis: “This environment has absolutely underscored the need for that person. But it's not just credit risk. It's operational risk, reputation risk, and so on.”1

Risk management in banks is a relatively recent function. Under the leadership of chief risk officers, risk-management staff groups are currently carving out their territory in response to uncertainties ranging from adverse asset-price movements to borrower defaults and threats to the financial health of the enterprise. The visibility of risk management and, in particular, of the chief risk officer (CRO) has increased outside the banking industry, too. In a 2008 survey, consulting firm McKinsey tracked the diffusion of CRO appointments by industry in the United States (Winokur 2009). McKinsey found that 43 percent of insurance companies had appointed a senior risk officer with enterprise-wide risk oversight, in contrast to 19 percent in 2002. Other industries with a significant number of CRO appointments include energy and utilities (50 percent of companies had a CRO in 2008), health care, and metals and mining (20 to 25 percent of companies were reported to have a CRO). Furthermore, it is widely expected that rating agencies will assess the quality and scope of ERM as part of their rating process going forward (Standard & Poor's 2008).

Enterprise risk management, under the leadership of CROs, has the promise to bring enterprise-wide risks, which threaten the achievement of the firm's strategic objectives, into the open and under control. Its organizational significance is that, by providing a process to identify, measure, monitor, and manage uncertainty in strategic decision making, strategic planning, performance management, and deal-approval processes, it enables top management to maintain or alter patterns in risk taking.

This chapter addresses the question: How may chief risk officers realize that organizational significance? I draw on the existing practitioner and academic literature on the role of chief risk officers and on a number of case studies from my ongoing research program on the evolution of the role of the CRO. The first section deals with the origins and rise of the CRO and outlines four major roles that senior risk officers may fulfill. The following sections discuss and illustrate those roles.

THE ORIGINS OF THE CRO

In 1956, Harvard Business Review published “Risk Management: A New Phase of Cost Control,” in which Russell Gallagher called for a “workable program for ‘risk management’…putting it under one executive, who in a large company might be a full-time ‘risk manager.’” The article proposed that, in the face of increasingly expensive insurance premiums, the “postwar battle for tighter cost controls” required a “concerted method of attack” on the management of risks and hazards—namely, the appointment of a professional insurance manager. So began the saga of the chief risk officer in the world of insurance. Indeed, until recently, most nonfinancial firms considered buying insurance to be the core task of the risk-management function (Butterworth 2001).

The seeds of a more strategic role for the chief risk officer were sown in the 1970s. The publication of the Black-Scholes options pricing model in 1973 triggered the staggering rise of derivatives markets (Buehler, Freeman, and Hulme 2008) by enabling more effective pricing and mitigation of risk. Over the next three decades, the world of risk management in the financial services sector changed profoundly as banks and securities houses created a “gigantic clearinghouse for packaging, trading and transferring risks” (Buehler, Freeman, and Hulme 2008). Financial firms both created and took advantage of many important innovations to contain financial risks; the arsenal of risk management was no longer limited to insurance policies. Increasing financial sophistication resulted in two new risk-management strategies: (1) portfolio diversification, and (2) hedging. Energy companies, food producers, and other firms followed suit in widening their risk-management toolkits as markets opened for the trading of various industry-specific risks. However, as Merton observed, top executives in most industries persistently regarded the application of derivatives and other risk-management tools as essentially tactical and therefore delegated the management of financial risk to a host of in-house financial experts such as insurance managers and corporate treasurers (Merton 2005). The dangers of delegation and the resultant “silo” approach have been ruthlessly exposed by a number of corporate scandals over the last two decades and during the credit crisis of 2007–2008, as it became clear that many firms had taken large risks without an appropriate understanding of the long-term, firm-wide consequences, which, by 2009, had spread far beyond their organizations onto millions of stunned stakeholders and innocent bystanders.

The creation of the CRO role with a dedicated risk-management unit occurred intermittently at first; some of the earliest attempts took place in large financial services firms, often as a reaction to excessive investment losses. In 1987, Merrill Lynch, having suffered large losses on mortgage-backed securities in March of that year, appointed Mark Lawrence, a senior executive, to establish a dedicated risk-management unit. But because there was, as yet, no pressure to institutionalize this new organizational function, the role of CRO lacked credibility (Wood 2002) and the unit gradually lost power (Power 2005). GE Capital's risk-management unit was an exception. James Lam, appointed chief risk officer in 1993, became the first to hold the role of integrated risk oversight with that title (Lam 2003). His unit, designed as an integral part of GE's finance function, displayed a “rigorous process approach,” allocating risk-based approval authority down the business lines, applying data-driven analytics to identify and monitor risk, and strictly enforcing risk limits.2 In the early 2000s, Deutsche Bank created the position of CRO (Hugo Banziger) with the mandate to make the risk and profit implications of business-line decisions transparent. By then, the concept of a risk-management head had evolved from a defensive administrative “cop” to—at least in aspiration—a business partner and advisor in risk taking (Power 2005, 134). This shifted the risk-management model (and the CRO) out of the back office and into the front line with a more strategic role. As the new risk-based capital adequacy reform (Basel II) gathered momentum, calls for assembling risk-management practices under the umbrella of a dedicated risk organization and under the oversight of a high-level executive intensified.

The rise of the CRO was not confined to the financial sector: Sulzer Medica appointed a CRO in 2001, following legal losses, and Delta Airlines employed a CRO in 2002 in response to the heightened concern for risks in the airline industry following the 9/11 terrorist attacks (Power 2005).

Nevertheless, it was the increasing codification of enterprise risk management into various risk-management standards that accelerated the appointment of senior risk officers with an enterprise-wide risk oversight. Multidisciplinary task forces in Australia and New Zealand published the first Risk Management Standard in 1995 (revised in 1999 and 2004) and other standard-setters followed suit (Federation of European Risk Management Associations 2002; Committee on Sponsoring Organizations [COSO] 2003), successfully spreading the notion that enterprise risk management was good management. Several companies aspiring to be best-practice organizations adopted enterprise risk management and appointed chief risk officers to oversee its implementation (Aabo, Fraser, and Simkins 2005). McKinsey's 2008 survey found that 10 percent of nonfinancial firms had CROs, up from 4 percent in 2002 (Winokur 2009).

In tandem with the rise of the chief risk officer and the dedicated risk-management function, the internal auditing profession also staked a claim on the risk-management domain (Kloman 2003). The Institute of Internal Auditors, an international professional association of certified internal auditors, included risk management as part of the audit profession's competencies and stimulated the development of control risk self-assessment as the bedrock of enterprise risk management. Furthermore, external auditors had reinvented the financial audit to be more perceptive of the client's business risk and associated risks, offering business-risk assessments simultaneously as an audit-planning tool and as an advisory mechanism. Overall, the shape of a risk-management services industry had become visible, with risk professionals, internal auditors, and external auditors competing to design and service the internal risk-management space of corporations (Power 2000).

Not surprisingly, CROs come from many walks of life, including internal audit, external audit, financial management, business management, and consulting. Industry surveys (PricewaterhouseCoopers 2007; Deloitte 2007; IBM 2005) show that CROs fulfill a variety of roles that nevertheless fall into two categories: (1) a compliance and control function on one hand, and (2) a more strategic “business partner” role on the other hand. Much of the industry debate prior to the subprime-credit crisis focused on how CROs ought to balance their compliance champion role with that of an active participant in business decision making. The credit crisis directed attention to a series of risk-management failures (Stulz 2009), particularly the gaps in financial institutions' internal risk-assessment practices. Indeed, there is wide variation in the usefulness and reliability of the risk models used by various financial institutions (Tett 2008). My recent research indicates that firms' risk-modeling initiatives vary in style and quantitative sophistication and that senior risk officers exercise a large degree of discretion in determining the use and mix of quantitative and qualitative risk-management tools (Mikes 2005, 2007). This finding highlights the role of the CRO as a modeling expert who deploys a certain degree of quantitative enthusiasm or quantitative skepticism in the management of different risk categories (Mikes 2008b). Further, different CROs interpret their “business partner” roles differently. In a study of 15 chief risk officers, I found that some CROs strive to grasp the key strategic uncertainties affecting their organizations (whether measurable or not) and proactively help top management anticipate emerging strategic risks; these CROs play the role of strategic advisor. 
Other CROs confine their attention to the measurable risk universe and the production of “catch-all” metrics for aggregate risk taking and risk-adjusted performance; they enact the role of the strategic controller.

In sum, the role of the chief risk officer is not only multifaceted but also varies according to the industry, the emphasis the risk function places on compliance with regulatory and risk-management standards, and the extent and sophistication of the firm's risk modeling. The next four sections turn in detail to the four major CRO roles, namely (1) compliance champion, (2) modeling expert, (3) strategic controller, and (4) strategic advisor.

THE CRO AS COMPLIANCE CHAMPION

The role of compliance champion entails advocating and policing compliance with pressing stakeholder requirements and keeping up with new regulations and standards affecting the design and roles of the risk-management function. Many CROs initiate a “risk policy framework”—a determination of what risks need to be addressed and by whom—on which the board and a senior executive then sign off.

The risk policy framework fulfills several roles:

First, it sets the boundaries of acceptable risk taking by ensuring that the appropriate standards and controls are in place. As one senior risk officer put it, the framework tells the business lines “the rules of engagement, making sure that the do's and the don'ts are sufficiently clear.”3 It is now widely recognized in risk-management circles that “both Barings's and Société Générale's losses were created by employees not following the processes.”4 Research on so-called man-made disasters has long established that complex organizations (in any industry) generate “normal accidents” (Perrow 1984) and routine errors that are suited to—and, indeed, called for—the creation of a specialist CRO role (Power 2004, 141). In such settings, CROs are pressure points in the border territory between risk controlling and risk taking; “the risk officer is not necessarily responsible for each risk type, but is responsible to ensure each risk-type owner has set appropriate standards.”5 Although the CRO supports and enhances the management of risk, detailed risk management remains the responsibility of line management.

Second, the risk policy framework advocates a shared understanding of the spectrum of risks the organization cares about; naturally, this spectrum changes over time. Some chief risk officers consider the creation of this shared understanding to be the key benefit of their work because it reinforces the company's shared understanding of its strategic priorities. Hydro One's former chief risk officer, John Fraser, is a case in point. He maintains that enterprise risk management starts with top management agreeing about strategic objectives; then they develop a shared understanding of the principal risks (Mikes 2008a). Fraser acknowledges that his role was “not to give the answers” to the problems of the business but to facilitate the emergence of a shared understanding among managers. He achieved this in interactive risk workshops:

Enterprise risk management is a contact sport. Success comes from making contact with people. Magic occurs in risk workshops. People enjoy them. Some say, “I have always worried about this topic, and now I am less worried, because I see that someone else is dealing with it, or I have learned it is a low probability event.” Other people said, “I could put forward my point and get people to agree that it is something we should be spending more time on, because it is a high risk.”6

Third, the risk policy framework gives chief risk officers a plan, a language, and the authority with which to oversee the development of risk-measurement and monitoring tools for each risk type. At a basic level, every risk function operates a host of templates with which to collect risk information, establish risk-assessment guidelines, and construct risk models that collect loss and other risk-related data to track the firm's evolving risk profile. But there is a plethora of tools and practices for measuring and communicating risk and wide variation in their application even within a particular industry.

THE CRO AS MODELING EXPERT

In general, chief risk officers play a powerful role in selecting the people, processes, and systems that will define the scope of risk measurement and control in their organizations. The infrastructure of most modern risk-management functions contains a wide variety of risk models, processes, and information systems, the design of which requires the CRO to play the role of the modeling expert.

Deutsche Bank's CRO, Hugo Banziger, recalled his early experiences with system-building:

I…had to build an entirely new organization from scratch. We designed a dedicated credit process; hired and trained credit staff, as there were no credit people with derivatives know-how in the market; built credit-risk engines with the help of traders; and created our own Potential Future Exposure model, using Monte Carlo simulations and stress-testing portfolios. After that, we had to build a credit system that could integrate all these functions and aggregate our derivative counterparty exposure globally. These were six very challenging years.7

Banziger is one of several chief risk officers who emphasize risk aggregation as well as risk measurement. As they see it, the creation of an aggregate view of quantified risks is the key benefit of implementing firm-wide risk models. Aggregating risk exposures had been a challenge to risk practitioners for a long time, largely due to the variety of risk measures applied to the different risk types and insufficient knowledge of the correlations between risk exposures, the diversification benefits, and the concentration penalties. The recent development of economic capital as a common-denominator measure for market, credit, and operational risks enables firms to aggregate their quantifiable risks into a total risk estimate.8 Indeed, Wood (2002) argues that the key role of the CRO is to fine-tune the calculation of economic capital for organizational-control purposes. Accordingly, recent works in the risk-management literature advocate risk-based internal capital allocations (measured by economic capital) for performance measurement and control. The ideal of introducing risk-based performance measurement in banks has emerged in tandem with developments in risk quantification and, importantly, risk aggregation.

Risk aggregation requires a high degree of modeling expertise on the part of the risk-management function; it entails the extension of risk analytics to uncertainties with explicable (but not yet known) properties and the adjustment of the measurement approaches as further data become available.

In a recent study, however, CROs voiced divergent opinions on the benefits and limitations of the available menu of risk-modeling initiatives (Mikes 2008b, 2009).

One group of CROs took a skeptical view, emphasizing that risk models were useful tools for managing a narrow set of risks, such as those that lend themselves to conventional statistical analysis (e.g., credit-card risks in a given geography and consumer segment). Due to the homogeneity of such risk profiles and the large number of data points, decisions in such areas could be automated. But these CROs felt that, in less homogeneous business segments, such as lending to both small enterprises and large corporations, risk models were intrinsically less reliable (quantitative skepticism) and the judgment of veteran experts was essential. They did not consider risk modeling accurate enough to produce an objective picture of the underlying risk profiles, only to indicate the underlying trends.

Another group of CROs, however, were committed to extensive risk modeling and fostered a culture in which risk models were regarded as robust and relevant tools in decision making (quantitative enthusiasm), particularly in strategic planning and performance management. In these banks, risk experts gradually expanded the modeling infrastructure to uncover the natures and distributions of hitherto unknown uncertainties (including such risks as lending to small and medium-size enterprises), classifying and measuring these as part of the economic-capital framework. They quantified many operational risks as well, in order to make the aggregate risk profile more comprehensive. These additional risk assessments, once aggregated into the total risk profile, influenced the calculation of economic capital for control purposes. However, linking these risk calculations to planning and performance measurement was not automatic. Several senior risk officers were aware that simply wielding aggregate risk numbers would not convince business lines to change the way they did business. As one senior risk officer explained: “There is still an argument that the methodology and data underlying the quantification measurements themselves are not sufficiently reliable. … An aggregate view has to evolve. We have to be more confident in the quality of it. I wouldn't like to run the business on the aggregate view as we see it today.”9

THE CRO AS STRATEGIC CONTROLLER

The evolution of the aggregate view has paved the way for the role of the CRO as strategic controller. This role assumes that the risk function, having built firm-wide risk models, enables the company to operate a formal risk-adjusted performance management system. Chief risk officers in this category preside over the close integration of risk and performance measurement and ensure that risk-adjusted metrics are deemed reliable and are relied on. They advise top management on the absolute and relative risk-return performance of various businesses and influence how capital and investments are committed.

A senior risk officer who fulfilled this role described the risk-adjusted planning process as follows: “We obviously get involved with risk appetite. The businesses put forward their proposals, having linked in with [the group risk-management department]. They generate appropriate figures upon which we make the choices about where to bet the bank. The calculations are done by the businesses initially. They work it through with the risk department.”10

Another CRO emphasized the importance of risk-adjusted performance measurement as a way of making business managers accountable for risk taking: “If we align the incentives correctly, then I don't have a job. The aim is getting the business units accountable for risk and the risk correctly charged and visible.”11

The strategic controller role requires a legitimate risk-modeling capability, which is foundational to risk-based performance management. However, the construction of risk-adjusted performance measurement is inherently political. Risk-adjusted performance measures do not work by themselves; they have to be made to work. The CRO needs to be aware that a new, risk-adjusted view of performance will inherently affect resource and reward allocations; internal jurisdictions may therefore resist it.

For both political and theoretical reasons, CROs must also be modest in their claims of “objectivity.” There can be no genuine objectivity in the measurement or management of that which has not yet happened and may never happen; other parts of the organization will easily recognize this as the soft underbelly of the risk-management function. Field studies on CROs in action show that, time and again, distrust of risk numbers and critique from other organizational groups require the CRO and the risk-management function to reconstitute and revise risk-adjusted performance metrics. Such objectivity as these calculations can achieve may well be the result of an organizational consensus, emerging from the process of challenge and revision. On the other hand, it has been shown that, in the face of challenge and critique from well-established organizational control groups, chief risk officers' “dreams of measurement” for control purposes may turn out to be just that (Mikes 2005, 2009; Power 2004).

THE CRO AS STRATEGIC ADVISOR

In the role of strategic advisor, senior risk officers command board-level visibility and influence, predominantly as a result of their grasp of emerging risks and nonquantifiable strategic and operational uncertainties. They bring judgment into high-level risk decisions, challenge the assumptions underlying business plans, and use traditional risk controls and lending constraints to alter the risk profiles of particular businesses.

Many senior risk officers aspiring to this role do not regard risk modeling as sufficiently accurate to produce an objective picture of the underlying risk profiles; they rely on risk calculations mainly to indicate underlying trends (quantitative skepticism). They are therefore reluctant to link risk measurements to planning and performance management, leaving these control practices to their traditional realm, the finance function. Instead, they seek to mobilize their own experience with other expert views from the organization to help decision makers understand emerging risks, the nature of which is not explicable by modeling. As one such senior risk officer explained: “The key decisions you make are not based on what you put in the model and what gets spat out. … The way I think of it: Risk is chemistry, it's not particle physics. You cannot separate the risks.”12

Key to the strategic advisor role is the CRO's ability to create processes that channel risk information to key decision makers and thus prevent “risk incubation.” While acknowledging that this role is new to them, several CROs are now championing practices of risk anticipation such as risk-based scenario planning and devil's-advocate systems. Looking beyond the risk silos and “taking a 30,000-foot view of the world,”13 these CROs conduct forecasts and assessments in order to find vulnerabilities and problem areas and alert the executive and supervisory boards. Risk anticipation often surfaces multiple and conflicting views. As one senior risk officer explained with a hint of self-mockery, the role of the senior risk manager is like that of the “medieval licensed jester, allowed to be more skeptical about what is going on, constantly challenging existing assumptions and views, and scrutinizing strategic decisions before they are made. The difficulty is to challenge without causing offence” (Mikes 2009).

This role requires the senior risk officer to build a track record and credibility; as Hydro One's former CRO, John Fraser, put it, “You have to earn your spurs.”14 Some senior risk officers in banks who came through the ranks of line management believe they are better positioned to play the role of the strategic advisor than their risk-specialist peers. Having earned the trust and respect of line management, they can negotiate the conditions of good business by understanding both viewpoints, that of the target-focused business originator and that of the risk-conscious controller. As one senior risk officer explained:

You need to know the business generators well enough to know…that their own stance and emotion and the fervor for a deal will impair their judgment. Most people, most very successful deal-doers, will always push the envelope. The issue is to understand how they operate within their values. So not only do you understand where they're likely to over-egg it because the rewards are there, but also you know how to approach them when you want to slow them down. One, they have to trust you. And two, they have to respect your judgment. But you don't achieve that overnight. You generally get it by being encouraging of what you believe is good business.15

The development of the strategic advisor role is partially driven by governance demands for organizational resilience and the management of extreme events, such as fundamental surprises, sudden losses of meaning (sudden events that make no sense to the people involved), and events that are inconceivable, hidden, or incomprehensible (Weick 1993). The specter of “black swan events” (Taleb 2007) raises fundamental questions about the role of risk management and that of the CRO: Should low-probability events be understood under the rubric of risk modeling or rather as fundamental surprise (Power 2007)? The shift in focus from probabilities and statistical loss distributions to facilitating organizational resilience and sense-making under stress marks the difference between the role of the CRO as strategic controller and that of the CRO as strategic advisor.

WHICH CRO ROLE TO PLAY?

The compliance role tends to be well-defined by the environment; within an industry, there is not much room for variation in that role. The modeling role, however, presents risk functions with a practical choice of processes and models and a philosophical choice of where to draw the line between what can be reliably measured and modeled and what must be placed in the hands of qualitative judgment. It is this line that divides (although never absolutely) the role of strategic controller from the role of strategic advisor (see Exhibit 8.1 for a summary of the strategic CRO roles).

Both assume a high degree of path dependency; the requisite resources and capabilities can only be obtained over time (recall Deutsche Bank's six-year effort). The strategic advisory role requires an intimate knowledge of the business and what can go wrong—experience that risk officers can only gain by having lived through many organizational successes, losses, and crises. The strategic controller role, on the other hand, calls for building a sophisticated risk-modeling capability, which is foundational to risk-based performance management. But risk-adjusted performance measures do not work by themselves—they must be made to work. To make risk numbers count in planning and performance management requires leadership, political flair, communication, and well-chosen allies—all of which can only be developed over time.

Exhibit 8.1 Summary of the Business-Partner Roles of the CRO

Source: Mikes (2008b).

| | Strategic Controller | Strategic Advisor |
|---|---|---|
| Modeling capabilities | | |
| Primary objective of risk modeling | Measuring the aggregate risk profile of products and business lines | Anticipating changes in the risk environment |
| The role of judgment in risk modeling | Model design contains the modeler's judgment of complex relationships between variables | Model design is deliberately simple. Managerial judgment is exercised to adjust model implications to reflect additional complexities |
| Strategic capabilities | | |
| Span of risk control | Quantifiable risks | Quantifiable and nonquantifiable risks |
| The essence of the business partner role | The integration of risk management with planning and performance management | The risk function's ability to influence discretionary strategic decisions and to articulate to line managers the long-term risk-implications of their decisions |
| | The CRO as the advocate of risk-adjusted performance | The CRO as a seasoned business executive and “devil's advocate” |
| Modeling attitudes | | |
| Calculative culture | Quantitative enthusiasm: Risk numbers are deemed representative of the underlying economic reality | Quantitative skepticism: Risk numbers are taken as trend indicators |
| | Emphasis on the “robust” and “hard” nature of modeling | Emphasis on learning about the underlying risk profile from the trend signals |
| | Risk-adjusted performance measures are recognized | Risk-adjusted performance measures are discussed, but are open to challenge |

It is possible that some CROs may develop the strategic advisor and the strategic controller roles successively if they can negotiate the path dependencies involved. Once models are tasked with accounting for risk-adjusted performance, the room for managerial judgment shrinks, as that judgment is built into the model design up front. Quantitative skeptics are presently reluctant to delegate their understanding of risk-adjusted performance to models. However, some of them recognize that, over time, much of their judgment may be fed into the model design and that careful organizational positioning and packaging will eventually make risk-adjusted performance metrics legitimate and acceptable for control purposes.

Although quantitative enthusiasts maintain that models are capable of accommodating complex relationships between numerous variables, these risk officers also face important judgment calls; they must anticipate when even the most advanced of risk models will cease to be accurate as a result of major shifts in the environment. Given that most risk models in use at the time of this study had been developed in an unusually favorable credit environment (1998–2007), modeling experts whose career trajectory spans several “prolonged stress events” are hard to come by.

CONCLUSION

Chief risk officers, no matter what type of calculative culture they foster, are balancing at least two conflicting objectives: (1) to produce an aggregate view of risks, and (2) to retain case-by-case business knowledge and model familiarity with which to inform expert judgment. Striking the right balance remains a challenge for all CROs and their choice must be congruent with their organizations' decision making, risk taking, and modeling cultures.

With a new regulatory era and a severe and protracted financial crisis upon us, senior risk officers are under pressure to demonstrate how they are realizing the risk-oversight potential of their function. No professional realm can operate indefinitely if it clashes with the requirements of stakeholders (Gardner, Csikszentmihalyi, and Damon 2001). As a professional group, chief risk officers need to accommodate the demands of a wide diversity of stakeholders—including regulators, corporate executives, shareholders, debt holders, and the general public—which in turn requires that the risk function have a clear, well-defined position in the organizational governance process. Senior risk officers increasingly consider the CEO and the board to be their primary customers. However, many risk functions have been caught by the credit crisis in a work-in-progress compliance-champion mode, while others have been in transition toward their particular understanding of the business-partner role. The ideas and practices of risk management, unlike those of long-established professions, have not yet been codified into a unified domain, leaving chief risk officers with a fuzzy role in corporate governance.

But lack of codification is an opportunity for definition. This fuzziness is a historic opportunity for the profession to improve business decision making by defining and amalgamating the strengths of the compliance-champion, modeling expert, strategic-advisor, and strategic-controller roles and by incorporating both good risk analytics and expert judgment. Yet the ultimate test remains the ability of risk managers to influence risk-taking behavior in the business lines. As one CRO participant, quoted at the outset of this chapter, remarked: “One of the greatest contributions of risk managers—arguably the single greatest—is just carrying a torch around and providing transparency.”16 The art of successful risk management is in getting the executive team to see the light and value the lamp bearer.

ACKNOWLEDGMENTS

I am grateful to Robert Kaplan, John Fraser, and Betty Simkins for their comments on earlier drafts of this chapter. I am also indebted to Roxanna Myhrum, David Newman, and John Elder for their enthusiasm, perceptive questions, and thorough editing work.

REFERENCES

  1. Aabo, T., J.R.S. Fraser, and B.J. Simkins. 2005. “The Rise and Evolution of the Chief Risk Officer: Enterprise Risk Management at Hydro One.” Journal of Applied Corporate Finance 17: 62–75.
  2. American Banker. 2008. “Risk Chiefs: ‘As the Bar Raises, So Does Demand.’” January 31.
  3. Bank for International Settlements (BIS) Joint Forum. 2003. “Trends in Risk Integration and Aggregation.” August 8. www.bis.org/publ/joint07.htm, accessed May 13, 2004.
  4. Buehler, K., A. Freeman, and R. Hulme. 2008. “The New Arsenal of Risk Management.” Harvard Business Review (September).
  5. Butterworth, M. 2001. “The Emerging Role of the Risk Manager.” In Mastering Risk, vol. 1: Concepts, edited by J. Pickford. London, UK: Financial Times-Prentice Hall.
  6. Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2003. Enterprise Risk Management Framework. New York: AICPA.
  7. Crouhy, M., D. Galai, and R. Mark. 2000. Risk Management. New York: McGraw-Hill.
  8. Deloitte. 2007. “Global Risk Management Survey: Accelerating Risk Management Practices,” 5th ed. www.deloitte.com/dtt/research/0,1015,cid%253D151389,00.html.
  9. Drzik, J., P. Nakada, and T. Schuermann. 2004. “Risk Capital Measurement in Financial Institutions–Part One.” May 14. https://cms.rmau.org/uploadedFiles/Credit_Risk/Library/RMA_Journal/Capital_Management/Risk,%20Capital,%20and%20Value%20Measurement%20in%20Financial%20Institution_%20Part%20I_.pdf
  10. Economist Intelligence Unit. 2005. “Global Risk Briefing.”
  11. Federation of European Risk Management Associations (FERMA). 2002. “A Risk Management Standard.” Brussels.
  12. Gallagher, R.B. 1956. “Risk Management: New Phase of Cost Control.” Harvard Business Review 34 (5): 75–86.
  13. Gardner, H., M. Csikszentmihalyi, and W. Damon. 2001. Good Work: When Excellence and Ethics Meet. New York: Basic Books.
  14. Garside, T., and P. Nakada. 1999. “Enhancing Risk Measurement Capabilities.” https://www.ingentaconnect.com/content/mcb/265/2000/00000008/00000003/art00002, accessed November 30, 2020. Previously published in Balance Sheet 8 (3): 12–17.
  15. Hayes, N. 2002. “People, Processes, Systems: Deutsche Bank's Hugo Banziger Knows It Takes All Three.” RMA Journal, December 2002. http://findarticles.com/p/articles/mi_m0ITW/is_4_85/ai_n14897213/pg_2?tag=artBody;col1.
  16. IBM Business Consulting Services. 2005. “The Clairvoyant CRO.” www.ibm.com/industries/financialservices/doc/content/bin/fss_clairvoyant_cro.pdf.
  17. Knight, Frank H. 1921. Risk, Uncertainty, and Profit. Mineola, NY: Dover Publications.
  18. Kloman, H.F. 2003. “Enterprise Risk Management: Past, Present and Future.” Reprinted in H.F. Kloman, Mumpsimus Revisited: Essays on Risk Management. Lyme, CT: Seawrack Press.
  19. Lam, J. 2003. Enterprise Risk Management: From Incentives to Controls. Hoboken, NJ: John Wiley & Sons.
  20. Liebenberg, A.P., and R.E. Hoyt. 2003. “The Determinants of Enterprise Risk Management: Evidence from the Appointment of Chief Risk Officers.” Risk Management and Insurance Review, 37–52.
  21. Lore, M., and L. Borodovsky. 2000. The Professional's Handbook of Financial Risk Management. New York: Butterworth-Heinemann Finance.
  22. Marrison, C. 2002. The Fundamentals of Risk Measurement. New York: McGraw-Hill.
  23. Marshall, C. 2001. Measuring and Managing Operational Risks in Financial Institutions: Tools, Techniques and Other Resources. New York: John Wiley & Sons.
  24. Merton, R.C. 2005. “You Have More Capital Than You Think.” Harvard Business Review, November.
  25. Mikes, A. 2005. “Enterprise Risk Management in Action.” PhD Thesis, London School of Economics.
  26. Mikes, A. 2007. “Convictions, Conventions and the Operational Risk Maze—The Cases of Three Financial Services Institutions.” International Journal of Risk Assessment and Management 7 (8): 1027–1056.
  27. Mikes, A. 2008a. “Enterprise Risk Management at Hydro One.” Harvard Business School Case 109-001.
  28. Mikes, A. 2008b. “Chief Risk Officers at Crunch Time: Compliance Champions or Business Partners?” Journal of Risk Management in Financial Institutions 2 (1, November–December): 7–24.
  29. Mikes, A. 2009. “Risk Management and Calculative Cultures.” Management Accounting Research 20: 18–40.
  30. Mikes, A., and Townsend, D. 2007. “Beyond Compliance: The Maturation of CROs and Other Senior Risk Executives.” GARP Risk Review 39 (November–December): 12–18.
  31. Perrow, C. 1984. Normal Accidents: Living with High Risk Technologies. New York: Basic Books.
  32. Power, M.K. 2000. The Audit Implosion: Regulating Risk from the Inside. London: The Institute of Chartered Accountants in England and Wales.
  33. Power, M.K. 2003. “The Invention of Operational Risk.” London: London School of Economics and Political Science, ESRC Centre for the Analysis of Risk and Regulation, Discussion Paper no. 16.
  34. Power, M.K. 2004. “Counting, Control and Calculation: Reflections on Measuring and Management.” Human Relations, 765–783.
  35. Power, M.K. 2005. “Organizational Responses to Risk: The Rise of the Chief Risk Officer.” In Organizational Encounters with Risk, edited by B. Hutter and M.K. Power. Cambridge, UK: Cambridge University Press.
  36. Power, M.K. 2007. Organized Uncertainty—Designing a World of Risk Management. Oxford, UK: Oxford University Press.
  37. PricewaterhouseCoopers. 2007. “Creating Value: Effective Risk Management in Financial Services.” Executive summary. March.
  38. Risk Management. 2007. “A View from the Top.” September. www.allbusiness.com/company-activities-management/management-risk/8911274-1.html, accessed October 2008.
  39. Senior Supervisors Group. 2008. “Observations on Risk Management Practices during the Recent Market Turbulence.”
  40. Standard & Poor's. 2008. “Enterprise Risk Management: Standard & Poor's to Apply Enterprise Risk Analysis to Corporate Ratings.” Ratings Direct, May.
  41. Stulz, R. 2009. “Six Ways Companies Mismanage Risk.” Harvard Business Review, March.
  42. Taleb, N.N. 2007. The Black Swan. London, UK: Penguin.
  43. Tett, G. 2008. “Cinderella Role Moves to the Centre of Attention.” Financial Times, April 28.
  44. Treasury Committee (of the United Kingdom Parliament House of Commons). 2007a. Minutes of Evidence Taken before Treasury Committee, Tuesday, December 4, 2007 (Uncorrected transcript of Oral Evidence given by Mr. E. Gerald Corrigan, Managing Director and Co-Chair of the Firmwide Risk Management Committee, Goldman Sachs; Lord Charles Aldington, Chairman, Deutsche Bank; Mr. Jeremy Palmer, Chairman and CEO, Europe, Middle East and Africa, UBS; and Mr. William Mills, Chairman and Chief Executive of City Markets and Banking, Europe, Middle East and Africa, Citigroup). www.publications.parliament.uk/pa/cm/cmtreasy.htm, accessed January 10, 2008.
  45. Treasury Committee (of the United Kingdom Parliament House of Commons). 2007b. Minutes of Evidence Taken before Treasury Committee, Tuesday, October 16, 2007 (Corrected transcript of Oral Evidence given by Dr. Matt Ridley, Chairman, Mr. Adam Applegarth, Chief Executive, Sir Ian Gibson, Senior Non-Executive Director, and Sir Derek Wanless, Non-Executive Director, Northern Rock). www.publications.parliament.uk/pa/cm200607/cmselect/cmtreasy/cmtreasy.htm, accessed January 10, 2008.
  46. Wall Street Journal. 2007. “Bookstaber Asks: Where Were the Risk Managers?” October 16. http://blogs.wsj.com/economics/2007/10/16/bookstaber-asks-where-were-the-risk-managers/.
  47. Weick, K. 1993. “The Collapse of Sensemaking in Organizations: The Mann Gulch Disaster.” Administrative Science Quarterly 38: 628–652.
  48. Winokur, L.A. 2009. “The Rise of the Risk Executive.” Risk Professional (February): 10–17.
  49. Wood, D. 2002. “From Cop to CRO.” Erisk.com (March).

ABOUT THE AUTHOR

Anette Mikes is Associate Professor of Accounting at the Said Business School and a Fellow at Hertford College. She was the 2017 laureate of the prestigious ACA Prize of the University of St.-Gallen for her contributions to the field of risk management and financial governance. Formerly at Harvard Business School, she launched (with professors Robert Kaplan and Dutch Leonard) the Harvard executive education program “Risk Management for Corporate Leaders.” Her work on the evolution, variation, consequences, and contextual determinants of risk management has appeared in Management Accounting Research; Accounting, Organizations and Society; the Journal of Applied Corporate Finance; and in the Harvard Business Review. Her research documentary on a man-made disaster (“The Kursk Submarine Rescue Mission”) won the Most Outstanding Short Film Award at the Global Risk Forum in Davos in August 2014. The latter project signifies her continuing interest in man-made disasters, and her current research project (“Values at Risk: Management Accounting in the Age of Corporate Purpose”) focuses on the interface between risk management, business ethics, and management control.

NOTES

  1. “Risk Chiefs: ‘As the Bar Rises, So Does Demand,’” American Banker (January 31, 2008), 48.
  2. Author's interview on September 9, 2008. The identity of the interviewee is disguised for confidentiality reasons.
  3. Author's interview on August 31, 2008. The identity of the interviewee is disguised for confidentiality reasons.
  4. Private communication to the author, received October 16, 2008. The identity of the source is disguised for confidentiality reasons.
  5. Private communication to the author, received November 11, 2008. The identity of the source is disguised for confidentiality reasons.
  6. A. Mikes, “Enterprise Risk Management at Hydro One,” Harvard Business School Case No. 109-001, July 2008.
  7. N. Hayes, “People, Processes, Systems: Deutsche Bank's Hugo Banziger Knows It Takes All Three,” RMA Journal (December 2002). Available at http://findarticles.com/p/articles/mi_m0ITW/is_4_85/ai_n14897213/pg_2?tag=artBody;col1.
  8. Economic capital is a statistically estimated amount of capital that could cover all liabilities in a worst-case scenario, be it an unexpected market, credit, or operational loss. For risk practitioners and regulators, the conceptual appeal of economic-capital methods is that “they can provide a single metric along which all types of risks can be measured” (Bank for International Settlements, 2003, 6).
  9. Author's interview on March 3, 2008. The identity of the interviewee is disguised for confidentiality reasons.
  10. Mikes (2005, 170).
  11. Author's interview on November 17, 2006. The identity of the interviewee is disguised for confidentiality reasons.
  12. Author's interview on August 17, 2006. The identity of the interviewee is disguised for confidentiality reasons.
  13. Mikes (2005, 205).
  14. Vanessa Mariga, “Moving into the C-Suite,” Canadian Underwriter (March 2008), 10–16.
  15. Author's interview on November 22, 2007. The identity of the interviewee is disguised for confidentiality reasons.
  16. Author's interview on November 17, 2006. The identity of the interviewee is disguised for confidentiality reasons.