Carsten Hoffmann, a director at Towers Watson, explains why tomorrow's chief risk officers must be more engaged with the actual business and prove their worth as strategic advisers, rather than just worrying about risk frameworks and regulatory compliance.
Chief risk officers (CROs) may be suffering an image problem. They have had a tough assignment over recent years, building out frameworks for managing enterprise risk and preparing often reluctant insurers for Solvency II.
Where has that landed them? They may hold a senior position within a company but as the leader of the second line of defence, they might still be regarded as the person who says 'no' to ideas. Some consider the CRO as the interface with the regulator, and so she or he becomes viewed as an in-house supervisor. This makes it hard for a CRO to be a constructive force. Even if regulators likely support this view, CROs should stand firm on being a company representative.
Treating CROs in this way is not a good recipe for job satisfaction, nor is it good for business. To reduce the turnover of staff and create a more sustainable future, organisations need to recognise that CROs have much more to bring to the table.
Foremost is the ability of CROs to contribute to strategy. In the classic set-up, the CRO plays a reactive role. He or she typically gives feedback on strategies that have been devised by others within the organisation; their job is to prevent excessive risk-taking and ensure that the insurer has adequate capital.
In this regard, the CRO is a useful counterpart for the business, but there may be little opportunity for a constructive feedback loop to develop. The CRO ends up either accepting or rejecting ideas, with no chance to have a bigger influence.
Some say the CRO can become a 'risk-focused CEO', an individual who considers the same strategic issues as the CEO but provides risk perspective and analysis. For example, when considering whether to enter a new line of business, the CEO might focus on the potential for value creation, an increase in revenue, or brand awareness. The CRO's responsibility would be to evaluate the risks and exposures that this new business would give rise to, and how these might be managed or mitigated.
Could the CRO be more proactive, giving input right at the start of the strategy process? More than others within an organisation, the CRO has a view of the risk and capital positions and is able to give unique input on whether the current strategy is successful. Because CROs understand the risk landscape well, they are able to contribute thoughts on how trends are evolving, and where opportunities and hazards lie.
In this mode, the CRO can help structure the discussion and behave as a critical friend, challenging ideas not to hinder but to help come up with the best solution.
There will be difficulties to overcome. If the CRO is the second line of defence, then they must maintain independence from the first line. This is a big barrier to creating value, but the solution is to develop an effective partnership between the first and second line, such that risk management becomes part of the normal activity of the first line.
The CRO's relationship with the CEO and CFO is a crucial factor for success. If they and the others in the C-suite do not consider the CRO an equal and do not support the evolution of the role, then the game is lost.
CROs must also take responsibility to train themselves in the 'softer' skills needed for their new status. They will rely less on their technical knowledge of how models work, but they will need to display more business acumen and leadership. Increasingly, we see CROs being appointed from commercial roles, but there should be nothing to stop a risk manager moving in the opposite direction, too. This kind of rotation helps add credibility to the CRO.
In summary, the regulatory agenda has pushed the CRO to the fore, but the role must be a fluid one, developing in line with the sophistication of each business. In the beginning, CROs will rightly focus on developing an ERM framework and then move on to embedding it. Once those elements are in place, the final step is for CROs to become a true strategic partner.
Carsten Hoffmann is a director at Towers Watson.