The recent financial crisis has brought new focus, from
financial institutions and their regulators, on the ways in which
financial institutions, including insurance companies in Canada and
abroad, manage the risks they face. Everyone is acutely aware of
the need to better understand the risks they face, and to minimize
those risks. This has in turn heightened the prominence of, and
regulatory focus on, the relatively new role of the "Chief
Risk Officer", or CRO, as a key member of the senior executive
team of many financial institutions. Julie Dickson, Canada's
Superintendent of Financial Institutions, has recently made
numerous public comments on the critical role of the CRO, and her
office now holds annual risk management seminars with CROs from the
various types of regulated institutions. Speaking to CROs at one
such recent session, she noted, "As CROs you have an
incredibly important role to play, and a difficult role." The
increased attention on CROs, in her words:
"... reflects a key learning from the global financial turmoil: there is a real need for regulators and financial institutions to focus on both the role of the CRO, and solid risk management practices."1
In that context, this article provides a brief history of the CRO role, a summary of the current state of the position and a survey of possible trends relating to the role, including likely future challenges and pressures.
Development of the CRO position
The creation of the CRO position is widely credited to James
Lam, who, in the mid-1990s, assumed the title of CRO at GE Capital
and implemented a system of risk management widely known today as
enterprise risk management, or "ERM".2 In
simple terms, ERM is a risk management system that analyzes and
addresses risk on a firm-, or enterprise-, wide basis. ERM has
grown over time into a vast industry fed by a voluminous amount of
business and scholarly research and writing (all of which is beyond
the scope of this article). Although the position was fairly unique when introduced,
corporate scandals (Enron, Worldcom, etc.), along with the
introduction of various regulatory schemes necessitating compliance
with certain risk metrics (Sarbanes-Oxley, Basel II, etc.) allowed
ERM and the concept of the CRO position to gain further momentum
and acceptance, even if such acceptance was intended merely to
allow a firm to comply with specific regulatory requirements,
rather than being an endorsement of the CRO position and/or ERM
itself. The position gained the earliest footholds in the finance
and energy sectors.3 In the years just prior to the
recent crisis, the CRO position had evolved beyond simply being a
tool used by large multinational firms, or firms subject to
specific regulatory compliance requirements, and beyond the
traditional risk management focus of prevention of loss. In the
most proactive firms, the CRO position had begun to be viewed as a
tool which created value by identifying opportunities to exploit
risks, as opposed to simply shielding firms from potential
risks.4 In all environments, it had become much more
The CRO position today
It would appear that, post-crisis, the CRO position continues to
vary considerably across industries, reflecting differences in the
type, severity and potential impact of risks faced. In addition,
the role may differ considerably between firms in the same
industry, possibly reflecting the relative newness of the concept
and position. Factors influencing such differences include (i) the
size and global reach of the firm, (ii) the firm's culture or
approach to risk (i.e. whether risk management is considered a high
priority of the board of directors or CEO), (iii) the presence of
an ERM proponent or an individual keen to spearhead the development
of a CRO position, and (iv) the competency of the CRO
himself/herself. All of these factors serve to define the position
of CRO at any particular firm. However, in general terms, the CRO
responsibilities typically are focussed on (i) "technical
oversight", and (ii) "directional influence".
Technical oversight refers to the specific responsibility to compile information, data and analysis related to the various known (and, potentially, unknown) risks of a firm (e.g. operational, compliance and financial risks), and to identify new risks to the firm, and based on such knowledge, to gain or develop a comprehensive understanding of the role that risk plays in the firm, including overlapping or conflicting risks and in particular those risks which may not be recognizable without a view of the firm as a whole. This oversight, which goes to the heart of an ERM approach, can be starkly contrasted to the "traditional" approach to risk management which involves, to use industry jargon, risk "silos", wherein each department or business unit of a firm manages its risks separately. It is widely acknowledged that the skill set required for the technical oversight responsibility of the CRO position is not well defined and this is a further reason why the "typical" role of a CRO is not readily definable.5
The second of a CRO's principal responsibilities, directional influence, is what differentiates a CRO from most risk managers and what makes a quality CRO a critical and valued member of the senior management team, or "C-Suite". A CRO's ability to develop a comprehensive understanding of the whole of a firm's risks is significant; however, unless this understanding is translated into corporate action that leads to desired business outcomes, the utility of a CRO will remain relatively limited.
As well, the CRO position has, generally, been described as being responsible for some or all of the following functions:
- Providing the overall leadership, vision and direction for
- Establishing an integrated risk management framework for all aspects of risks across the organization;
- Developing risk management policies, including the quantification of management's risk appetite through specific
- Implementing a set of risk metrics and reports, including losses and incidents, key risk exposures, and early warning
- Allocating economic capital to business activities based on risk, and optimizing the company's risk portfolio through business activities and risk transfer strategies;
- Improving the company's risk management readiness through communication and training programs, risk-based performance measurement and incentives, and other change management
- Developing the analytical, systems and data management capabilities to support the risk management program.6
A significant determinant, if not the significant determinant,
of the influence of a CRO on the activities of a firm, is the
reporting structure within which the CRO operates. A wide variety
of reporting structures are observed today, each of which may
function effectively, but also present certain difficulties or
disadvantages. Certain reporting structures include:
Board of Directors: Similar to the CEO, oftentimes a CRO reports directly to the board of directors. The ability of a CRO to report directly to the board regarding the risks faced by a firm would appear to provide an effective mechanism for, ultimately, translating a CRO's understanding of enterprise-wide risk into desired business outcomes, and may be particularly effective if board members are familiar with and view risk management as a significant priority for the firm. However, where board members, already charged with a host of other responsibilities, do not proactively embrace risk management (whether for lack of interest, understanding, time or any other reason), the efforts, ideas and ultimate value of a CRO may be significantly diminished.
Board Committee: A variant is a structure wherein the CRO reports to a board committee, such as a Risk Committee. Similarly, a structure which allows a CRO to present findings and strategies to certain board members can be advantageous, but is subject to limitations similar to those applicable to reporting to the entire board of directors, particularly where the CRO reports to a firm's Audit Committee (which is already charged with other critical and time-consuming responsibilities) rather than a dedicated Risk Committee.
CEO: No matter how influential the position of CRO may become in a firm, there are those, including some CROs themselves,7 who will always consider the CEO to be the firm's ultimate CRO. As such, a reporting structure wherein the CRO reports directly to the CEO (provided a strong relationship exists between the CRO and the CEO), may be an effective manner to translate a CRO's understanding of firm-wide risks into desired business outcomes, as this understanding is conveyed to the individual charged with the overall management of the firm. As with reporting to the board of directors, where a CEO does not embrace the utility of a CRO, the position is likely to be of limited effectiveness. Reporting to the CEO also appears to be OSFI's preferred approach, as last June Superintendent Dickson noted:
In a recent survey, conducted for KPMG International, of nearly
400 executives from insurance companies around the world, and
reported in KPMG's November 2009 publication "Getting the
Balance Right" (available at www.kpmg.ca), 45% of respondents
reported that their CROs report to the CEO. Robert Lang of HSBC was
quoted as noting "Speaking as a Chief Executive, I would
always foresee a CRO as my direct report and that person would
always be a key contributor to the daily running of my business and
its strategic considerations".
CFO, Chief Information Officer, Chief Compliance Officer: A reporting structure where a CRO reports to the CFO, CIO, CCO or other C-Suite member is, generally, viewed as providing a CRO with less influence, and ultimately as being less effective in creating positive business outcomes simply because these positions (CFO, CIO and COO) typically lack the required influence on a firm-wide basis to implement strategies that were developed as a result of firm-wide analysis in order to address firm-wide issues. In the same recent survey for KPMG, 20% of respondents reported that their CROs report to the CFO.
Future of the CRO position
The role of a CRO will no doubt continue to evolve, shaped by a
number of factors. Perhaps, if the financial crisis had not
occurred, the role would emphasize identifying those risks that
create value for a firm, a concept that, as discussed above,
characterized the years just prior to the financial crisis.
However, in light of the financial crisis, it seems that the future
motivations of financial institutions, with regard to implementing
ERM and appointing CROs, which will in turn significantly influence
the role of CROs, will be directed more toward loss prevention and
regulatory compliance. In fact, Ernst & Young recently
predicted in its Global Insurance Center 2010 U.S. Outlook for the
life insurance industry that "[t]he chief risk officer will
also face increasing demands from regulators and ratings agencies
on risks assumed and capacity".9
In Canada, Superintendent Dickson has demonstrated this increasing regulatory focus by noting that, generally,
Further, she has separately commented:
In terms of OSFI's focus, she has noted:
Chief Risk Officers should periodically commission a review and assessment of the institution's investment in risk management, for presentation to the senior management and the board. This should not happen only after a big problem has occurred; it should happen as part of the normal course of business.12
Comparing the different industries regulated by OSFI, she has
remarked to the property and casualty insurance CROs:
OSFI recognizes that the P&C industry has a diversity of institutions in terms of their size, number and complexity of business lines, risk appetite, etc., and that all of these factors will logically lead to different requirements with respect to the robustness of the risk management program. However, I cannot overemphasize the importance of having an organization-wide enterprise risk management process in place to help manage the numerous known, unknown, and emerging risks that P&C institutions face in these challenging times.13
In the UK, meanwhile, the November 2009 report prepared by David
Walker entitled "A Review of Corporate Governance in UK Banks
and other Financial Industry Entities", commonly known as the
Walker Report, includes the recommendation that banks and other
financial institutions be served by a CRO who should participate in
the risk management and oversight process at the highest level on
an enterprise-wide basis. The Walker Report also recommends that
the CRO have an internal reporting line directly to the CEO or CFO
as well as report to a board Risk Committee.14
Similarly, the Committee of European Banking Supervisors (CEBS),
recently published its high-level principles for risk management as
part of its 2010 Standards and Guidelines.15 These
high-level principles, which are intended to "strengthen the
risk culture within institutions through enhancements in the risk
management function" and which the CEBS recommends be
implemented by its members prior to the end of 2010, include
additional guidance with respect to "the role of the Chief
Risk Officer and risk management functions".
The role and prominence of the CRO will also continue to be shaped by the composition and risk management focus of boards. As Superintendent Dickson commented recently:
Another challenge facing the CRO position is a lack of qualified
individuals. As discussed above, the technical competence of a CRO
is critical, as is the novel skill set required - the ability to
grasp all risks of a firm, from financial to operational. Further,
complicating this issue is the fact that firms, necessarily, face
different risks, which subjects any CRO hired from outside the firm
to a relatively steep learning curve.
A final future challenge for CROs, as well as ERM in general, may be to remain a relevant management position (and in the case of ERM, a relevant risk management technique). Put another way, the challenge is to avoid becoming, over time, merely the latest corporate fad or mantra (see Total Quality Management, Quality Circles, Continuous Improvement, Six Sigma, etc.). If the CRO position, as a whole, fails to produce desired business results, or to attract qualified individuals, it may become less relevant, perhaps remaining of high profile only in highly regulated sectors, such as the financial or energy industries. A return to economic prosperity may also threaten the status of the position - as Superintendent Dickson recently noted: "While CROs are valued today, their advice may not be as valued when times are good again."18
1 Remarks by Superintendent Julie Dickson, Office of the
Superintendent of Financial Institutions Canada (OSFI) to the 2009
OSFI Risk Management Seminar for Life Insurance Companies, Toronto,
Ontario, November 5, 2009.
2 Economist Intelligence Unit. (2005). "The evolving role of the CRO", The Economist Intelligence Unit, London/New York/Hong Kong (May) at p. 3.
3 Ibid. at p. 4.
4 Buehler K., Freeman A., Hulme R. "Owning the Right Risks" (2008). Harvard Business Review 102-110.
5 Haubenstock, M. "Organizing a Financial Institution to Deliver Enterprise-wide Risk Management". Journal of Lending & Credit Risk Management 81(6), 46-52.
6 Lam J. (2003). What is enterprise risk management. Enterprise Risk Management (chap. 4 pp 43-55). Canada: Wiley. cited in Yi-Shang Huang, The Determinants of Enterprise Risk Management: Evidence from the Appointment of Chief Risk Officers in Publicly-listed Financial Firms in Taiwan. (Risk Management and Informational Engineering Thesis, Ming Chuan University, 2008) [unpublished] at p. 18.
7 Comment by Beverly S. Margolian, Executive Vice-President and Chief Risk Officer at Manulife Financial, at the Chief Risk Officer Forum Session 20 PD, Record, Volume 30, No. 2, Spring Meeting, San Antonio, Texas, June 14-15, 2004.
8 Remarks by Superintendent Julie Dickson, Office of the Superintendent of Financial Institutions Canada (OSFI) to the 2009 OSFI Risk Management Seminar for Life Insurance Companies, Toronto, Ontario, June 9, 2009.
9 Ernst & Young, Global Insurance Centre 2010 Outlook: US life insurance industry outlook, online: http://www.ey.com/Publication/vwLUAssets/US_life_outlook_v3/$FILE/US_life_outlook_v3.pdf at p. 2.
10 Remarks by Superintendent Julie Dickson, Office of the Superintendent of Financial Institutions Canada (OSFI) to the Canadian Centre for Ethics and Corporate Policy, Toronto, Ontario, April 17, 2008.
11 Remarks by Superintendent Julie Dickson, Office of the Superintendent of Financial Institutions Canada (OSFI) to the 2009 OSFI Risk Management Seminar for Life Insurance Companies, Toronto, Ontario, November 18, 2009.
12 Remarks by Superintendent Julie Dickson, Office of the Superintendent of Financial Institutions Canada (OSFI) to the Northwind Professional Institute 2008 Life Insurance Invitational Forum, Cambridge, Ontario, November 13, 2008.
13 Supra, note 1.
14 See Recommendation 24 in the Walker Report.
15 Committee of European Banking Supervisors (2010). High level principles for risk management, online: Committee of European Banking Supervisors http://www.c-ebs.org/documents/Publications/Standards---Guidelines/2010/Risk-management/HighLevelprinciplesonriskmanagement.aspx
16 Committee of European Banking Supervisors, News Release, "CEBS today publishes its high level principles for risk management" (16 February 2010), online: CEBS http://www.c-ebs.org/News--Communications/Latest-news/CEBS-today-publishes-its-high-level-principles-for.aspx.
17 Supra, note 10.
18 Supra, note 10.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.