Cover Story: Moving into the C-Suite

February 29, 2008 | Last updated on October 1, 2024

The old saying ‘full-time risk, part-time risk management’ has become a thing of the past: with the creation of the new CRO (chief risk officer) designation, risk managers have now climbed the next rung on the corporate ladder, eyeing the executive’s proverbial corner office

If some risk managers have their way, another set of letters will soon be added to the C-suite soup – i.e. the ‘CRO,’ or Chief Risk Officer. For some time, risk managers have said at conferences that their profession will not have truly arrived until it is recognized at the board level. But it’s difficult to tell if the profession has collectively edged itself into the corner office, or if they’ve been left on the sidelines.

A clear definition of the CRO model, the perceived feather in enterprise risk management (ERM)’s cap, is still a work in progress. Nonetheless, risk management representatives argue that in order for ERM to be effective, an organization needs a risk management representative at the senior level. When decisions are made, they argue, risk management is an inherent part of the process; ultimately, by having a seat at the table, the profession will have gained the recognition for which it has strived over the past decade or so.

The CRO model does have its critics: some say the position itself is counter to ERM principles. ERM is supposed to aim at holistic risk management, for example, whereas the corporate boardroom often breaks down into ‘silos’ headed up by the so-called C-types – CEOs, CFOs, COOs and CTOs (Chief Technology Officers). Does a seat for the CRO actually relieve the other chief executives sitting around the table of responsibility for the organization’s risk management?

BENCHMARKS AND PLACEMENTS

Before debating the perfect model for the CRO, Canadian risk managers need to gain a sense of where they collectively sit within their respective employers’ organizational structures. Kim Hunton, Risk & Insurance Management Society (RIMS) Canada Council chair, says earlier this year the council established as a target for the next decade the transition of the risk manager position into the C-suite.

The first hurdle, says Hunton, is to find out where RIMS members are currently placed within their organizations’ corporate governance structures. This information would then be used for benchmarking purposes. “Currently we don’t necessarily know where our members are,” she says. “So one of our first challenges is to find out where RIMS members are today, and then to track those member position levels as they move through their working life.”

The Conference Board of Canada’s Corporate Finance and Risk Management division in 2005 published the survey Enterprise Risk Management: Inside and Out. The report surveyed 86 organizations (81 were Canadian), examining the role ERM plays in each company. A majority of respondents were government organizations (25%), followed closely by publicly-traded companies (23%) and crown corporations (21%).

Slightly more than half of the respondents reported having a CRO. The majority of companies that did have a CRO could be found in the financial, utilities and insurance industries.

Karen Thiessen manages the Conference Board of Canada’s Strategic Risk Council — a council composed of senior executives (CFOs, CROs, CIAs, COOs and vice presidents of risk management) with responsibility for ERM. She explains that the position is more prevalent in those sectors that tend to be much more heavily regulated. But, she adds, in the past three or four years, she has noted other sectors, both private and public, including healthcare, manufacturing, telecommunications, Crown corporations and federal government, are appointing risk executives to the C-suite.

Thiessen hypothesizes that this recent shift toward increased implementation of ERM by Canadian companies may be a result of two developments: the regulatory dust of the Sarbanes-Oxley Act of 2002 (SOX) settling south of the border and credit rating analysis of ERM at nonfinancial companies.

The US was knee-deep in complying with SOX for the past few years, and Canadians’ interest in ERM was at an even keel for year one of SOX, but then started to grow over the next couple of years, she says. Canadians could have been waiting to see the final outcome of SOX before supporting a major initiative such as ERM or improving on their existing process. “Sure enough, after the first year of SOX implementation, the Strategic Risk Council grew by more than 50%,” she notes, adding that more Canadian companies will be breathing ERM as a result of the ratings evaluation process of S&P/Moody’s Investors Service.

David Price, regional vice president of financial institutions and professional liability for Arch Insurance (Canada), says that when underwriting a directors’ and officers’ liability risk, the presence of a CRO in an organization is generally a sign of complexity in the risk. He notes CROs are commonly found in financial institutions, energy companies and large complex organizations that allocate and manage capital on a risk basis.

A CRO role is “a growing cornerstone” of ERM, Price says. “I believe that if you have someone who is evaluating risk, and assisting the CEO and the board in assessing how much risk they can take for given activities, that is a very strong underwriting risk characteristic.” But the existence of CROs in smaller, less-complex organizations is not a trend Price has observed in the Canadian marketplace. In a smaller, less complex organization, it may not be necessary to have the CRO position, he says, “but it would be a positive addition.”

A SILO OR A BRIDGE?

Susan Meltzer, the assistant vice-president of risk management at Aviva Canada, admits she’s not entirely sold on the concept of a CRO. “I think it takes away the embedding of accountability for risks in the jobs of all of the [other] senior executives, in particular,” she says. “All senior executives have accountability for risk in one way or another. By carving it out, I believe it can create a culture where if you have a risk event, then it was the chief risk officer’s fault.”

Assessing risk holistically should be encouraged as a way of thinking, she stresses. “I think having a CRO takes away from that.”

Thiessen can see Meltzer’s point of view if, for example, it’s a smaller company whose business processes are highly integrated and that relies on all individuals to be owners of risk in their own department. A CRO, on the other hand, she says, formalizes, coordinates and oversees an ERM process. An organization that practices enterprise-wide management of risks, including the setting of corporate risk tolerances and risk profiles, collectively coordinating and overseeing the process and providing written and verbal reports to the executive team and board, needs a CRO to keep the momentum of ERM.

Doug Brooks is the senior vice president and chief financial officer at Equitable Life Canada. He says that although his title says CFO, he is officially the organization’s CRO. It’s not the job of the CRO to do day-to-day risk management, he says. “The real key is that there are people who are making decisions day-to-day that have to make good risk-adjusted business decisions.” The role of the CRO, he added, “is to create the tools and the culture to make risk management happen within the organization.”

Meltzer says in an ideal world, a company’s top risk manager would have access to the board room table, have a senior-enough position to influence strategy, manage risk at all levels (both high and at ground level) and must be able to “help executives manage their risks, but also challenge the way that they’re managing their risks.”

She compares her notion of the risk manager to the cartoon illustration of the conscience — a devil perched on a person’s left shoulder and an angel on the right.

Senior executives aren’t wired to think pessimistically, she says, so it’s up to the risk manager to offer all sides of a risk. “It’s not our job to ensure executives make the decision we think they should make. Our job is to ensure that the right people at the right level of the organization have the right information — both the upside and the downside — to make a decision.” Whether or not that warrants a spot in the C-suite, she added, “well, I’m not entirely convinced.”

Still, many in the risk management community maintain the profession needs to be in the boardroom, rather than on the outside waiting for an invitation in. For years, risk managers have been battling to gain executives’ ears, says Hunton. Placed in a middle-management position, a risk manager is constantly worried about garnering buy-in from the upper ranks rather than just being able to focus on the job at hand.

EARNING YOUR SPURS

Whether or not they wear the executive threads, risk managers must overcome hurdles before either sitting at the executive table or advising the C-types. The Conference Board’s 2005 report suggests most CROs have moved into their positions from within their own organizations; the departments of finance and administration/financial services predominantly serve as the springboard into the position (18% of the cases).

The very nature of risk management creates a challenge unto itself when it comes to demonstrating the value of the position to those in the upper ranks of management, Meltzer says. “The biggest obstacle is, [risk] isn’t measurable. It’s kind of esoteric.”

The whole point of the profession is to avoid “the big loss,” Meltzer observes. But how can anyone say ‘I averted the big loss’ when no one knows what that loss might have been? “What you’re trying to do is stop big, bad hairy things from happening,” Meltzer says. “And if you’re successful, then they don’t happen. But that’s difficult to measure.”

Brooks says if ERM is driven top-down, it might be viewed internally as just so much more bureaucracy, particularly in a large corporation. “If it’s not properly done, then it can feel like another corporate requirement,” he says. “People will question if it is really adding value.”

Buy-in at the business level is key, he suggests. But it can be tricky to achieve that buy-in before a problem erupts. “I know some companies have gotten into it [ERM] because of a burning platform, and there was an issue that had to be dealt with,” he says. “But I think over the past few years, people have come to realize there have been failures or frauds. These things can and do happen, and companies need to put proper things in place even if they believe that things are under control.”

John Fraser, Hydro One’s CRO, says that when he was asked to take on the role of head of risk management in 2000, the biggest challenge he faced was establishing credibility and adding value.

To overcome this obstacle, Fraser explains, he worked with one of the organization’s subsidiaries and ran a series of workshops on the company’s top risks. Using anonymous voting technology (similar to that used on the game show Who Wants to Be a Millionaire?), Fraser and his staff ran the workshop. It was a hit, and the president of the subsidiary asked them to add another workshop with additional risks. “If it was not successful that probably would have been the end of ERM for the company,” he says. “That’s what I mean about credibility, you have to earn your spurs.”

Fraser was invited to bring his anonymous voting technology to the senior management team. He put together a series of mini-workshops, each about 40 minutes long. Each one tackled one of the Top 10 risks facing Hydro One. “It was funny, because the first time we ran this workshop, when we asked each person to vote and press his or her key pad, everyone looked to the president to see what she was thinking,” he recalls. “But what this anonymous voting allows you to do is to be really anonymous and express your opinion in an unbiased fashion. And then you could engage in this great dialogue without the ‘who-said-what.'”

Thiessen agrees with Fraser that if risk managers are going to elevate themselves professionally, they need to find a way to create value for themselves. “I think all risk managers are struggling with this. I also think all risk managers know they are valuable, but that they have to find an innovative way to convey this message to the right people who will let them sit in on the decision-making,” she says.

To gain credibility within an organization, risk managers must not try to do everything at once, and must keep it simple, Meltzer says. “By bringing in a consultant and working with fancy models right away, and coming up with fancy numbers that no one understands — it doesn’t work,” she says. “You need to take the