Friday, 15 March 2013

The Evolving Role of the Chief Risk Officer

In working with institutions of different sizes to develop an enterprise risk management program, some of the questions that tend to come up relate in particular to the Chief Risk Officer's (CRO) role, including:
  • To whom should the CRO report?
  • Does the CRO only work on the risk framework or can (or should) he participate in risk assessments?
  • Does the CRO own any of the risks?
In truth, these are not simple questions, so it is not surprising that organizations are wrestling with them.  The industry has been given little guidance on the design of the CRO position, and asking 10 people will usually yield at least 10 different opinions (sometimes even more). However, some patterns are starting to emerge that I believe represent industry best practices.
The CRO's role will very likely be different in a smaller organization than in a large one, and that is ok. When an organization is small, the CRO's role is much more hands-on. As the organization grows, the role becomes more formalized and further removed from day-to-day program management. This "evolution" is perfectly fine, but it tends to confuse people if they are looking for one universal job description. Even industry literature tries to take a position on the structure of the CRO's role, when in practice it is not that simple. The purpose of this article is to outline two different models for risk managers and describe how this evolution should occur naturally over time.
Risk Governance
For the benefit of context, when we talk about the risk management program, there are basically three key functions that need to be identified:
  • The design of the risk management (RM) framework
  • Implementation of the framework (identifying, monitoring and managing risk)
  • Testing of the program (ensuring compliance with the framework and its effectiveness)
Who participates in each of these will largely depend on the size and complexity of the organization. To give us a starting place, we can generally say that the CRO will drive the first point and that Internal Audit (via control validation) will largely drive the last point, but everything else in the middle embodies multiple shades of gray.
This point becomes the most treacherous when we ask the question, who should assess the risk?  While we know that the CRO will always act as a type of subject matter expert, this becomes profoundly dangerous if the CRO's opinion begins to carry more weight than that of the actual business or process owners.  Ultimately, the business needs to own the risk, so how does the CRO provide input without inheriting the risk itself? This is the real trick for the organization.  We have to remember that the CRO may understand risk but may not understand every business process.  Conversely, process owners may know the process but may not appreciate all of the potential risks. Enterprise risk management is about making sure that these two roles work closely together to bring the best of all knowledge together in a cohesive way.
With that foundation, there are basically two models of risk governance, the singular model and the dual line model. The following outlines these two different models for a typical financial institution.
The Singular Model
The singular model is the most common for smaller organizations. In this model the bank typically has a Chief Risk Officer who is responsible for the design of the program and is also expected to participate in the risk assessment process. Characteristics of this role include:
  • Responsible for the development of the ERM framework
  • Chairs the bank risk committee (a management committee)
  • Will act as a subject matter expert (SME) to business areas on assessing risk, including change management
  • May serve as one of the liaisons with regulators (or may even help coordinate bank exams)
  • Will typically report to the CEO (any other reporting point is not senior enough)
  • Should not have operational units reporting to him; he needs to remain independent of operations
Where organizations need to be very careful with this type of CRO role is that the CRO will be expected to participate in the risk assessment process (which is fine), but ultimately management needs to own the risk assessments. Management must make sure that the CRO doesn't become the automatic "go-to" person for assessing risk. That said, his role as both program designer and subject matter expert is invaluable to the organization.
A simplified organization chart showing the inclusion of this role is as follows:
Natural Evolution

Then, as organizations begin to grow more complex, a natural evolution takes place to a more mature risk framework. These changes include:
  • The risk committee will shift from a management committee to a Board Committee
  • The CRO will move into more of a corporate role with risk managers then embedded within business units
  • The CRO will be much less involved in risk assessments, instead focusing more on program governance and oversight
  • Embedded risk managers are responsible for assessing risk within their respective business units
  • Risk frameworks become more formalized and corporate standards emerge
This shift naturally leads to a dual line model, which is much more common in larger organizations.
The Dual Line Model
In the dual line model, the risk management program is split between a corporate risk officer and embedded risk managers.  This model is not unlike that of the Chief Credit Officer (a corporate role) that sets lending policy which is then implemented by the Chief Lending Officer overseeing individual loan officers.
These roles can be described as follows:
Chief Risk Officer
  • Oversees the development of the ERM framework (and the development of RM policies)
  • Acts as SME primarily to the embedded risk managers (but could also consult to business areas as needed)
  • One of many liaisons with regulators
  • Reports to the Board Risk Committee (now chaired by a Director)
  • His independence is significant at this point: once he is independent of management, not only can he drive program design, but he can now be part of program testing as well
  • As with the singular model, he should not have operational areas reporting to him
Embedded risk managers
  • Responsible for functional risk assessments within those business units where risk assessment and management has grown into a full-time responsibility
  • If there is a head of all of the individual risk managers throughout the business, consider calling this person "Enterprise Risk Manager," "Senior Risk Manager" or "Chief Risk Manager."  The "manager" (or similar) designation makes a clear distinction between the CRO and the one implementing the framework and actually assessing risk (i.e., managing it).  The individual risk managers will likely report to the heads of the business units with a dotted line to the Enterprise Risk Manager
An example of this type of framework is shown below. Between these two models there is an almost infinite number of permutations and each organization will need to decide how best to design their risk governance structure. But regardless of which structure is chosen, a central, critical point to remember is that while the CRO may serve as SME and provide input on assessing risk he should never, under any circumstances, own the risk. This must remain with business owners.
The ERM Advantage
By committing to employ a chief risk officer, the organization creates one central, highly qualified individual who can develop a solid risk framework and assist management in ensuring that it is consistently utilized. This has a profound impact on reducing losses and preserving capital and shareholder equity.
