Background:
Risk is part of everyday business and organizational strategy. However, the volume of risks facing organizations has grown tremendously over the last decade, and their nature has changed, because of the complexity of business transactions, technological advances, globalization and the overall pace of change in the environment.
Although risk oversight has always been an important part of the Board's oversight responsibilities, the financial crisis of 2008 brought it into sharper focus. The role of the Board of Directors in enterprise-wide risk oversight has become increasingly challenging, and stakeholders now expect greater Board involvement in risk.
Post-mortems of the global financial crisis, in which some seemingly invincible organizations collapsed unexpectedly, identified the following major causes:
1. Lack of Board effectiveness
2. Weak risk management oversight
3. Poor ethos and work culture
4. Sub-optimal communication
5. Excessively complex structures
6. Inappropriate incentives
7. An information glass ceiling
8. A dubious role played by audit
In June 2020, the Reserve Bank of India's Department of Regulation circulated a Discussion Paper on Governance in Commercial Banks in India. Some of the points relating to risk management from this paper are reproduced below:
“1. An independent risk management function is one of the key elements in the governance structure and is part of the second line of defense.
2. The risk management function and its functionaries shall be accountable and report only to the Risk Management Committee of the Board (RMCB).
3. The head of the risk management function, to be designated as ‘Chief Risk Officer’ (CRO), shall report to the RMCB which will be responsible for selection, oversight of performance including performance appraisals and, if necessary, dismissal of the CRO. The CRO, together with RMCB, shall be actively engaged in monitoring performance relative to risk-taking and risk limit adherence.
4. The CRO shall be a senior official in hierarchy with equivalence no less than those at one level below the WTDs/CEO. The CRO shall have the necessary and adequate professional qualification/experience in the areas of risk management so as to interpret as well as articulate risk in an understandable manner. The CRO shall have the ability to effectively engage the Board, RMCB and management in constructive dialogue on key risk issues. The CRO will function as a secretary to the RMCB.
5. The risk management functionaries shall have direct access to the RMCB.”
Though the document is still a draft, it has stirred serious debate on the reporting structure of the risk management team, and of the CRO in particular. That makes it a timely backdrop for a considered discussion of the issue.
Introduction:
Wikipedia points out that the term ‘Tone at the Top’ originated in the field of accounting and referred to the transparency and integrity of the financial statements and other reporting to shareholders. The term has come to be used more widely in recent years and primarily refers to the tone set by the Board of an organization, but it can also refer to the tone set by the Audit and/or Risk committee, other Board committees, and the CEO and senior executives.
Risk oversight is a primary Board responsibility, and in the evolving business and risk landscape, Directors need to develop and continuously improve practices to establish a well-defined and effective oversight function.
The Board sets the tone of the organization in the way it executes its responsibilities. Establishing the right tone at the top is much more than a compliance exercise. “Tone at the top” demands that leaders—and especially the CEO—find ways to connect with people inside and outside the organization. Once tone at the top is established, the CEO, Board and the CRO continually work to reinforce and strengthen it.
Within the board, where does responsibility for risk oversight lie? In many companies, it rests with the Board’s Audit Committee while in some others there is an exclusive Committee dealing with Risk Management.
According to the Basel Committee on Banking Supervision's corporate governance principles for banks, financial firms should have an independent senior executive with distinct responsibility for the risk management function and the institution's comprehensive risk management framework. This executive is commonly referred to as the Chief Risk Officer (CRO). Whatever the title, the role of the CRO should be distinct from other executive functions and business line responsibilities, and there generally should be no “dual hatting” (the COO, CFO, chief auditor or other senior managers should not also serve as CRO).
Where the ERM (Enterprise Risk Management) function reports is often a contentious issue. In some organizations, the CRO, or equivalent, reports to the CFO. There is a distinct disadvantage to this set-up: the CRO is expected to challenge the CFO on financing or securitization choices, and may fail to challenge effectively because of that subordinate position.
Some organizations have responded to this problem with a second option, in which the CRO reports directly to the CEO. This structure may ease potential conflicts between the CRO and CFO. However, it is also an imperfect solution. Given the CEO's many other concerns and responsibilities, the CEO may not have the bandwidth to address risk issues adequately when other strategic issues demand time and focus. Besides, a CEO is always under pressure to deliver quarterly results, which encourages a short-term view.
Another alternative is that the CRO reports to the Board of Directors, either directly or via a Board-level Committee. If the reporting line includes a Committee, the structure typically works best when ERM is incubated under a separate Risk Committee and not under the existing Audit Committee. The Audit Committee is generally focused on accurate financial reporting and disclosure, not specifically on how risk management might help the business run more effectively. The CRO who reports to an Audit Committee or a Chief Audit Executive, therefore, ends up being more of a risk controller than a risk manager.
In the majority of institutions, particularly financial institutions such as banks and insurance companies, the CRO reports to the CEO but has a direct relationship with the Board by being a member of its various committees and, at times, of the Board itself.
Body:
As mentioned above, the Board is entrusted with the task of oversight or Governance rather than active management of Risk. Hence, it is necessary to clearly understand the distinction between these two functions.
Risk Management refers to the practice of identifying potential risks in advance, analyzing them, and taking precautionary steps to reduce/curb the risk. It relates to the process of minimizing the harm and maximizing the opportunities that risks present to an organization. Risk management is closely linked to the operational processes to facilitate informed business decisions.
On the other hand, Risk governance is the oversight of the risk management program to ensure that the program is being managed properly and that all regulatory and reporting obligations are being met. Framing Risk management policies and putting in place a proper risk management structure falls under the purview of risk governance.
You could say risk management is like the mechanic who makes sure the vehicle runs properly and risk governance is like the vehicle inspector who makes sure the vehicle is still roadworthy. To put it differently, Risk Governance is more about effectiveness while Risk Management is more about efficiency.
Risk governance and risk management can never be fully effective in isolation; each business needs to incorporate both into its operations to be successful.
Boards have a difficult task in overseeing the management of the increasingly complex and interconnected risks that are a threat to the survival of businesses. To effectively exercise its risk oversight role, there is a need for the Board to build a strong risk culture in the organization. Mind-sets and behaviors of individuals and groups inside the organization play a crucial role in the execution of a company’s enterprise-risk-management strategy.
Unless managing risk is an organizational imperative – and line personnel are aware of and own the risks their operating activities create – it is difficult for any CRO to be successful. The enterprise's risk culture drives the “everyone is responsible” view. That view starts at the top. The risk culture should be deeply embedded in the organization, so that changes in the economic cycle, leadership, and staff turnover do not make the culture disappear.
The first step to establishing the importance of risk culture to an organization is beginning a conversation between the Board and management regarding setting the “Tone at the Top”. This is generally interpreted as setting of a high bar for honesty, integrity and ethical behavior which becomes a foundation stone for a robust, resilient and ethical culture.
The various risks that the Board has to deal with fall into categories such as governance risks, critical enterprise risks, business management risks and, lastly, emerging and non-traditional risks (such as climate change and disruptive technological innovation) that are not normally on management's radar but will impact the organization's business and are likely to be disruptive to it.
The Board's responsibility is to oversee organizational activities and risks, while risk management rests with senior management and ownership of risks resides in the business units. It is very important that the Board monitors the alignment of strategy, risk, controls, compliance, incentives and people. Properly aligning these elements reduces the likelihood of a disconnect between a company's strategy and its execution. It is also important for the Board to assess whether the company's risk management system, its people and processes, are appropriate and well resourced.
While an organization can appoint a “best in class” CRO who ticks all the necessary boxes, if the organization does not fully embrace and acknowledge the role, it will be doomed to fail from the outset. It is fairly obvious that the risk management function of an organization should be independent. In some firms, the risk management function reports to the CFO. In others, the risk team is a separate function reporting directly to the CEO. Ideally, the risk management function should report to no one below the level of the CEO. This ensures that the risk function is given proper standing in the organization and does not get lost within the finance function. It is imperative that risk managers have the respect of those outside the risk function so that their opinions are heard. To ensure this, risk managers must be sufficiently senior and highly experienced, so that they thoroughly understand their company's business.
In order to ensure that it discharges its role successfully, the Board should engage in constructive risk dialogue with management challenging assumptions which have an impact on risk. It is in this context that the Board should keep itself informed of any current, imminent or envisaged risks that may threaten the long-term sustainability of the organization. Risk reports to the Board, therefore, should contain meaningful information on the firm’s overall risks, risk concentrations, emerging risks, and any changes or trends in key risks.
Why should the CRO report to the Board rather than the CEO?
The Chief Risk Officer and their team of risk management professionals are expected to champion the protection of enterprise value at crucial decision-making moments, when a given strategy, transaction or deal is under scrutiny or is likely to expose the organization to unacceptable risk. Effective CROs are concerned with what the institution's leaders may not know and, therefore, must occasionally offer a contrarian point of view; otherwise, the decision-making process may be distorted by “group think” or by extraneous factors such as management bias and short-termism, which underlie dangerous organizational blind spots.
A common mistake is positioning the risk function under Internal Audit. In the Three Lines of Defense model, management control is the first line, the various risk control and compliance oversight functions established by management are the second line, and independent assurance is the third. Each of these plays a distinct role within the organization's wider governance framework. Placing risk under audit not only undermines their respective value propositions but collapses two lines into one, effectively eliminating an entire “line” from the governance framework.
A CRO who reports to the head of a business line cannot exercise effective control over the activities of that business line. A CRO reporting through Finance does not have sufficient leverage to push complex or uncomfortable risk issues through to the highest levels of decision-making.
For this very reason, the head of the risk management function (CRO or equivalent) should ideally have direct access to the RMCB or the Board. This is not to say that the CEO should be kept out of the loop. Keeping the CEO involved is critical, because ERM cannot succeed without the CEO's active engagement: unless risk management is an integral part of management's day-to-day agenda, it is reduced to a mere compliance exercise. Moreover, the Board may not have the technical knowledge in every area to interpret risk results and provide guidance on its own.
International Experience:
According to Deloitte's Global Risk Management Survey, 68% of CROs in financial institutions report to the CEO and 46% report to the Board directly. The two figures overlap, since some CROs have dual reporting lines.
Formal reporting lines may vary across organizations and countries, but regardless of these reporting lines, the independence of the CRO is paramount. While the CRO may report to the CEO or other senior management, the CRO should also report and have direct access to the Board and its Risk Committee without impediment. Also, the CRO should not have any management or financial responsibility in respect of any operational business lines or revenue-generating functions. Interaction between the CRO and the Board should occur regularly and be documented adequately.
What challenges arise when the CRO reports to the Board?
Where the CRO has a direct reporting line to the Board of Directors, the Board and the CEO must have a mutual understanding of the value contributed by the CRO, with the intent of preserving his or her independent role within the organization.
Over time, regulators have engaged more closely with regulated entities, and this has changed the role of the CRO. Boards are now more sensitive to risk-related issues and require Chief Risk Officers to have a direct reporting line to the Board. If CROs end up spending more time on regulatory compliance than on substantive risk management, this can prove very costly to the organization.
As competition grows and market share is at stake, risk-taking will naturally rise, and prudent risk-taking will become necessary to achieve the business goals. At such times, CROs cannot be beholden to the Board for every decision, because timely decision-making is of the essence.
Ultimately, the question of the reporting relationship is less important than three other attributes or critical success factors for the position: unfettered access to the CEO and the Board of Directors; leadership of an enterprise-wide risk management committee; and a mutually supportive working relationship with the CFO and the CCO of the organization.
As the executor of the entire risk management function, the CRO needs free access to the Board as well as the CEO. Denying such access creates disconnects in communication and delays the resolution of strategic problems.
CONCLUSION:
Often, the CRO is the ultimate champion of the risk management process in the organization. To be effective, he/she must have a prominent and effective voice in management. At the moment when crucial issues are being discussed and the CRO needs to put forward a contrarian view to protect shareholder interests, how can a CRO go against a CEO who holds all the power over the CRO's career, viz. salary, incentives, promotion and so on? And if the CEO does not believe in the value of risk management – as is the case in some institutions where volume and growth are the most important factors – a financial crisis is only a matter of time.
World over, there is no one-size-fits-all model of CRO reporting structure. There are multiple models prevalent in enterprises, some of which are:
1. CRO reports to another senior executive, e.g., the CFO, or directly to the CEO
2. Dual reporting for the CRO – to the CEO and the Board
3. CRO reports to the RMCB or ACB, i.e. a committee of the Board
4. CRO reports directly to the Board
The conventional model of having the CRO report to the CEO, or to anyone below the CEO, poses a dilemma in situations where there are serious differences of view about the risk assessment of a particular business model or proposition. The potential conflict of interest in such a situation between the deal makers and the risk managers can best be avoided if the CRO reports directly to the Board or to the Risk Management Committee of the Board (RMCB), and the risk management team reports to the CRO. The Board may, depending on its composition, also decide to opt for option (3) above. In either of these arrangements the Directors have the option of interacting with the CRO in executive sessions to share their concerns. In none of these situations, however, would it be prudent to alienate the CEO from the process completely, as this would jeopardize the success of the risk enterprise in the organization. The system functions best when management works in tandem with the Board.