Chief risk officers' effectiveness depends on management buy-in: RIMS speakerPosted On: Nov. 4, 2011 12:00 AM CST
SAN DIEGO—While some details of chief risk officers' roles may vary in different organizations, there are core roles and competencies that such executives have in common across different companies and industries, according to one CRO.
Speaking Thursday at the Risk & Insurance Management Society Inc.'s inaugural ERM Conference in San Diego, Carl Groth, group chief risk officer at Torus Specialty Insurance Co. in Jersey City, N.J., said one source of differences in the roles of CROs stems from where they report in their company.
“There's a big difference in what the CRO does for their company and it largely has to do with the reporting line of the CRO,” Mr. Groth said. It's becoming increasingly common for CROs to report directly to the CEO, though there might be differences in the details of a CRO's role based on the “mindset” of various CEOs.
Regardless of where the CRO reports in the organization, the company has to buy in to the idea of risk management and make certain commitments to the program for the individual to succeed.
“In my view, there clearly has to be a setting the stage for a CRO to be able to make a difference,” Mr. Groth said. “There are some very bright people out there who are CROs who haven't done well for one reason or another.” Their lack of success typically is a result of their organizations not providing the necessary “ingredients,” he said.
“If you don't have those ingredients there, no matter how capable the person is, it's difficult to make a difference,” said Mr. Groth.
While saying “one size doesn't fit all,” Mr. Groth said the CRO generally is responsible for developing the enterprise risk management program and ensuring its execution.
Among attributes CROs typically have in common is deep technical expertise. “You have to be a risk expert,” Mr., Groth said. The CRO also typically is a collaborator and effective communicator, and needs to be an “influencer.” The latter is “a tough one to do, particularly when it comes down to challenging some key aspects of a business model,” he said.
Finally, a CRO needs to be an effective project manager.
Among key challenges that might confront a CRO is a lack of understanding of the risk management function in the organization. “The risk function is not a very well-understood function,” Mr. Groth said.
Another frequently seen challenge is board or audit committee disengagement with regard to their risk oversight role. “They can be disengaged because they don't think risk management is that important,” Mr. Groth said. “Or they have their plate so full that risk management kind of falls off the radar screen.”
Other challenges might include the management team being too busy, preventing the proper execution of risk management strategies. And insufficient resources in the form of staff, skills and tools within risk management is a common challenge. “Risk management not being a revenue driver of the company sometimes has a lot of competition for resources,” Mr. Groth said. “Hopefully the case can be made.”
Among factors that can contribute to a CRO’s success is a clearly defined ERM program. “The ERM program should be very clearly communicated,” Mr. Groth said, with senior management and the board understanding the program.
As a CRO, “That’s one of my jobs, to help design all that stuff, work with the senior management team and the businesses to make sure there’s buy-in and all of that makes sense,” he said.