Jack Hampton recently talked with John Bayeux, executive vp and Financial Institutions Practice Leader at Willis Risk Solutions. John has been keenly interested in enterprise risk management for some time. They discussed the May 15 article in Business Insurance proposing dual positions of a chief strategy officer and non-financial chief risk officer.

Hampton: Some people believe that ERM started in financial institutions as did the title of chief risk officer. In your view, would that be correct?

Bayeux: I think that it even predates that title. I remember in 1987, when I was risk manager at L.F. Rothschild, a securities firm in New York, another department within the firm--also called risk management--was responsible for credit and financial risk. In the 1990s, the two disciplines began to come together under the auspices of the chief risk officer. In the banking world, this was driven, to some extent, by the implementation of the Basel I Accord governing the amount of capital a financial institution had to set aside to protect itself against the credit and market risks it assumed in the performance of its daily business.

Hampton: That was a long time ago. What is the current status of chief risk officers in banks, insurance companies and similar firms?

Bayeux: Today, financial institutions are facing the inevitable implementation of Basel II. Now, in addition to credit and market risks, they will have to assess capital against their operational risks. Banks are increasingly assigning the task of leading their compliance efforts to their chief risk officer, and their operational risk efforts to operational risk leaders at corporate and business unit levels. For example, one of my clients, a South Carolina bank, has a fully staffed risk department consisting of credit, market, operational risk leaders and an insurance risk manager reporting to a CRO. This team determines appropriate levels of risk, methods of mitigating them, the risk impact on regulatory capital and the potential for transferring the risk via insurance or other less traditional methods.

Hampton: The Business Insurance article argues that companies should create a chief strategy officer with no responsibilities other than scanning the changing risk horizon external to the organization and bringing back early warning signs. Is that an appropriate model for a financial institution?

Bayeux: I was fascinated by this portion of the article. As I read it, I viewed the chief strategy officer as a person charged with implementing the vision of senior management and the board. I agree with Chris Mandel (www.BusinessInsurance.com/EmergingRiskStrategies) that it would be difficult to achieve such a stand-alone position in today's environment. I do think that every person involved with evaluating and addressing risk within a financial institution should, as a normal part of their responsibility, be "scanning the changing risk horizon" to enable their institution to be ahead of risk development.

Hampton: The article also suggests the creation of a non-financial chief risk officer with responsibilities for helping mitigate broad organizational risks related to culture, employment practices and fiduciary responsibilities. Is such a position consistent with the needs of banks or insurance companies?

Bayeux: I do not believe so. Financial institutions within the Basel II environment have recently appointed operational risk leaders. They also have insurance risk managers who have long sought ways to control or mitigate risk as a core responsibility. Chris Mandel alluded to the fact that some insurance risk managers are more in tune with their institutions than others. With the growth of employment and fiduciary-related claims, the proactive and effective insurance risk manager is already working with other key senior officers to address these risks.

Hampton: The list of critical risks includes insurable risk--the stock in trade of today's risk managers. Banks often do not have traditional risk managers. If they created chief risk officer positions, what kind of people would fill them?

Bayeux: Yes, insurable risks are a subset of all operational risks. Whether a bank has a formalized insurance risk management department or has the function assigned to a finance or legal person, someone has the responsibility for managing these insurable risks. A growing number of the middle-market banks have realized that a professionally managed department handling insurable risks can optimize an organization's performance.

Hampton: From my days at RIMS, I knew you as a proactive advocate for enterprise risk management. You also saw a keen role for the broker in the process. Are financial institutions seriously getting into the game? If yes, what are the drivers?

Bayeux: Financial institutions are most definitely getting into the game. Globally, the largest institutions are compelled to comply with the operational risk capital requirements by their local regulators. These organizations have created robust operational risk management environments. They are focusing on identifying, assessing and quantifying risks, collecting and utilizing loss event data, and determining risk capital.

Hampton: Any other thoughts to share about financial institutions and ERM?

Bayeux: Your treatise of creating two additional risk officers is very interesting and may have some real impact in certain industries. That being said, many financial institutions already have someone performing these functions. Banks have come a long way in assessing their risk and calculate a level of capital to be set aside to cover that risk. However, there is still significant work to be done to bring all of the relevant constituencies together, including strategy, audit, operational risk, insurance risk, business unit leaders and others.