Deloitte has a new study out this week on the importance of corporate risk management systems. It finds that companies spending more on risk management — investing more dollars, embedding risk management principles across the whole enterprise — tend to fare better than their rivals.
That’s not news to internal audit executives or directors of risk management, who usually are the closest thing most companies have to a chief risk officer. And on that point, Deloitte’s study also talks up the idea of companies naming a chief risk officer: someone who reports directly to the board, responsible for risk management across the enterprise.
“Many organizations have, to varying degrees, upgraded and restructured their risk management functions, yet there’s ample opportunity for continued improvement,” Chris Ruggeri, a practice leader for Deloitte Risk and Financial Advisory, said in a statement accompanying the report. “We found that the lack of awareness of risks, particularly strategic risks, and leaders not using the tools available to manage them, can greatly undermine the achievement of strategic goals.”
Ruggeri’s point is certainly valid. It correlates to other conversations I’ve had and studies I’ve seen in the internal audit field, where boards clearly want to pay more heed to strategic or emerging risks. So what’s the proper amount of leadership attention that should be devoted to risk management? Should companies appoint a CRO?
We’ll revisit those questions in a moment. First let’s look at what Deloitte’s survey (of 500 senior executives across a range of large or mid-sized U.S. companies) actually found.
Stronger risk programs correlate with faster growth. Companies with compound annual growth rates of 5 percent or more were more likely to describe their risk management programs as “highly integrated” with operations. Those with CAGR below 5 percent were more likely to describe their risk management as somewhat integrated or isolated.
Risk management is becoming more important. Just about every Deloitte survey respondent said risk management will become more important to achieving strategic objectives in the future. The chart below, however, shows one wrinkle: chief risk officers included in the survey were less likely than other executives to say risk management will become much more important (the navy blue portion of the circles).
Why? Presumably because if your company already has a CRO, it takes risk management seriously today. Those other survey respondents might be at organizations still struggling to catch up.
Plenty of companies still don’t have a chief risk officer. Deloitte said nearly 50 percent of the companies it surveyed already have a chief risk officer — which also means that a majority of surveyed companies didn’t. And in firms that don’t have a CRO, the person who is responsible for risk answers to all sorts of people; no clear standard for a reporting structure exists. See chart at right.
Those are some potent and interesting statistics, and the Deloitte report has many more. They raise the questions we mentioned above: What’s the proper amount of leadership attention that should be devoted to risk management? Should companies appoint a CRO?
Enter the Chief Risk Officer?
First, let’s be specific. CROs are already standard issue in the financial services world. They descended from earlier generations where risk management was more about limiting financial risks from investment plans that might go south. Over time the role has expanded to include credit and liquidity risk as well.
That’s not what Deloitte means here. In this context, “chief risk officer” is more about someone to oversee management of all enterprise risks — financial, regulatory, operational, privacy, and whatever else comes to mind. The CRO exists to ensure that the company knows what the risks to achieving its objectives are, and that the company has methods in place to keep those risks from growing too large.
This definition of a CRO has kicked around for at least 10 years (I first heard it before the 2008 financial crisis), but never quite caught on. For example, I’m still unclear on the difference between a chief risk officer and a head of internal audit. After all, the internal audit profession is tilting toward new duties, where audit (thanks to sophisticated data analytics capabilities) helps operating units find ways to monitor and manage risks more effectively.
So how would that be different from what a CRO does? Or would the CRO do that, while audit sticks to its traditional role of objective assessment of controls and risks? (I look forward to audit devotees emailing me with their views.)
On the other hand, remember our second question above: What’s the proper amount of leadership attention that should be devoted to risk management?
That answer seems to be an unequivocal “more.” The true question is whether senior leaders have elevated risk management to its proper place, given how much trouble poor risk management can cause.
For example, how many times has a marketing team launched some clever online campaign before assessing data privacy or reputation risks? How often has accounts payable changed its payment cycle from 30 to 60 days, without assessing the risk that key suppliers might bolt? We could go on and on.
I don’t doubt that those business functions try to be aware of risk as they pursue their objectives. The crucial issue is whether they manage those risks in a disciplined manner, to avoid making mistakes.
CRO, VP of audit, director of enterprise risk management — give that job whatever title you want. Boards and senior management need to empower that person to do the job well. That’s what matters most today, and will keep mattering most tomorrow and beyond.