We have another Radical Compliance podcast to start the week, this time catching up with those folks at Deloitte who recently published a report urging companies to do a more disciplined job with enterprise risk management.
The report, published two weeks ago, surveyed 500 senior executives at large U.S. firms across a range of industries. In that report, Deloitte suggested that perhaps the time has come for organizations to establish a chief risk officer role, where one person is responsible for helping the business to embed risk management in operations across the whole enterprise.
A good idea? Sure; companies that invest more in risk management tend to achieve higher growth over time. But I was fuzzy on the scope of the chief risk officer’s role — especially how this person might interact with the compliance or audit functions, which already do a lot of risk management themselves.
So in this podcast, I spoke with Chris Ruggeri, author of the Deloitte report and a national managing principal at Deloitte’s risk and financial advisory practice. You can hear the full conversation at the top of this post. Meanwhile, I have a few of my own impressions and observations below.
The Struggle Is Real
First, the need for better enterprise risk management is real. As Ruggeri said in the podcast, “There is a general sense that risk management isn’t working well right now.” That’s true. The question is why risk management isn’t working well right now.
One reason, as Ruggeri says, is that risk management principles have been pushed downward into the enterprise. That’s good — but it’s not what boards and executive management committees need in today’s regulatory and business climate. They need risk management stitched across the whole enterprise.
What’s the difference? When risk management is pushed downward, each business function might do a good job identifying, quantifying, and managing the risks to its own objectives. But senior leaders need a holistic sense of all the risks the organization has, so they can understand the threats to strategic objectives and respond accordingly.
For example, a compliance officer might zealously pursue his or her due diligence plans, to the point that sales executives slow the pace of new deals alarmingly. Or perhaps the compliance officer relies on an obsolete regulatory change management system, while the sales department goes like gangbusters with new products for new customers.
Either way, compliance and financial objectives are in tension, and that creates strategic risks for the whole enterprise. Senior managers can’t resolve that tension unless they have a clear, quantified sense of what the whole risk picture is. Better risk management across the enterprise gives them that sense.
As regulators, shareholders, consumers, and other stakeholders expect better behavior from corporations, that need for better risk governance from senior leaders is going to increase. So the more risk management they can establish — in a disciplined way, across the whole enterprise — the better.
CRO Roles and Relationships
I still struggle to understand how you define the role of chief risk officer clearly, so the CRO doesn’t bump into other risk assurance functions — especially the internal audit executive.
For example, Ruggeri says boards want better analysis of risk, including predictive analytics to help the board anticipate and avoid risk. Nobody would disagree with that statement. But… don’t internal auditors try to do that already?
We see endless articles, studies, reports, and opinion pieces that the internal audit function should add value to the enterprise. What’s more, internal audit can add value, because its role is to assess risks and identify ways to reduce them. With the power of data analytics (which audit functions are rushing to embrace as fast as they can), the audit function can build a tool to assess risk, and then let the First Line of Defense business executives use that tool to manage and monitor risk every day.
So could a chief audit executive become the chief risk officer? Probably; the skill set seems similar. Could the internal audit function evolve into a larger risk management function? Possibly, because those two functions seem to have a lot in common right now.
We see hints of that here and there in the corporate world already. In higher education, for example, the fad right now is to consolidate compliance, audit, and risk management functions into one big “Office of Risk Management.” We’ve also seen corporations consolidate audit and compliance into one function, or audit and operational risk management into one function. (Then you outsource the financial audit to an accounting firm.)
Any of that can work, if senior leaders have the collective will to make those plans stick. I suppose my point is this: everyone knows that risk management should be better, and must be taken more seriously across the whole enterprise. So do you invest that power into one specific role of the chief risk officer, or not? And if not, how does the C-suite get that better risk management it needs?
We address all those points in our podcast above, and more. Clearly this is a subject with few proven answers yet, so let me know what you think.