C-suites gaining another member: increasingly, larger companies are naming a chief risk officer to oversee complex risk management strategies. Financial Executives Research Foundation (FERF) looks at this evolving role and who is filling it.Faced with challenges created by terrorism, corporate scandals and regulations such as Sarbanes-Oxley or Basel II Basel II is the second of the Basel Accords, which are recommendations on banking laws and regulations issued by the Basel Committee on Banking Supervision. The purpose of Basel II is to create an international standard that banking regulators can use when creating regulations , corporate governance Corporate Governance The relationship between all the stakeholders in a company. This includes the shareholders, directors, and management of a company, as defined by the corporate charter, bylaws, formal policy, and rule of law. and risk management has received increased focus over the past few years. Part of this focus has included the creation, or enhancement, of the role of chief risk officer (CRO). But the role still isn't common, and at companies that do have one, the question remains--just who is the CRO? Based on recent Financial Executives Research Foundation (FERF FERF Financial Executives Research Foundation FERF Far End Reporting Failure FERF Far End Receive Failure ) research, the answer is: it depends. [ILLUSTRATION OMITTED] According to according to prep. 1. As stated or indicated by; on the authority of: according to historians. 2. In keeping with: according to instructions. 3. Brendan Burnett-Stohner, vice chair of Christian & Timbers LLC (Logical Link Control) See "LANs" under data link protocol. LLC - Logical Link Control , an executive recruiting firm, the CRO role has largely developed during the past four years. One of the reasons, she says, is the recent consolidation of the banking industry, which has seen many regional banks being absorbed by larger entities. CROs from financial services The examples and perspective in this article or section may not represent a worldwide view of the subject. Please [ improve this article] or discuss the issue on the talk page. have a "perfect profile," she says, which includes: review of banking regulations, participating in annual Securities and Exchange Commission (SEC) meetings, working with credit rating agencies Credit Rating Agencies Firms that compile information on and issue public credit ratings for a large number of companies. , overseeing and defining risk management policies in compliance with Sarbanes-Oxley and Basel II, meeting with major investors and responsibility for internal controls. Broadly speaking Adv. 1. broadly speaking - without regard to specific details or exceptions; "he interprets the law broadly" broadly, generally, loosely , the CRO typically reports to the CEO (1) (Chief Executive Officer) The highest individual in command of an organization. Typically the president of the company, the CEO reports to the Chairman of the Board. or CFO See Chief Financial Officer. , acting as champion of the company's enterprise-wide risk management (ERM (Enterprise Relationship Management) An umbrella term with many shades of meaning over the years. It may refer to the management of information from any or all of an organization's customers, suppliers, business partners and employees. ). According to the 2003 Overview of Risk Management report from the Casualty Actuarial Society The Casualty Actuarial Society (CAS) is a professional society of actuaries. Its members are mainly involved in the property and casualty areas of the actuarial profession. , the ERM organizational structure  This article has no lead section.To comply with Wikipedia's lead section guidelines, one should be written. (such as the CRO, the CRO's staff and the risk management committee) should be accountable and have the authority to be a change agent. "Senior sponsorship needs to be high enough in the organization to have a top-level view of all the risks facing the enterprise, see across all organizational 'silos' and have sufficient authority to effect changes in business practice," the report states. Burnett-Stohner's sense of the timing of the CRO emergence dovetails with that of two Tillinghast-Towers Perrin consultants, Jerry Miccolis and Charles Lee Charles Lee may refer to:
"The relatively small number of organizations that have taken the step of appointing a CRO suggests that it is not a trivial matter," Miccolis and Lee added. "The problem has been determining just what this new creature should look like. That is, what's the right role, the right responsibilities and the right competencies for a CRO? "Moreover, there is a wide variety of disciplines from which CROs come. According to our surveys, they are auditors, actuaries, financial engineers, strategic planners, lawyers, investor relation specialists, line operation managers, hazard risk managers--even HR specialists." CRO profiles The questions about what is the right role persist, but Burnett-Stohner provides three basic CRO profiles used in most companies. The first, and broadest, is one in which the corporate risk chief is responsible for enterprise-wide risk management. This structure is comprised of teams of people who reside in each business unit. Each team reports to the CRO and the business unit head and is responsible for managing all risks--from operational and market to financial risks. This type of CRO would also have business continuity planning Business Continuity Planning (BCP) is an interdisciplinary peer mentoring methodology used to create and validate a practiced logistical plan for how an organization will recover and restore partially or completely interrupted critical function(s) within a predetermined reporting to him or her and have a budget for management information system development, instead of relying on business unit budgets. The more complex a business, she says, the more likely a company will have an enterprise-wide risk management program with a more powerful CRO who reports to the CEO and audit committee (or to the risk committee that is typically a subset of the audit committee). In cases such as Ford Motor Credit Co., Bank of Montreal “BMO” redirects here. For the mathematics competition, see British Mathematical Olympiad. Bank of Montreal/Banque de Montréal (TSX: BMO, NYSE: BMO) is Canada's fourth largest bank[1], and is classified as a Domestic Chartered Bank (Schedule I). and Charles Schwab Charles Schwab can refer to:
The second type of CRO is one that manages enterprise risk "through influence." This type of risk chief will not have direct report staff, but instead will monitor risks by developing relationships with business unit leaders. For example, Burnett-Stohner says, Bank of America
Bank of America (NYSE: BAC TYO: 8648 ) is the largest commercial bank in the United States in terms of deposits, and the largest company of its kind in the world. Corp. first defined its CRO role based on this profile. Over the past 18 months, she says, its risk chief has built a support team, making the CRO role a broader one. The third category of CRO is one who reports to a company's CFO. Depending on the company, this person may or may not be responsible for enterprise-wide risk management. Though Burnett-Stohner prefers the first CRO profile, she acknowledges that for some companies, this more limited structure is appropriate. Regardless of the structure, she says that many companies--among them Continental Airlines Inc., Cargill Inc., The Coca-Cola Co., Louis Dreyfus Global and Tyson Foods Tyson Foods, Inc. (NYSE: TSN) is an American multinational corporation based in Springdale, Arkansas, that operates in the food industry. The company is the world's largest processor and marketer of chicken, beef, and pork, and annually exports the largest percentage of beef Inc.--have a CRO. The prevalent use of derivatives and commodities within the energy and financial services, insurance and food industries tend to aggregate risk management and lead to creation of more chief risk officer posts. A 2003 survey by PricewaterhouseCoopers found that 57 percent of the 44 insurance companies sampled had a CRO who reported to the board of directors. The Story at The Williams Cos. For example, at The Williams Cos., a $12 billion energy company, Andrew Sunderman, vice president and chief risk officer, is responsible for strategy and analysis of commodity and credit risk, and for the development of risk management strategies involving capital allocation decision-making for the company's three non-regulated businesses. (The company has four businesses--natural gas exploration and production, midstream mid·stream n. 1. The middle part of a stream. 2. The part of a course that is neither at the beginning nor at the end: the midstream of life. Noun 1. gathering and processing, gas pipeline and power. The regulated gas pipeline business is not overseen by Sunderman, though individuals within that business are responsible for credit risk management.) His duties focus on researching, analyzing and communicating risks--as well as decision-making--within these three businesses. He also interacts with treasury, since derivative use requires ongoing liquidity management and forecasting. Based on his experience on the board of directors of an industry-wide committee of CROs, he says his role is similarly structured to those at other companies, particularly in the energy sector. Williams' CRO role, created in July 2003, was envisioned as a strategic tool to help the company grow share-holder wealth, rather than in reaction to terrorism, corporate scandals or new regulations. Sunderman reports to the corporate CFO of Williams and also works with each business unit CFO. This structure calls for the CRO to report findings to the company's risk management committee, comprising a group of senior executives to whom Williams' board has delegated authority Delegated authority is an authority obtained from another that has authority since the authority does not naturally exist. Typically this is used in a government context where an organization that is created by a legitimate government, such as a Board, City, Town or other to manage credit and commodity risk (the CRO chairs the committee). Risk reporting is also integrated with the company's existing Sarbanes-Oxley 302 and 404 processes. Because Sunderman is also CRO of Williams' power business unit, he has a unique understanding of overall risks relative to the consolidated financial statements Consolidated Financial Statements The combined financial statements of a parent company and its subsidiaries. Notes: Because consolidated financial statements present an aggregated look at the financial position of a parent and its subsidiaries, they enable you to gauge . [ILLUSTRATION OMITTED] Newer Risks to Manage In Burnett-Stohner's experience, approximately 60 percent of companies with a CRO either combine the chief credit officer (CCO (Chief or Corporate Compliance Officer) The executive person in charge of compliance issues, regulatory requirements, internal controls and managing audits within an enterprise or organization. ) duties with CRO duties or call for the CCO to report to the risk chief. For the remaining 40 percent, the two function as peers. For Williams, however, credit risk is managed at the business-unit level because the company determined that there was no strategic need to consolidate this function. Operational and environmental risks are also managed within each unit, while insurance coverage is managed separately by another internal group. Ruud H. Bosman, executive vice president at FM Global, a commercial and industrial property insurance company, says that the global focus on corporate governance in the last five to seven years has resulted in companies trying to manage newer risks in conjunction with more traditional risk. FM Global typically works with risk managers rather than CROs, says Bosman, to help them identify risk exposures, devise loss prevention and control solutions and provide insurance to help minimize the overall financial impact of a loss. [ILLUSTRATION OMITTED] "How risk management is delegated within an organization will depend on the company," he says, "but from my perspective, risk management starts with the company's CEO and board of directors having awareness of business risks. The presence of the CRO is not as important as the fact that a company's leadership should deal with risk in whatever shape or form and make [informed] decisions. At the end of the day, [risk management] really is an issue for which the board of directors and CEO need to take the lead and be specific about what should be done." Sunderman agrees. "Any company that wants to allocate capital properly needs to analyze and understand risk--whether or not a company chooses to do so with a CRO will depend on facts and circumstances." He suggests that when there are risks common to multiple business units, a company may want to consider aggregating risk management. "It is the responsibility of business unit leaders, who are responsible for investing capital to price and manage risks," he says. "[A CRO may be] prevalent in certain industries because of involvement in the derivatives market The derivatives markets are the financial markets for derivatives. The market can be divided into two, that for exchange traded derivatives and that for over-the-counter derivatives. . A company can manage its own commodities and related risk at the entity level, but hedging commodity risk through the use of derivatives may result in overpaying. Since derivative use is an integral part of Williams' business, the company's strategy is to consolidate derivative risk management at one level." [ILLUSTRATION OMITTED] Ideally, says Burnett-Stohner, a company should strive to integrate risk management into each person's job so that all consider risks as part of their everyday routines. For those companies that opt for a CRO role, she says, the current trend is to fill the slot from the ranks of line business leaders--people who are used to managing risk in every iteration all day, every day. "When we're looking for Looking for In the context of general equities, this describing a buy interest in which a dealer is asked to offer stock, often involving a capital commitment. Antithesis of in touch with. CROs," Burnett-Stohner says, "we frequently go to energy companies and commodities trading. Going for line business management is tough, though, because it may be a step down [in position]." That means, she says, that companies have to pay appropriately and provide the opportunity for a candidate to have "a larger role down the line." Cheryl de Mesa Graziano, CPA (Computer Press Association, Landing, NJ) An earlier membership organization founded in 1983 that promoted excellence in computer journalism. Its annual awards honored outstanding examples in print, broadcast and electronic media. The CPA disbanded in 2000. (cgraziano@fei.org), is Director of Research at Financial Executives Research Foundation. Raj Aggarwal, Firestone Chair in Finance/Business at Kent State University, is also a FERF Trustee. RELATED ARTICLE: takeaways * The chief risk officer role is a relatively new one, and there are several different models that companies seem to be choosing from. * There is no one discipline that the risk officers draw from, though increasingly they are being recruited from line management positions. * Some CROs report to the CFO, others to the CEO or the board of directors. The more complicated the risk management, the more prominence the position has. * Companies in energy and financial services, insurance and food industries, with their heavy usage of derivatives and commodities, have tended to create CRO jobs. |
|
||||||||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion