Cover Story
and they know us.”
Koch is no different from any company, private or not, financial or other, that must define a risk appetite that fits its business mix and strategy. Says McKinsey’s Buehler, “You don’t want a ‘Dr. No,’ but just as bad is having a CRO who never says ‘no’. Both lead to poor outcomes.”
“How do senior risk officers strike a balance between the twin roles of ‘compliance champion’ and ‘business partner’?” asks Harvard Business School post-doctoral fellow Anette Mikes in research published in the Journal of Risk Management in Financial Institutions last August. Mikes, also co-author of “Beyond Compliance: The Maturation of CROs and Other Senior Risk Executives” in the November/December 2007 GARP Risk Review, tracked senior risk officers at 15 international banks from June 2006 to June 2007, a period that provides, as she puts it, “a snapshot of the calm before the storm.”
the CEO and is more an adviser than a policeman.
Mikes found that “the role of CRO’s had expanded dramatically, with more than half of them frequently involved in firm-level strategic decisions.” However, she goes on, “in the majority of these banks . . . various compliance and risk modeling initiatives were still works in progress at the onset of the market turmoil. CROs voiced divergent views on the uses, benefits and limitations of risk models,” she wrote, adding, “strategically involved CRO’s interpreted the ‘business partner’ role of their function differently. Some risk functions aspired for an influential expert voice in key business decisions, while others strived for the formal integration of risk management with performance management.”
Risk management programs and CROs, like financial risk models, clearly aren’t of the one-size-fits-all variety. So, with the benefit of hindsight, and insights gathered during these very challenging times, what are some of the things companies can and should do to either get or keep their risk management programs on track and to support their risk professionals?
Deloitte’s Edward Hida, global leader for risk and capital management and a partner in the regulatory and capital markets area in New York, lists four main areas companies need to address: governance and risk oversight; balancing risk and reward; building risk capabilities; and transparency and disclosure.
With regard to governance, corporate boards need to “clarify” their oversight roles, Hida suggests. A number of industry experts agree. They say boards need to have more of a presence when it comes to risk expertise, setting up risk committees if they don’t have them already.
Many boards are “not well organized to provide effective risk oversight,” Lam says, when it comes to governance structure and risk management expertise. They might not have a dedicated risk committee, or don’t spend enough time on risk management issues. They are often not well served, he says, with respect to the right risk policies, defined risk tolerance levels and useful reporting. Lam advocates that boards add risk management expertise to their ranks, which he stressed is different than financial expertise.
A typical board doesn’t understand the extremely complex risks financial institutions are taking, says RiskMetrics’ Gregg Berman.
“The types of risks that financial institutions are taking are
extremely complex,” points out Gregg Berman, a co-head
of the risk management unit of New York-based RiskMetrics Group, which was spun out from JPMorgan & Co. in
1998 and went public last year. “A typical board of directors
doesn’t understand them,” says Berman.
For the most part, experts are in agreement that CROs
should report directly to CEOs, with a so-called dotted line
to the board.
Lam notes, however, that there is another, controversial
conversation taking place on this subject: Should CROs have
a straight line of reporting directly to the board? This would
be for cases where companies are taking on too much risk, or
that involve reputational or regulatory risks. Adds Lam, who
has written in detail on this issue in a white paper, “Where
was the outcry? Why didn’t we hear about chief risk officers
going directly to the board, or quitting out of protest given
what was happening on their watch? I believe a central issue
is the continued lack of true independence of risk management.”
Many industry players single out the old JPMorgan as a
www.garp.com
FEBRUARY 2009 RISK PROFESSIONAL 15