The Future of the CRO: A jack of all trades but overall an enabler.
It is clear that times have changed in the last decennia and that managing risk is looking further then just doing a background check. Something which CRO even today are aware off. If you would ask me being a more business oriented risk manager is adding value for the company as it can not only act as an enterprise wide risk manager but also using the risk information in order to correctly price the risk the company is taken and to make sure that those risks are managed from an overall perspective rather than a contract by contract. In general, the job of a CRO also has changed and the importance has also being reinforced as being directly linked to the board of directors while in the last decennia and in some part of the words the CRO is still not part of the senior management team. On top of that the CRO is facing a series of challenges in the next era. The variation and the number of risks to monitor has been increased alongside with the increasing number of regulations. On top of that the CRO will also have to handle the gaps the company has in finding the necessary resources that is aware of these changes and are qualified. The CRO truly a jack of all trades.
A jack of all trades as a master in nothing?
The name “jack of all trades” has sometimes a negative connotation often as consequence of the fact that the someone that does many jobs cannot do everything in depth as what would be required. A CRO claiming that they are a jack of all trades are often indeed master in nothing. Important for any organization though is spot the right CRO profile for their organization. A true leader which is a people manager with a great deal of people judgement and not afraid of making though decisions. Depending on the mix of skill sets they already have and added with the skill set the CRO bring are the most important things to look at. No a company does need to focus on all risk aspects but a CRO above all should be able to see the big picture and contribute to the revenue not by taking more risk but by asking the correct price for the risk the company is willing to take. Risk management in every organization is done at each level. After all it is said that everyone is a risk manager as the first level of defense lies in the business the company has.
Everyone is a risk manager
It is true that it is said that the risk the organization is taken starts with the identification of the risk rather then managing it. When risk is quantified and transparent it is much easier to take counter measures or taking the risk in accordance with the risk appetite the company is willing to take in its descried strategy. If everyone is a risk manager should there then be one person responsible for the risk in the organization? In a study of the North Caroline State University ERM initiative research publishes that in fact 42% of the companies have hired a CRO. Generally, companies do not begin by hiring a CRO through the creation of a new f ull-time position. Instead, most institutions begin by adding CRO responsibilities to someone such as the CFO. On the one hand side this is wise as the domain of finance and risk should be looked after in an integrated way. On the other hand a CFO often is much more focused on the P&L and contracting then focused on the risk management practices leave alone the time of using these numbers in a business oriented way. But also here the job of a CFO is changing and the CFO and CRO will need to work together to bring the organization to growth and even EBITDA control. The Responsibilities of a CRO however are important and cannot be disregarded. It must be said however that in the financial services industry following the same research as mentioned above large corporations (63%) and Financial services companies (66%) have hired more of such an important role then others. For large companies internal fraud and AML (anti money laundering) as well as operational or reputation risk are of course much more important then in smaller institutions. where everyone knows everyone. On the other hand in the Financial services industry it is logical given the risk management challenges and the regulatory requirements which are increasing within those respective companies.
The Regulatory Challenge
In the Financial services the regulatory challenge is already known and was even reinforced heavily in the last decennia certainly after the crisis in 2008. Looking more broadly it is clear that even in the most known risk space (credit risk) not everyone is sophisticated or is actually using it for their benefit. It can be said that all industries have encountered an increase in supervision. Even when business change is up hand to find the new unicorn in the market it does not take long before regulations are set out. A recent example is for instance the cryptocurrencies which were until a while ago unregulated but where now a lot of governments have taken a stand to tax the cryptocurrency but also are actively looking how it can be regulated. Another example can be found in the so called Fintech companies which have taken some lucrative banking activities but where a lot of banks are pleading now with their regulators to regulate these firms as well. For some sectors like the financial services industry the tsunami of regulations is not over yet. With IFRS 17 and the Basel III finalization piece it is promised that at least to 2021 financial institutions will be occupied in finding a funded answer to comply to all of these regulatory pressures. Regulations are there in many forms and they have been growing at a more rapid pace then an institution can implement it. it is however important that with a higher regulatory pressure the CRO can use this to solve internal risk management issues as long as he has the insight in how regulations are translated practically for the organization.
Using what the company has to do in something they want to do.
The downside of every regulation is that as an organization you have to comply. A strategy could be to do this at the lowest cost. A smart CRO for me is someone that interpret the regulations in such a way that it not only looks at the cost but also how these requirements can be used within the improvement of the internal risk management. Stress testing for example is something that around the world is asked for regulatory purposes but for user is interesting for a CRO as it can use this to see the impact of big contracts and pipeline transactions as well as to identify a risk and reward balance for their company. Within the Financial services industry this even goes beyond just that as many regulatory requirements are there from a regulatory perspective but representing internal risk management practices. An example could be the Liquidity coverage ratio. Many banks have this measure already internally and have perfected it for their portfolio and for their business and is not necessary the regulatory ratio. Of course it become more important to see if the internal risk management practices and regulatory requirements are met and using the same inputs to manage the regulatory and internal risks within the institution. An example in the leasing industry is for instance the calculations required in IFRS 16 which gives an indication on the net worth of a leasing contract in correspondence with the underlying asset and implied discount rate needed from a regulatory view. Internally the margin of the leasing contract is taking into account the same cash flow expectations adjusted for the value of the underlying asset and the credit risk of the counterparty. In addition to this the reinvestment risk can be studied. The fact if someone will rent or lease the underlying asset or it would be idle waiting to be used. A last example in the energy sector cis of course the market risk of energy products and the hedging of different market factors and prices. It can also be observed that not only the CRO needs to look at a certain counterparty for a certain contract but also look at the counterparty and services on a more global basis. Although we live in some uncertainty in some countries around free trade in general the access to markets from business perspective has been eased in the last decennia and by consequence a more global view from a group CRO is required.
Think global act local
The CRO responsibilities should include — even disregarding if it is a group CRO or a CRO of a national company — a constant view on the global demands on the different risks, regulations and business drivers. The time that risk management was limited to the own company and the counterparties has been long gone. Looking at all the risk and business elements across all internal, market and legal aspects has become important. In particular, but not limited to companies that act across country or continent boundaries need to have a global view. What are the risk of doing business in a certain country but also what is the revenue we would get globally of having operations within that geography. Overall the approach and strategy should be set out on a global basis but the impacts, pricing and approach should have a local touch. Therefore it is important that a CRO in particular has experience and can interpret different cultures and business models across the world. Have global enterprise view but has the capability in translating and managing this with a local touch. In addition to that is to take the local requirements but also regulations into account and take action to adjust the local strategy when required. Of course no one has forgotten the Barings bank debacle what could happen if you let a branch go off without any global analysis. It is clear that risk management on its own requires a skillset but the value of this skillset is measured as these risk elements can be used to maximize the business value. After all everyone is a salesman.
Everyone is a salesman.
A cliché that is it for sure but every sales kick off of every company in the world is mentioning it, everyone is a sales. Maybe there is some truth in this in the context of the CRO responsibilities. The CRO should be actively be involved in making the business certainly for large clients. Why? Well the concentration risk is maybe one side of the story which is easy to identify given it is a significant client. On the one hand side as mentioned before determining the price of the risk on the other hand a unique instrument to join the sales team in explaining to the clients why a certain contract value needs to be asked. Of course price is not only determined by the price but also about the value of the asset or service which is sold and the market conditions. Assuming that clients have an idea for rational it can be important that the elements that drive the price and the risk that are taken can be communicated as this will gain trust of the counterparty. Even more important is that the CRO also internally can explain why certain contracts should not be done to keep the company also long term from harm and by consequence contribute to margin and support the business. Overall the CRO should not be seen as an opposite to the Finance or business department even not as a supporting department but as the one that helps making the business. Of course this requires the CRO to manage the different kind of risk. Depending on the business it is of course important to understand the different nature of risk within a contract. A CRO cannot be an expert in every kind of risk so he/she needs to base the overall judgements on known measures and qualitative reports from the risk management team. Making sure the whole risk management has the necessary skillset the CRO will need to be able to trust and gather the risk managers to complement him/herself to complete all regulatory and internal management tasks to create business value.
So what determines the CRO?
Is there something as an ideal CRO? Should it be the almighty person? The Master of everything? If you ask my opinion he/she should be the enabler. The enabler of the business. The enabler of a transparent communication. The enabler of a great risk-reward balance. A leader that steers a team and the company. A leader which understand the organization and its key drivers for success and contributes to it. A risk manager that understands risks and regulations not always as negatives but turns this into an opportunity which drives business. It is person which not only the management but clients are willing to deal with. It is person that is not owning the different risks but empowers people throughout the organization to understand which risks versus rewards they are taken. A CRO is not a controller but acts like an executive which inspires. In the first place a person that drives strategy and enables business. In short a CRO enables.
Note: the article mentions the personal views of Jeroen Van Doorsselaere and does not necessarily present the views of the companies and institutions where he has worked with. For sake of the article pictures were added but can be removed if there are any rights bound to it. pitures were taken from following websites (www.fastprojectplans.com,www.wordpress.com, Bayer solutions,www.deloitte.com,Pinterest,Marcheadvisor.com,Yong and yang living)