The role of the chief risk officer (CRO) is a relatively new phenomenon in business. In the banking world in the early 1990s, the term was applied to managers who were in charge of a middle and back office that combined credit, market, operational and liquidity risk. The term served not only to personify a more consolidated view of the previously siloed risk management function, but also to elevate the importance of risk management to an executive level.
The CRO role is also becoming more prominent in corporate circles. One of its early proponents was Thierry Van Santen, who heads the business risk division of France-based food group Danone and is an executive member of the Federation of European Risk Management Associations (FERMA). “My role in implementing an enterprise risk management (ERM) programme is to be a leader of the risk management process throughout the organisation and to help identify any risks or vulnerabilities that could affect the company’s strategy,” he says.
It has been an evolution that began 15 years ago, he says. “In the beginning it was an old-fashioned operational risk programme that relied predominantly on insurance. And then in 1998 we looked at implementing an ERM programme throughout the company.” The objective was to create value and opportunities through one clear principle: if you can identify and manage all of your risks, you can exploit all of your opportunities.
“Business is so complex these days for companies operating on a worldwide basis that you need all the managers on every level understanding their risk and adopting a consistent approach so as to optimise the risk-taking process.”
For FERMA members that have taken on the CRO role and are adopting an ERM programme, the communication between these managers is achieved through an established risk charter and a series of departmental risk maps. The risk maps are regularly updated through a series of meetings and reviews with both regional and branch teams. The information garnered from the meetings and the risk maps is then communicated upwards by way of various committees.
Updating risk maps
The updating of the risk maps is based on linking the risk management process to the company’s strategic objectives, he says. “You need to understand your risk and weaknesses to implement a new strategy.” Similarly, if the company embarks on a new business venture or if there is change of management, the risk maps will be updated accordingly.
How is the CRO role viewed by most organisations? “There are two types of companies employing CROs,” says Mr Van Santen. “There are those that are implementing it as part of a compliance process, which is the worst scenario (in effect, they are dealing with the downsize side of the risk only). Then there are those that see the CRO as a way of generating profit for the organisation and creating a consistent and truly enterprise-wide view of risk.”
At many corporates, the CRO will be from an operational or insurance-based background; at others the role is seen as an extension of the chief financial officer function. For firms that want to adapt a truly enterprise-wide risk management programme where risk and reward are equally visible to all, where does Mr Van Santen see these two paths meeting?
In search of true ERM
The finance department has always been heavily involved in the financial risk management of an enterprise, he says, whether it be the movements of currency rates, treasury management or the trading of commodities. But that does not mean that it should operate in isolation from other departments, just as terms associated with financial risk management, such as value at risk, can be applied to other areas of risk. “A true enterprise risk management process will ensure that, whichever department is involved, finance or supply chain management, the same process is used,” he says.
From which departments and disciplines are CROs of the future likely to come? Is it becoming more of a financial role or are the traditional operational risk managers likely to assume the mantle?
“Increasingly, we are seeing CROs coming from a general management background,” says Mr Van Santen, which underlines how much of a communication role it is. Nevertheless, there is still some way to go before the CRO becomes an accepted part of every organisation, he adds. “In our last FERMA survey of 2006, only 20% of companies had a CRO. I would like to see that figure closer to 80% but I think the job has to mature before we reach that point.”
