The CRO: a species at risk: the position of chief risk officer is struggling to find a niche within many organizations. Beyond a few sectors, notably the energy and financial services industries, the need for a CRO is still hotly debated

Risk & Insurance, Sept 1, 2004 by Lawrence Richter Quinn

Thinking of becoming a chief risk officer? Here's some advice: Forget it. You don't have time for the pain.

The CRO position, created only a few years ago at a handful of companies, is in danger of becoming irrelevant outside of two or three industries, most notably insurance, energy and banking.

Certainly, the number of CRO positions isn't increasing. In fact, the opposite appears to be the case. At best, some companies are appointing de facto CROs without the benefit of the C-level designation--usually an executive who has been designated "vice president" of risk, possibly with other responsibilities attached.

What's more--and far more important--those who have the title are in danger of losing their direct reporting relationship with the CEO and their "dotted line" relationship with audit or finance committees. Instead, they're being told the CFO is their boss. In effect, it's becoming an unequal relationship between C-level appointees and the CFO is winning this battle.

AN EMASCULATED POSITION

That's making it more difficult for CROs to fulfill their mission, which many say is to assure boards that the company has a grip on all the risks it faces and that the firm has appropriate policies in place for managing them.

What's the danger? That future risks will be poorly handled? That stakeholders will get exactly the opposite of what they've been promised? That companies may be opening themselves up to Sarbanes-Oxley Act liabilities?

There's no question that the designation C-R-O--and those who hold it--are in trouble. The reasons are many: competition with the CFO, weak support from boards, poorly defined missions and tuN' battles with line managers resentful of a new third-party C-level executive.

Finally--and perhaps most lethally--the question of who is qualified to fill the position is a debate raging among corporate executives, consultants and academics following the issue.

"There are different issues trying to bring a CRO in, issues about carving out a new slot within a corporation," says Bob Anderson, executive director of the Washington, D.C.-based Committee of Chief Risk Officers and former CRO of El Paso Energy. "In theory, the CRO is the peer of the CFO, and the CRO has a 'dotted line' relationship to the audit committee. But that's not always the case."

To be effective, CROs need the ear of the audit or finance committees, Anderson says. Adds Don Mango, CRO at GE ERC: "Appointing CROs can be a little bit like putting the cart before the horse. You can have a very effective enterprisewide risk management program without a CRO. And you can have a CRO who leads an ineffective risk management program. If the person is cosmetic, that person is going to struggle."

Some executives worry that some boards may be appointing CROs simply as a highly public and visible means of fobbing off their risk management responsibilities without supporting the position after it's created. One of the more well-known CROs, Richard J. "Rick" Machold, vice president and CRO of Atlanta-based Certegy Inc., suggests as much.

"The board cannot abdicate its responsibility," says Machold. "Ideally, the CRO is a mechanism that affords the board and audit committee unfettered transparency into the risk profile of the business. But he or she may not be able to do that."

Others agree that board access is crucial, although not necessarily provided. "CROs really need a senior-level sponsor at the board level and a senior-level sponsor at the executive level. You need commitment and resources," says James Lain, president of Boston-based risk advisory firm James Lain & Associates, former CRO of Fidelity Investments and author of Enterprise Risk Management: From Incentives to Controls.

Hawkish board members and executives sin]ply believe that a CRO should never be appointed and that they may well be detrimental to the health of a publicly held corporation.

"You know who a company's chief risk officer is?" says P. Richard Hackenburg, vice president of insurance services at risk-management advisor FOJP Service Corp. in New York and a former senior executive at insurance broker Willis. "It's the chairman of the board. Someone else serving as the CRO is a bunch of hooey. At the end of the day, the office of the CRO is all irrelevancy."

"Risk management starts with the CEO. It needs to be imbued throughout the organization," says Warren Batts, retired chairman of Chicago-based Premark International and an adjunct professor at the University of Chicago's school of business.

John O. Whitney, who sits on the board of Princeton, N.J.-based Church & Dwight (maker of Arm & Hammer products), as well as other boards, says CROs just aren't worth paying for. "If you have a huge multidivisional enterprise, you might want someone who pays attention to that, but I wouldn't want to add to the overhead," he says.

Many believe that making the CRO report to the CFO kills the effectiveness of the position, particularly without the direct relationship to the board.

"I've written numerous times about the necessity of any organization having a single independent leader or coordinator for the risk process, but I'm not sure that any one title is required, says H. Felix Kloman, editor and publisher of Lyme, Conn.-based e-newsletter Risk Management Reports. "I do believe that the leader should have direct access to both the CEO and board. An individual who reports, for example, to the CFO is limited in what he or she can accomplish."