In today’s new era of permanent volatility, the CFO–chief risk officer partnership can promote a more effective, integrated approach to risk management, while driving further strategic and operational efficiencies in a company. That, in turn, helps to make companies more agile and able to retain and attract talent.
A strong CFO-CRO partnership can be the foundation for a risk-management initiative designed to align global strategy with risk, make the best use of data and analytics, and draw on sophisticated tools for coping with unknown and nontraditional risks.
From a strategic standpoint, the collaboration can help companies steer their business to where they can achieve better risk-adjusted returns. Better measurement of risk-adjusted returns can lead to exits from high-risk businesses and the redeployment of resources to areas where there is a better chance of sustained profitability.
A “holistic” approach to risk management — integrating risk and finance — can result in more competence in aligning strategic goals with successful results. Bringing together the skill sets of the CRO and CFO can, from a strategic standpoint, help organizations direct their business activities to exploit new opportunities for growth, while at the same time becoming more resilient. This becomes a competitive advantage for companies and helps them not only to survive the economic condition in their market space but to thrive in it.
Doubting the Need for a CRO
The CEO of Zions Bancorporation, Harris Simmons, however, didn’t believe his company needed a CRO. On April 27, 2012, he wrote a letter to the Board of Governors of the Federal Reserve System to that effect. Simmons argued the company should not be required to have a CRO, even though Dodd-Frank Section 165 states that banks with assets of $50 billion and above should have one.
Wrote Simmons: “While there is an uncontested need for an independent risk management function in large banking organizations, I would urge the Board to allow covered companies a measure of flexibility in determining how such an organization should be structured.”
Simmons further stated in his letter to the Board of Governors that, “In our organization, for example, we currently have both a Chief Credit Officer and an Executive Vice President for Risk Management; each reports directly to the CEO. We have deliberately chosen such a structure because, in a more traditional commercial banking organization such as Zions Bancorporation, we believe credit risk generally constitutes the greatest source of risk to our capital; it has proven, over time, to eclipse all other risks combined.”
He also wrote, “We believe that having the chief credit officer administratively report to the CEO, as opposed to subordinating the credit officer position by having it report to an intermediate CRO, enhances the Chief Credit Officer’s stature and clout within our organization, consistent with the objectives of the proposed regulation. It allows us to have a senior executive who is focused solely on credit and not spread thin by having responsibility for an assortment of other risks.”
What Simmons is not seeing is the value of a CRO in not only protecting the organization’s assets but also improving the quality of decision making. The CRO can lead the discussion of whether the organization has an effective enterprise risk management structure in place and determine if there is a sound assessment of risk-reward trade-offs.
Thomas Stanton, author of Why Some Firms Thrive and Others Fail, notes: “One of the critical distinctive factors between successful and unsuccessful firms in the Financial Crisis was their application of a ‘constructive dialogue’ between those who wanted to do deals, or offer certain financial products and service and those in the firm who were responsible for limiting risk exposures.”
By creating a respectful exchange of views among these “divergent perspectives, successful firms freed themselves to find constructive outcomes that took the best from each point of view,” he writes.
Banking regulators have for several years encouraged banks to adopt an enterprisewide risk-management approach, in which a number of risks are monitored beyond such traditional bank exposures as credit risk and interest-rate risk. Most financial institutions have long had a chief credit officer, since credit risk is an exposure that banks have traditionally paid close attention to. This recent emphasis on enterprise risk management has created the need for a senior-level executive to oversee risk across the entire organization.
The CRO plays an important role in helping to develop and execute an organization’s strategic issues, such as:
• Establishing and communicating the entity’s risk appetite and risk-management philosophy,
• Implementing an appropriate infrastructure of policies, processes, personnel, reports, and systems for managing and monitoring risk, and
• Integrating risk management with strategy-setting and business planning, and establishing appropriate risk reporting to senior management and the board.
The CRO should be able to think strategically, work with operating units to break down business plans and transactions into components of risks the organization is taking on, and recommend ways to improve proposed plans and transactions by mitigating the risks. Other key parts of the CRO’s job include analyzing data and distilling key points to help senior management and the board assess risks in a given situation.
The CRO needs to be both a trusted adviser and a control authority who can articulate the risk and reward trade-offs. The individual should have a sound business and financial judgment combined with problem-solving abilities.
Equally important is that the increasing use of models and quantitative analytics across industries makes the need for core analytical skills crucial. The CRO must be able to accumulate, summarize, and interpret risk reports from business, functional, and assurance units and translate them into terms decision makers will understand. The objective is to improve proposed business plans and transactions so the organization can have a chance at succeeding in creating value for the enterprise while also protecting it.
The CFO/CRO partnership — and the overall integration of risk and finance — can affect management decisions related to risk appetite, entering or departing new businesses, capital sourcing, and other areas. All such decisions can be dependent to a greater or lesser extent upon data quality.
Regulatory Risk Requirements
Further, many businesses outside the sphere of financial services must now report their risks on a nearly real-time basis to regulatory authorities. This can increase the number of points of interaction at an operational level between risk and finance. To reinforce and accelerate this integration, many CFOs and CROs have undertaken a number of initiatives, including:
• Teamwork on data-quality issues. Some organizations have hired a single chief information officer responsible for data-quality issues for both the finance and the risk functions. At other companies, the CRO and CFO meet regularly on a committee that reviews the quality of data.
• Improvements to data processes and systems. There are examples of CROs and CFOs collaborating on major overhauls of corporate data processes and systems, including data-reengineering programs between risk and finance in an effort to deliver greater certainty regarding the accuracy, completeness, and timeliness of data. Some other organizations have worked to develop common data warehouses, so that finance and risk are using the same source of information. Differing data sources can cause delays and may also become a source of unnecessary conflicts in the risk-finance working relationship.
• Joint development of risk and capital models. Risk models are often developed by the risk function, but in close coordination with finance. Data fed into models often comes out of systems created by finance, and outputs from the models can, in turn, influence financial reporting.
• A greater use of risk analytics. More and more organizations are using sophisticated risk analytics, not only to support credit and financial decision making, but to provide a stronger foundation for operational strategy. The risk function often provides analytics services to all functions, including finance, which can further foster integration.
While risk and finance could once afford to rule their own fiefdoms, that’s no longer the case. Improving efficiency can be furthered by the elimination of redundancy in data, processes, and technology. Emerging technologies for accounting rule engines and integrated risk and finance platforms may also ease the integration of data, calculation, and reporting as companies upgrade legacy computer systems during the next few years.
John Bugalla is a principal with ermINSIGHTS and Kristina Narvaez is president and CEO of ERM Strategies LLC.