Michael Hofmann’s job didn’t exist in January. In February, Hofmann became the first chief risk officer (CRO) of Wichita-based Koch Industries Inc., a privately held diversified energy company. His title gives him oversight responsibility for several risk-related areas that had previously been kept separate, from property-and-casualty exposures to foreign-currency exchange, commodity price fluctuations, credit risks, and reputational exposures.
“My job is to pull it all together,” he says.
The new CRO joins a small but growing list of executives occupying this emerging corporate position. Chief risk officers aren’t exactly taking the business world by storm, but they are finding a niche as companies migrate toward enterprise risk management, the activity taking up much of Hofmann’s time. “We’re building the capability internally to identify all risks, analyze and quantify them, and then determine the optimum means of mitigating, absorbing, or transferring them,” he explains.
Enterprise risk management veers sharply from traditional risk management, in which different company departments are given the task of managing different risks. The custom is for insurance risk managers to mitigate property-and-casualty exposures, treasurers to ride herd on finance risks, internal audit to manage compliance issues, desk traders to hedge market risks, and so on. Rarely is there any sharing of risk knowledge or strategy in this so-called silo approach. Not only do these overseers analyze risks differently, they often use different tools for risk transfer — a mix of traditional insurance, counterparty trades, derivatives, and alternative risk-transfer methods.
Even the jargon differs from silo to silo. That’s why Hofmann sees a common language for risk as indispensable to enterprise risk management.
“At this point, we’re working to apply our state-of-the-art trading-risk framework to all other aspects of our business by using common definitions of risk and a common way to measure or quantify risks,” he says. “When that’s done, we will decide on an ongoing basis which risks to keep and which to transfer. Then we can effect the transfer through our trading desks, financial markets, insurance carriers, integrated risk policies, OTC [over-the-counter] transactions, or a contractual transfer to another party entirely.” Pulling all this together will take at least two years, he estimates.
Hofmann isn’t alone in his endeavor. Regulatory pressures, particularly capital adequacy, allocation, and accountability issues, are compelling many companies to get a firmer handle on risk. A number of those companies are designating CROs or forming multidisciplinary risk oversight committees to effect enterprise risk management strategies. By managing the entire risk portfolio under one umbrella, they ensure that a rigorous, consistent risk management process is applied throughout the entire organization.
Tearing Down Walls
While Hofmann is building this capability internally, other CROs are working closely with insurance brokers, accounting firms, and risk management consultants to lead the way, a process that generally takes at least two years to reach fruition. The effort is worth it, advocates say. By tearing down the walls separating the management of risks, CROs have discerned undue risk concentrations within the portfolio of risk — exposures that may seem small on an individual basis but are dangerous in sum.