"Only those who dare to fail greatly can ever achieve greatly.”—Robert F. Kennedy
As firms become more complex and interdependent, their risk profiles continue to change—a dialectic that has been exacerbated by the current global recession. The altered environment requires more effective leadership, and a culture and process that focus on the true risk/reward model that is enterprise-wide risk management. In this issue, Mark Adams and a team of consultants from our CEO and Board Services practice and from a cross-section of Russell Reynolds Associates’ industry sectors examine how risk has changed the profiles of key leadership roles.
The Forces At Work
Risk is a fact of our day-to-day lives. In business, it is largely accepted that one must take a certain amount of risk to gain reward. There is, however, a way to optimize risk-taking that enables the conscientious and disciplined achievement of rewards.
Current examples of poor risk management abound, with the entire world now in or headed for a major economic downturn. Whether Wall Street or Main Street, all firms are increasingly vulnerable to poorly managed risk. There are four forces in particular that have combined to make risk even more complicated:
- Globalization—increasingly global markets and economies have broadened organizations’ risks as their reach and market penetration expand.
- Technology—as technology speeds processes, widens access and permeates the entire business, it can be a tool for risk identification and measurement, but may also be an accelerator of contagion.
- Regulatory and Government Involvement—increased government regulation aimed at avoiding systemic risk will ultimately require firms to develop an understanding of, and compliance with, new rules in both mature and emerging markets in order to drive growth.
- Supply Chain—greater complexity and sophistication of global contracts, logistical issues, outsourcing arrangements and stricter inventory management all contribute to increased risk.
Making Sense Of Risk—The ERM Paradigm
Enterprise risk management (ERM) is one paradigm that can be used effectively across industries to identify and address all forms of risk management activity across an entire organization. It is best described as a five-step process involving planning, analysis, solution identification, decision-making and monitoring. The process is deployed in order to head off negative risks and events and to enhance the likelihood of positive outcomes by reducing the variability of initiatives. To that point, Standard and Poor’s (S&P) announced it has started incorporating evaluation of ERM into its ratings of all companies in late 2008, underscoring how ERM is now perceived as a value-added discipline and management best practice.
The Diagnostic Questions
Firms tend to focus on risks they understand best; for example, financial firms focus on market liquidity or volatility as their primary risks, whereas consumer product firms might identify product liability as the exposure with the highest potential to create “reputational” risk.
While the risks may vary, ERM provides a framework that applies regardless of an organization’s core competencies. CEOs and Boards can ask the following questions to bring structure to addressing risk:
- How does the firm's top leadership identify and address known risk?
- Is the firm engaged in businesses it doesn't know and understand very well?
- Is there a mechanism in place that will allow leadership to anticipate areas of risk?
- Has there been a recent crisis in the firm or actions by a peer or competitor that have provoked a change in the firm’s approach to risk?
- Where is the organization in its journey towards risk identification and full ERM?
- How much buy-in is there from the C-suite and Board—especially the Audit Committee—to adopt ERM?
The Role Of The Chief Executive Officer (CEO)
“A pessimist sees the difficulty in every opportunity; an optimist sees the opportunity in every difficulty.”—Winston Churchill
A good title for today’s successful CEOs might be “Captains of Chaos”. The rapidly-changing and ambiguous nature of business requires senior leadership that approaches risk by:
- Viewing risk as an opportunity rather than a constraint—exploiting opportunities that paralyze or deter peers will give CEOs the ability to carpe diem (seize the day) and sustain a competitive advantage.
- Adapting and improvising—no exact blueprint or business plan will last long, and an ability to influence people by providing purpose, direction and motivation will ensure success.
- Executing with speed—leaders must be decisive, focused and a quick study, honing their ability to leverage resources swiftly.
- Exploiting technology—instead of expecting to possess relative technological superiority, technology should be used as a tool to exploit the non-linear nature of business in a chaotic system.
- Delegating and training—to prepare the next level of leadership there is a need to constantly test executives’ abilities by putting them in challenging situations that allow them to think and act under pressure and stress, and to create a risk-intelligent culture where teams are rewarded for innovating both individually and collectively.
The Role Of Chief Risk Officer (CRO) In ERM
In our search for top CROs and Heads of Risk, we frequently advise CEOs on the definition and strategy for the CRO role. More often than not it is a new position. In our experience, success is predicated on getting the following right:
Reporting Relations
The CRO should report to the CEO and be responsible for recruiting and managing a small staff globally, while also stewarding numerous strategic partnerships with internal constituencies and outside General Counsel (GC), Chief Operating Officer (COO), Chief Financial Officer (CFO) and the head of Internal Audit, all of whom should view the CRO role as a complement to their areas of responsibility.
Mission
The goal is to build a thorough and comprehensive ERM infrastructure spanning all parts of the organization and provide a clear and easy-to-interpret real-time interface for senior management regarding all risk-related activity.
Responsibilities of the CRO
Build the philosophical and methodological blueprint for ERM, encompassing:
- Strategic risks: political, competitive, compliance, governance, reputation, macroeconomic
- Operational risks: technology & operations, supply chain, business continuity
- Financial risks: investments, financing, legal/liability, counterparty, systemic, FX
- Hazard risks: traditional insurance, fraud, theft, pandemic, terrorism
Coordinate with senior management and peers to adapt and integrate future business plans to the redefined or new risk management framework.
The ideal CRO profile
Qualifications
- Relevant business experience, ideally within the firm’s industry, but often experience with an analogous industry with a similar risk profile offers a broader perspective on risk at the top.
- Experience in as broad a set of responsibilities as possible, especially in operations, finance and/or legal. This is as important as time spent specializing in risk management and ERM.
- Global experience with resultant cultural astuteness. The CRO should be savvy and pragmatic about how to realistically effect change in a growing, global organization.
- Track record of successfully using education, technology and communication to align the company and management with the goals and policies the candidate is charged with managing.
- Successful use of technology as a tool to implement policies and to inform and educate managers on responsibilities and success/progress.
Personal and Professional Competencies
- Judgment—ability to make decisions that balance a variety of factors (e.g. cost of risk, short vs. long-term impact) to achieve an optimal outcome
- Vision—ability to anticipate future business risks and develop strategies to address them.
- Development and leveraging of relationships—ability to create and cultivate networks of people across a complex matrix organization and use relationships strategically to accomplish objectives
- Analytical skill—possession of strong quantitative, forecasting and analytical skills and a deep knowledge of risk management
- Effective communication—ability to be highly articulate and to convey important messages in a clear and compelling manner
- Strong healthy ego—possession of the confidence and character to hire the strongest, smartest people; ability to be resilient, learn from mistakes and complement self with talent in areas of weakness; possession of emotional intelligence.
ERM In The Boardroom
The expectation is that boards, along with the CEO, should take a more proactive stance toward risk and ERM, especially as we consider the impact of the current financial crisis. As was seen in the aftermath of the Enron and WorldCom scandals, outrage about the accounting abuses in which those two companies engaged drove Congress in 2002 to pass the Sarbanes-Oxley Act (SOX), shaking up the world of corporate governance. In today’s crisis, what appears to have been a lack of proactive risk management and of a clear understanding of the risks impacting the balance sheets of so many firms indicates a need for aggressive board oversight in all areas of risk.
SOX significantly strengthened the importance and independence of the corporate internal audit function at public companies and put its oversight squarely in the hands of the board. Among other things, SOX required that a designated board member be a “Qualified Financial Expert” (QFE) and defined the knowledge that a QFE must possess. In practice, the QFE typically heads the board’s audit committee and is a former top-level accountant, chief financial officer or corporate controller. Even if a latter-day SOX doesn’t materialize, boards now may want to take it upon themselves to create a QFE-equivalent role for risk management: perhaps a “Qualified Risk Expert” (QRE).
At financial companies, this QRE director would ideally be a former senior executive in a big financial organization—an investment bank, commercial bank or insurance company—with a complicated balance sheet. He/she should have a deep understanding not only of the entire spectrum of financial instruments and trading strategies, but also of the asset-liability management process. Although the financial industry is the most obvious candidate for the QRE role, a board-level discussion should take place to determine the need for a QRE at every public company, across industries. Industry-specific factors affecting risk management will vary, but the role is universal; the most likely QRE candidates will probably have already handled risk as a CFO, GC or COO.