The CRO is here to stay

New CRO appointments are being announced by a wide range of companies. Recent announcements include St. Paul, Duke Energy and Credit Agricole Indosuez. While only a handful of CROs existed in the early 1990s, today that number has grown into the hundreds. The rise of the CRO has even caught media attention. Stories on CROs have appeared not only in trade publications such as Risk Management and CFO Magazine, but also general business and popular newspapers such as the Wall Street Journal and USA Today.

Why is the number of CROs growing so quickly? The short answer is that more and more companies are appointing CROs to establish enterprise risk management (ERM) programs. By creating a CRO position, a company is signaling both internally and externally that it is serious about integrating all of its risk management activities under a more powerful senior-level executive. There are four key trends that will continue to grow the ranks of CROs globally. These trends are:

1. External stakeholders demanding more effective risk controls

2. Internal management recognizing the value proposition for risk management

3. Growing acceptance of the role of a CRO

4. New technologies and products that support ERM

External Demands

Stockholders are demanding much greater earnings stability and they are voting with their pocketbooks. In today's market environment, a company that misses earnings by even a small amount can expect to see its stock price drop much more significantly. At the same time, management can no longer turn to creative accounting to smooth out earnings, such as the use of restructuring charges and reserves, as the SEC has cracked down on "earnings management" practices. In this environment, management must control the key drivers of earnings volatility, namely the company's underlying business, operational, credit and market risks.

Regulators and stock exchanges are also setting standards for risk management. Examinations by regulators are increasingly focused on the target company's risk management policies and controls. For example, bank regulators are setting capital requirements based on enterprisewide risks. This allows companies that have developed sound internal models to use them to determine regulatory capital requirements. Regulatory capital relief provides a powerful incentive for banking institutions to invest in risk management resources and regulators of other risk-intensive industries (e.g., insurance, energy) will likely take a similar approach.

The private sector is also doing its part in establishing risk management standards. Over the past several years, numerous papers have been published by various groups, including: stock exchanges (the 1994 Dey Report from the Toronto Stock Exchange and the 1999 Turnbull Report from the London Stock Exchange); professional organizations (the 1992 Treadway Report from the audit and accounting associations and the 1996 Risk Standards Working Group Report from institutional investors); and international groups (the 1993 Group of Thirty Report and the 1994 Bank for International Settlement Report on derivatives risk management).

These initiatives not only established risk management standards and guidelines, they also served to highlight the role of the board of directors and senior management in the risk management process.

The combination of an unforgiving stock market and the increasing focus on risk management from public and private-sector initiatives has led the boards and senior management of companies to ponder certain questions: Do we have effective controls for managing all of the risks faced by the company? Is the right level of risk information being reported to senior management and the board? Should enterprise risk management be a part-- time job for the CEO or CFO?

Many companies have concluded that the best organizational strategy is to appoint a CRO and invest in the human and technology capital to fully establish an ERM program under his or her leadership. However, to obtain and maintain management support, the value proposition for risk management must be made.

Value Proposition

What is the value proposition (or cost-benefit) of appointing a CRO? To address this important question we must first determine the costs of appointing a CRO and establishing an ERM program, then evaluate the tangible and intangible benefits.

The establishment of a CRO position and ERM program is normally a multiyear, multimillion dollar effort. The salaries of top-notch CROs range from six to seven figures. A team of risk specialists must be recruited. Beyond internal resources, many companies find the need to hire external consultants to help them establish best practices and build risk models.

In addition to compensation, another major expense is the development of data, analytical and technology resources. A company must also invest in awareness and educational programs to support effective change management over time.

When all of the costs are added up, the price tag can be substantial. However, since companies are already spending millions on risk management staff, technology and risk transfer, not all of these costs are incremental. More importantly, the costs of an ERM program should be weighted against its benefits.

What should management expect in terms of benefits? Under the leadership of a CRO, ERM produces both intangible and tangible results. Intangible benefits include:

Stronger risk culture by establishing a more independent and powerful risk function

Higher risk awareness among all employees resulting from communication and educational programs

More effective and integrated organizational structure that breaks down the traditional risk silos

Clearer risk acceptance criteria that enable the taking of greater and more intelligent business risks

Improved risk transparency to key stakeholders through risk reporting and escalation

Fewer surprises given early risk identification and resolution

While these benefits are difficult to quantify, they are valuable to any company. For example, what is the value of avoiding an event that would damage the reputation of the company? Or what is the value of having senior management focus on executing its business strategy as opposed to fighting the next crisis?

In addition to the above intangible benefits, there are more quantifiable benefits that a CRO should help a company achieve:

Reduced losses and earnings volatility

Lower costs of risk transfer programs

Improved return on equity (ROE) and shareholder value

A company can achieve a dramatic reduction in losses through risk management. One large financial services firm experienced a 30 percent reduction in its loss-to-revenue ratio, while one of its business units achieved an 85 percent reduction in operational losses.

Besides loss reduction, a CRO can help a company reduce its earnings volatility by establishing the risk limits that will protect the company from excessive risk concentrations. With respect to risk transfer, companies incur hedging costs to reduce financial risks and pay insurance premiums to reduce operational risks. Risk managers who executed multirisk, multiyear risk transfer programs have claimed cost savings in the 20 percent to 30 percent range for the same level of protection. To go a step further, by taking an ERM view of a company's portfolio of risks, and incorporating the benefits of diversification, a company should be able to significantly reduce the overall size its risk transfer program.

While reduction in losses, earnings volatility and risk transfer costs represents an important and tangible benefit, the value proposition for ERM should not be based on downside risk management alone. The highest form of risk management is in supporting business growth and profitability, and ultimately in maximizing shareholder value. As a business partner, the CRO can provide business units with analytical tools for assessing and pricing risks embedded in their products and investments. A CRO can also simplify the approval process for new product and business development.

Finally, the CRO can help improve return on equity and shareholder value by allocating capital to business activities with the greatest risk-adjusted returns. The contribution to shareholder value from risk management has been reported by Chase, Enron and Royal Bank of Scotland. In fact, in bestowing its Financial Risk Manager of the Year award in 2000, the Global Association of Risk Professionals noted that recipient Bill Martin, CRO of Royal Bank of Scotland, "helped ignite a 55 percent jump in share price over the course of 2000 in the face of unprecedented global volatility."

The Role of the CRO

In order to achieve the benefits discussed above, the role of the CRO and the ERM function must be clearly defined. More importantly, a company needs to appoint an individual with the appropriate organizational and technical skills to lead the risk function. In order to do so, business executives must address two important questions: What does a CRO do? What are the position's key qualifications?

The role of a CRO is to take risk management to a higher level, moving it from the back office to the boardroom. The CRO is responsible for:

Aligning risk management strategies and processes with the company's business strategy

Establishing an overall ERM vision, plans, key milestones and success measures

Integrating all risk and control functions, policies and committee structures

Supporting business growth and profitability through capital allocation and pricing models

Developing enterprise-level risk measurement, analytical and reporting processes

Enforcing risk policies and limits, and executing risk transfer strategies

Facilitating organizational sharing of best practices and lessons learned

An effective CRO is a multifaceted individual with broad business, organizational and technical skills. He or she should perform five key roles:

1. Leader-to establish a vision and effect organizational change

2. Evangelist-to obtain management buy-in and line cooperation

3. Steward-to protect the company's financial and reputational assets

4. Technician-to possess deep technical skills in business, financial and operational risk

5. Consultant-to educate the risk staff and business managers

While it is difficult to find all of these skills in one individual, the first three are "must have's" for the CRO, while the last two can be supplemented by the ERM staff.

To whom the CRO reports is also an important question. CROs reporting directly to the CEO and the board are often most effective. To the extent that the CRO reports to the CFO or the Treasurer, and is therefore two or three levels below the CEO, the function becomes increasingly less productive.

Technolog and Product Innovations

The CRO today is supported by more advanced tools and risk transfer techniques than were available even a few years ago. Risk assessment and measurement methodologies, such as risk mapping, value-at-risk, economic capital and risk-adjusted return on capital (RAROC), provide management with better information on critical risk exposures as well as risk-return trade-- offs. These methodologies, together with early warning indicators, represent a whole new risk measurement toolkit that is much more forward-- looking than traditional risk measures that included losses, error rates and incident occurrences.

A parallel development to the advances in risk assessment and measurement is the availability of more cost-effective computer networks. The cost of computing, data storage and communication has continued to drop significantly each and every year. Moreover, the adoption of Internet/intranet applications will enable the communication of critical risk information on a global, real-time, 24-by-7 basis. The cost of installing and maintaining risk management software should also decline as vendors move toward an application service provider model.

If the CRO decides to transfer out some of the company's risks, the advent of credit derivatives, catastrophe bonds, asset securitization and alternative risk transfer products has provided innovative structures and new sources of capital. Moreover, the application of economic capital and RAROC should establish the economic framework to evaluate the cost-benefit of various risk transfer strategies.

Staying-Power

Yes, the CRO is here to stay. Risk-intensive companies should give serious consideration to establishing this role. For the risk professional, the question should no longer be "if" or even "when"-it should be "how." How do I learn more about ERM and acquire new skills? How do I think more broadly about risk management and add maximum value to my company? How do I advance my risk management career and perhaps one day be CRO? Given the development of ERM and the role of CRO, there has never been a better time to be in the risk profession. RM

Editor's Note: The position of the chief risk officer and the concepts of enterprise risk management make up some of the most incendiary debates in the profession today.

Your responses to this article and the issues at large are encouraged. Look for continued coverage of the debate in upcoming issues of RM.

Send your comments to the editor in chief: lsullivan@rim.org; 212.655.2695 (fax); or Risk Management, 655 Third Avenue, second floor, New York, NY 10017.