- Operating in default mode. By this, the author refers to the board deferring to the CEO, who in turn defers to the CRO (chief risk officer). While the author seems more concerned that the board is not actively involved, I am more concerned that risk management is left to the CRO rather than being seen as the responsibility of every manager at every level of the organization. The responsibility for managing performance should not be separated from the responsibility for managing risk, and this is exactly what is likely to happen when the CRO is seen as responsible for risk management
- Ambiguous mandates and limited resources. Budgets are allocated for operational activities, with no time left for holistic risk management. Again, my point is that operational activities must include risk management
- Risk is siloed in functional and business verticals. The article expresses this well: “Below the level of CRO, risk officers oversee tightly defined areas of an organization’s risk — and lack the authority and credibility to influence the wider organization. In fact, the risk function itself is often a silo, largely devoted to setting and monitoring quantitative risk parameters and leaving holistic risks, such as reputational risk, to others”
- There is no mechanism for addressing risk holistically. This is a continuation of the prior point: nobody is considering the interrelationship and potential aggregation of risk across the organization

As a result, says the author, risk management “remains fragmented and provides poor visibility of risks”.

I like the point that appointing a CRO is just consolidating the risk silo into one organization, still separated from operating management’s responsibility.

Although I differ from the author’s opinion that risk management should be driven from a board perspective down, I wholeheartedly support the article’s ideal:

"Everyone comes to own enterprise risk individually. Over time, the institution creates — and continually refreshes — a culture in which it becomes second nature to strive for the ultimate goal of ERM: an enhanced capacity to increase stakeholder value by more effectively dealing with the risks and opportunities offered by uncertainty”

My opinion is that while the article has detailed some important obstacles, the most important is that those who direct and manage the organization, including the risk officers, have not fully appreciated the true value of risk management. It lies in these two statements:
- Risk management informs and enables better decisions, not only at the board and executive levels but every day by operating management
- Risk management helps you take the right risks

I welcome your views.

Link: www3.cfo.com/article/2013/1/risk-management_erm-cfo-cro-risk-management-rob-sloan




Norman Marks, CPA, is vice president, governance, risk, and compliance for SAP's BusinessObjects division, and has been a chief audit executive of major global corporations for more than 15 years. He is the contributing editor to Internal Auditor’s “Governance Perspectives” column.
normanmarks.wordpress.com/