Jim DeLoach of Protiviti is an old friend. We enjoy discussing risk management over a meal, finding that we agree on far more than we disagree. Where we do disagree, it may be more by way of expressing ourselves, or due to our different positions and perspectives (he is a consultant and external advisor to boards and executives whereas I was an executive practitioner, now retired)
His work always, in my experience, merits our careful attention and reflection.
Jim recently wrote Positioning Independent Risk Management to Succeed: 6 Ways to Support the CRO. Here are some excerpts and my comments:
DeLoach: If the board, senior management and operating personnel believe that the CRO is the only person within the organization who is concerned with risk, the game is over before it begins. In these situations, there is a major source of dysfunction lying in the weeds, and it is merely a matter of time before the organization falls victim to it.
Marks: Absolutely correct and a good observation. Decision-makers need to understand and consider everything that might happen and make an intelligent and informed decision. Such a decision leads to taking the right levels of the right risks, that in turn leads to achieving objectives and success.
DeLoach: Effective CROs are concerned with what the institution’s leaders may not know and, therefore, must occasionally offer a contrarian point of view; otherwise, the decision-making process may end up flawed with “group think.” In today’s environment, decision-making processes should be driven by objective assessments of the risk/reward balance, rather than by the emotional investment, management bias and short-termism that underlie dangerous organizational blind spots.
Marks: If the leaders don’t know, why is that? The CRO should help all decision-makers think about all the things that might happen, and do so in a disciplined manner. Teach them to fish rather than giving them fish. In addition, the CRO should question the analysis of the potential for reward – not to tear it down but to ensure it has the same rigor as exercised on the potential for harms. Finally, it’s not about “balance”. Any decision will have multiple ramifications and the CRO can help facilitate the consideration of all of them, not singly but as a combination.
DeLoach: In many organizations, board risk oversight is enhanced when the board and executive management are supported by an effective independent risk management function.
Marks: In many organizations, setting up an independent risk management function creates an atmosphere of mistrust and impairs success. The CRO and his team must consider themselves as aides to management rather than the police function that prevents them taking too much risk.
DeLoach: Tension within an institution between its market-making and control-related activities is inevitable and should be encouraged. Striking the appropriate balance between the two is fundamental to what a CRO attempts to achieve.
Marks: A system of internal control enables success, not just prevents harms. Thinking of the risk function as limited to preventing harm prevents it from achieving its potential.
DeLoach: The “Champion” CRO advances and enables the organization’s risk management framework and plays the roles of coordinator and integrator (to ensure consistency across operating units and functions), educator (as a provider of insights), facilitator (of risk assessments and formalization of risk mitigation plans), consultant (regarding application and execution of the risk management framework), communicator and reporter. Champion CROs often establish, communicate and facilitate the use of appropriate risk management methodologies, tools and techniques; facilitate risk-related meetings; and work with risk owners to provide transparency into the capabilities around managing the priority risks across the institution.
Marks: Agree, but let’s add the role of mentor, helping decision-makers understand how to identify, assess, and respond to all the things that might happen as they make decisions.
DeLoach: the CRO establishes and communicates the organization’s risk management vision.
Marks: It’s not about managing risk for its own sake, but knowing when and how to take the right levels of the right risk. Risk management vision is a myopic view that focuses solely on limits to harms. Sometimes, it is right to go all in!
DeLoach: To serve as a second line of defense, a CRO must have sufficient stature with business line leaders and across the organization. Stature comes from the authority, compensation and direct reporting lines that command respect.
Marks: Stature comes from consistently producing results, to the extent that leaders across the enterprise recognize the CRO and his team as helping them and the organization succeed.
DeLoach: the CRO role should not be perceived as a check-the-box compliance function that forces the business to follow rules imposed on it.
Marks: Agree, and this is achieved by acting as a partner in and to the business, helping them succeed rather than policing them.
DeLoach: The CRO should have open and free access to the board (or a board subcommittee).
Marks: Yes, but this should be seen as required only in an emergency. If the CRO cannot work constructively with management, he is failing.
DeLoach: If there isn’t a CRO (or equivalent executive) and/or an independent risk management function, executive management and the board of directors may want to inquire why, in the context of the nature of the entity’s risks inherent in its operations.
Marks: Sorry, Jim, but that’s the wrong question. Let’s get the board to ask the CEO whether and how he has confidence that the right risks are being taken and that decisions across the extended enterprise are intelligent and informed. Further, ask whether the reporting of performance against strategies and objectives includes the likelihood of their success and what might happen to limit or extend success. The CRO doesn’t have to be totally independent to be effective!
Please contrast this article and comments with my other blog on From Risk Management to Risk Leadership.
I welcome your comments.
- Useful ethics training for internal auditors - February 21, 2024
- Internal audit wastes so much time on policies, documentation, and more! - January 17, 2024
- The risk to an organization of technology debt or deficit - December 11, 2023