Sean Thompson, President & Chief Executive Officer, NAVEX.
As the collapse of Silicon Valley Bank sent shockwaves across the country, one detail jumped out at me: The bank went eight months in 2022 without a chief risk officer.
Why is that detail so telling? Because risks abound in today’s business landscape. Organizations with chief risk officers can assess those risks more perceptively and manage them more wisely—which means those companies are also able to take on more risk safely and reap the ensuing rewards.
A good analogy here might be the brakes on your car. When you know the brakes are bad, you drive more slowly and take turns more cautiously because you’re not sure how well they’ll work. With good brakes, however, you can go faster and take sharper turns—because you know the brakes are there when you need them.
A strong risk function operates the same way: It allows your enterprise to take more risk because you know you’ll be able to respond to changing conditions with agility. A chief risk officer, who has visibility into risk across the whole organization, is critical for that long-term success.
The Evolving Roles Of Risk And Compliance Officers
Many CEOs might naturally wonder, “Isn’t this what the chief compliance officer does?” Not really—or, more accurately, not any longer.
Compliance officers are responsible for worrying about compliance risks and maintaining a program to manage those specific risks. The Foreign Corrupt Practices Act is one such example; you need a robust compliance program to reduce the risk that someone in your enterprise is bribing foreign government officials to win business. Privacy compliance, product safety and anti-discrimination policies are other examples of chief compliance officer responsibilities.
The chief risk officer has a wider remit simply because plenty of business risks today aren’t compliance risks, or they double as compliance risks and business risks, where the internal controls to govern those issues are one and the same. Moreover, their job is to manage the risk of noncompliance, which can negatively impact the bottom—and top—line.
Go back to Silicon Valley Bank. One mistake was that SVB didn’t hedge its interest rate risks as rates rose in 2022. Another was the failure to see that the digital transformation of banking—a perfectly reasonable thing for a bank to do—gave depositors an easier way to withdraw their money quickly, so the value of hedging (to prevent a bank run) became even more important.
A chief risk officer might have helped SVB understand both of those perils. Neither of them, however, is a compliance risk that a CCO would typically address.
Risk officers are responsible for assuring that the business operates with sound practices for governance, risk and compliance. The CRO should have an enterprise-wide remit, so they can understand the full risk profile of the organization. They should be ready to recommend financial controls to prevent fraud or other malfeasance, IT controls for cybersecurity threats and “people controls” that support a culture of integrity.
Admittedly, the above paragraph does sound a lot like a compliance officer, and the two roles can overlap significantly. At large organizations, the compliance officer might report into the CRO, and some businesses might even consolidate the two into a single “CRCO” role, as we do at my company.
For CEOs and boards, however, the real question is whether the chief risk officer has the right resources and support to identify all of an organization’s risks and to keep those risks at appropriate levels. That’s the effective braking system that allows your enterprise to act with speed, agility and safety.
Risk’s Partnership With The Board And C-Suite
What an effective chief risk and compliance officer brings to the table is this: the execution of risk acceptance, mitigation and management. And because risk exists throughout the enterprise, that means the risk and compliance function must be able to break down silos across the enterprise, find the relevant information about risk and report that information back to senior management so you can refine your objectives and strategy as necessary.
In other words, a strong CRCO can have a strategic influence on the business because they help you understand all the risks challenging your strategy—and how the company can navigate through those challenges. For example, an empowered risk officer might advise that it’s wise for the company to take added risk and maximize an opportunity to grow at a faster rate than competitors. With a full understanding of the organization’s risk appetite, risk officers can help balance risks with desired returns, all while balancing proper governance and compliance.
Risk officers do need two things to succeed in the way I’m describing.
First, the CRO can succeed if they have the right people skills and relationships to put all those data-driven insights about risk to work. An effective risk officer instills a risk-aware culture that starts with the board and C-suite, then permeates the rest of the enterprise.
Second, it’s important to have the right technology to measure and monitor risk. The good news is that technology is getting better all the time, especially with the advent of machine learning and artificial intelligence. (Disclosure: My company provides risk software.) I suggest risk leaders look for solutions that:
• Engage employees and third parties in best practices that address potential risk across the risk spectrum, such as conflict of interest reporting, cybersecurity training, incident reporting and more.
• Aggregate risk-related data from across the organization to holistically measure and monitor risk while correlating data points that wouldn’t be obvious when viewed in a silo.
• Streamline workflows and organizational processes so the CRO can focus their team on adding strategic value to the business.
While change management often accompanies new technology, I advise CROs to socialize early on the need for technology, gaining cross-departmental buy-in and perhaps even finding areas for greater collaboration in the process.
Ultimately, of course, the people accountable for the risks of an enterprise are the board and the CEO. A strong chief risk officer is the best way to assure you don’t overlook those risks—that you understand them and engage with them appropriately. The result is a more agile organization that can accelerate, slow down and turn as conditions change. That’s how you outmaneuver the competition and achieve the outcomes that matter most for your business.