Page 34 - RMAI Bulletin July - September 2021

fairly obvious that the risk management function of an organization should be independent. In some firms, the risk management function reports to the CFO. In others, the risk team is a separate function reporting directly to the CEO. Ideally, the risk management function should report to no one below the level of CEO. This ensures that the risk function is given proper standing in the organization and does not get lost within the finance function. It is imperative that risk managers have the respect of those outside the risk function so that their opinions are heard. To ensure this, risk managers must be sufficiently senior and highly experienced so as to thoroughly understand their company's business.

In order to ensure that it discharges its role successfully, the Board should engage in constructive risk dialogue with management, challenging assumptions which have an impact on risk. It is in this context that the Board should keep itself informed of any current, imminent or envisaged risks that may threaten the long-term sustainability of the organization. Risk reports to the Board, therefore, should contain meaningful information on the firm's overall risks, risk concentrations, emerging risks, and any changes or trends in key risks.

Why should the CRO report to the Board rather than the CEO?

The Chief Risk Officer and his team of risk-management professionals are expected to champion the protection of enterprise value at crucial decision-making moments when a given strategy, transaction or deal is under scrutiny or is likely to expose the organization to unacceptable risk. Effective CROs are concerned with what the institution's leaders may not know and, therefore, must occasionally offer a contrarian point of view; otherwise, the decision-making process may end up flawed by "group think" or by extraneous factors such as management bias and short-termism that underlie dangerous organizational blind spots.

A common mistake is positioning the risk function under Internal Audit. In the Three Lines of Defense model, management control is the first line, the various risk control and compliance oversight functions established by management are the second line, and independent assurance is the third. Each of these plays a distinct role within the organization's wider governance framework. The failure to maintain such independence between risk and audit not only weakens the equal importance of their respective value propositions, but eliminates an entire "line" in the governance framework altogether.

A CRO who reports to the head of a business line is not free to effectively exercise control over the activities of that business line. A CRO reporting through Finance does not have sufficient leverage to push through complex or uncomfortable risk issues to the highest levels of decision-making.

For this very reason, the head of the Risk Management function (CRO or equivalent) should ideally have direct access to the RMCB or Board. This is not to say that the CEO is not kept in the loop. This is critical, as ERM cannot succeed without the active involvement of the CEO. Unless Risk Management is an integral part of management's day-to-day agenda, it is reduced to a mere compliance exercise. Besides, it may so happen that the Board does not have knowledge of all technical areas to interpret results and provide guidance.

[Figure: organization chart of the reporting structure. The Board sits at the top, with the Audit Committee and Risk Committee beneath it. The CEO reports to the Board. Under the CEO sit the Chief Auditor, Other CXOs and the CRO, which in turn head Internal Audit, the Risk Champions and the ERM Function respectively.]

International Experience: According to Deloitte's Global Risk Management Survey, 68% of CROs in financial institutions report to the CEO, and 46% report to the board directly.

Formal reporting lines may vary across organizations and countries, but regardless of these reporting lines, the independence of the CRO is paramount. While the CRO may report to the CEO or other senior management, the CRO should also report and have direct access to the Board and its Risk Committee without impediment. Also, the CRO should not have any management or financial responsibility in respect of any operational business lines or revenue-generating