Page 26 - The Insurance Times January 2022

While an organization can appoint a "best in class" CRO that ticks all the necessary CRO boxes, if the organization does not fully embrace and acknowledge the role, it will be doomed to fail from the outset. It is fairly obvious that the risk management function of an organization should be independent. In some firms, the risk management function reports to the CFO. In others, the risk team is a separate function reporting directly to the CEO. Ideally, the risk management function should report to no one below the level of CEO. This ensures that the risk function is given proper standing in the organization and does not get lost within the finance function. It is imperative that risk managers have the respect of those outside the risk function so that their opinions are heard. To ensure this, risk managers must be sufficiently senior and highly experienced so as to thoroughly understand their company's business.

In order to ensure that it discharges its role successfully, the Board should engage in constructive risk dialogue with management, challenging assumptions which have an impact on risk. It is in this context that the Board should keep itself informed of any current, imminent or envisaged risks that may threaten the long-term sustainability of the organization. Risk reports to the Board, therefore, should contain meaningful information on the firm's overall risks, risk concentrations, emerging risks, and any changes or trends in key risks.

Why should the CRO report to the Board rather than the CEO?

The Chief Risk Officer and his team of risk management professionals are expected to champion the protection of enterprise value at crucial decision-making moments, when a given strategy, transaction or deal is under scrutiny or is likely to expose the organization to unacceptable risk. Effective CROs are concerned with what the institution's leaders may not know and, therefore, must occasionally offer a contrarian point of view; otherwise, the decision-making process may end up flawed by "group think" or by extraneous factors such as management bias and short-termism that underlie dangerous organizational blind spots.

A common mistake is positioning the risk function under Internal Audit. In the Three Lines of Defense model, management control is the first line, the various risk control and compliance oversight functions established by management are the second line, and independent assurance is the third. Each of these plays a distinct role within the organization's wider governance framework. The failure to maintain such independence between risk and audit not only weakens the equal importance of their respective value propositions, but eliminates an entire "line" in the governance framework altogether.

A CRO who reports to the head of a business line is not free to effectively exercise control over the activities of that business line. A CRO reporting through Finance does not have sufficient leverage to push complex or uncomfortable risk issues through to the highest levels of decision-making.

For this very reason, the head of the Risk Management function (CRO or equivalent) should ideally have direct access to the RMCB or Board. This is not to say that the CEO is not kept in the loop. This is critical, as ERM cannot succeed without the active involvement of the CEO. Unless Risk Management is an integral part of management's day-to-day agenda, it is reduced to a mere compliance exercise. Besides, it may so happen that the Board does not have knowledge of all technical areas to interpret results and provide guidance.

[Figure: governance structure chart. Top row: Board. Second row: Audit Committee, Risk Committee. Third row: CEO. Fourth row: Chief Auditor, Other CXOs, CRO. Bottom row: Internal Audit, Risk Champions, ERM Function.]

International Experience:
According to Deloitte's Global Risk Management Survey, 68% of CROs in financial institutions report to the CEO, and 46% report to the board directly.

Formal reporting lines may vary across organizations and countries, but regardless of these reporting lines, the independence of the CRO is paramount. While the CRO may report to the CEO or other senior management, the CRO should also report and have direct access to the Board and its Risk Committee without impediment. Also, the CRO should not have any management or financial responsibility in respect of any operational business lines or revenue-generating functions. Interaction between the CRO and the Board should occur regularly and be documented adequately.
