No longer purely custodians of caution, the role of the chief risk officer is transforming to accommodate the demands of corporations and investors.
In the past, approaches to corporate risk were merely responses to major scandals. It took a seismic event for regulators, companies and governments to take risk approaches seriously and to adopt new protective measures.
In the early nineties, the collapse of FTSE 100-listed textile group Polly Peck, the Mirror Group pension scandal and the liquidation of BCCI led to the formation of the UK Corporate Governance Code.
More recently, the 2008 financial crisis, which claimed Lehman Brothers, Northern Rock, Bradford & Bingley and many others, saw the code revised and radical changes made to how risks are assessed within financial institutions.
The rise of the chief risk officer (CRO)
Given the scale of the 2008 crisis, it is perhaps no surprise that the role of the chief risk officer (CRO) is currently more commonly found in UK banks, asset managers and insurance groups than in non-financial sectors.
But the importance of having a chief risk officer, who is able to quantify business risk, is beginning to catch on in other sectors, according to the risk management association Airmic, and it is not purely to satisfy the probing eyes of regulators.
“Risk management is not just about prevention, it is about opportunity,” explains Julia Graham, deputy chief executive at Airmic. “Risk management is like brakes in a car. They give you confidence to go faster. The modern world of risk management is about releasing opportunity and allowing you to take more risk.”
Ms Graham’s sentiments are echoed by institutional investors who are taking an interest in corporate governance and sustainability credentials.
Increasingly, investors are engaging with companies, urging them to identify future threats to revenues, and are even using their votes at annual general meetings to ensure companies carry out comprehensive risk assessments.
Last year, investors made global headlines when they voted at the annual general meetings of Exxon and Shell, eventually obliging the companies to do more to assess the impact climate change will have on their business models.
The shifting role and responsibilities of the CRO
With business sustainability climbing the agenda for institutional investors, it is becoming more important for larger businesses to have a senior executive that is plugged into different areas of the business and has full oversight of long-term vulnerabilities.
Increasingly you will see the CRO becoming the chief executive of the future
“CROs have much more influence than they did in the past,” explains Philip White, a member of the enterprise risk management team at Thomson Reuters. “The CRO needs to have complete oversight of the business and how it is performing. This includes new business decisions, going into new markets or developing new products. It is increasingly the CRO who has that sway.”
As business needs have changed and stakeholders demand increasing levels of reporting from the executive, the professional profile of individuals holding CRO responsibilities have also changed. At the turn of the millennium, executives in a risk function were typically from a financial background, but the profile of today’s CRO is much more varied, according to Mr White.
“The CROs of 20 years ago were very much numbers or ‘quant’ people. They didn’t necessarily have the greatest communication skills. That element is now far more important,” he says. “Increasingly you will see the CRO becoming the chief executive of the future. The chief risk officer has to have his or her fingers in so many pies around the organisation.”
Many job titles, one focus: risk management
Airmic has been working with professional consultancy group Oliver Wyman to chart the current responsibilities that fall to the modern-day CRO. The decision to chart the responsibilities, rather than the job title, was a deliberate one, according to Airmic’s Ms Graham, who says CROs and the like go by many job titles.
“In many organisations it is the chief financial officer or the chief executive who is running that role and the head of enterprise risk will report to them,” she explains. “Risk management is a relatively new profession. It has only emerged in the past ten to fifteen years. Other professions in law, accountancy and personnel directors have been around a lot longer, so not everyone is used to dealing with risk managers as a professional group.”
Case study: Aon UK’s Matt Kimber
Consultancy group Aon is among an increasing number of organisations to recruit a high-powered chief risk officer (CRO). In March 2017, Aon announced it was appointing Matt Kimber, who joined the business after more than five years with brokers Jardine Lloyd Thompson (JLT) where he was group head of risk and compliance.
Notably, Mr Kimber’s appointment as CRO at Aon UK saw him join the company’s board, reporting to chief executive Julie Page, who said he would bring valuable experience to the group’s risk and compliance team.
Aon praised their new recruit, saying he had already made some landmark corporate achievements over the past 20 years, including influencing and developing “enhanced risk-aware cultures” at insurance brokers and risk managers Marsh, and Lloyds Banking Group.
Mr Kimber, a graduate of the University of Hertfordshire with a degree in accountancy and financial management, also worked for eight years at Halifax Bank of Scotland, where he was group head of operational risk.
At JLT, his role was truly integrated within the business, including engagement with the enterprise risk management, compliance, financial crime, information risk management, regulatory and quality assurance teams.