Mod 12: Governance functions and the role of the CRO Flashcards
List the key responsibilities of a CRO
Key responsibilities of a CRO
The CRO is responsible for:
1. providing leadership and direction for ERM
2. overseeing development / implementation of an ERM framework
3. managing the risk management function
4. ongoing risk policy development, and monitoring of adherence
5. risk (profile) reporting (internally and externally)
6. challenging / overseeing other areas of the business re risk
7. managing / optimising the risk portfolio
8. allocating appropriate capital to business activities
9. developing data systems / risk models for analysis / monitoring / RM
10. safeguarding financial and reputational assets
11. maintaining expertise and advising on matters of RM
12. supporting an appropriate risk culture across the organisation.
Outline the role of the CRO in the corporate structure
Role of the CRO in the corporate structure
- member of the risk subcommittee
- head of risk management function
- on the Board, or with a clear reporting line to the Board through the CEO/COO/CFO
Outline the five key skills for a CRO
Key skills for a CRO (LEAST)
- Leadership – to develop the ERM vision and recruit / retain a risk management team
- Evangelism – to convert the sceptics about ERM
- Advising (consulting) skills – to influence and educate the Board and implement policy
- Stewardship – the ability to act as a guardian of the organisation’s financial and reputational assets
- Technical competence – to assess and manage financial and operational risks
A CRO also needs wider management skills, including project and change management skills.
Outline the criteria for an individual to be described as a ‘risk expert’ (ie as specified under the US Dodd-Frank Act)
Definition of a ‘risk expert’
1. understanding risk management and governance – including setting risk appetite, risk policies and reporting
2. knowledge of relevant regulation and legislation
3. experience of identifying, assessing and managing risks
4. knowledge of ERM and business interdependencies
5. ability to lead, advise the Board and challenge management on risk strategies and plans
6. experience in risk management tools and applications, including qualitative models and risk measures
7. understanding of usefulness and limitations of risk management strategies (eg derivatives)
List the initial priorities for a newly-appointed CRO
Initial priorities for a newly-appointed CRO
- risk tolerance understood?
- risk-aligned compensation?
- timely & quality communications with internal & external stakeholders?
- any competence gaps (ie skills, capability and experience)?
- each part of the business contributes added value?
- risk management integrated (into capital management, pricing and reserving processes)?
- quality & extent of information given to stakeholders appropriate?
- governance structures robust?
- RM operating model appropriate?
Outline the role of a Central Risk Function
The role of the Central Risk Function
- giving advice to the Board on risk
- assessing the overall risks being run by the business – taking account of hidden risks and correlations, as well as general uncertainty
- comparing overall risk profile with risk appetite
- acting as a central focus point for reporting by staff of new and enhanced risks
- giving guidance to line managers about the identification and management of risks, making suggestions for risk responses (but not normally directly managing the risks)
- monitoring progress on risk management
- pulling the whole picture together
State the ‘three lines of defence’ and outline three ways in which the first two ‘lines of defence’ might relate to each other
The ‘three lines of defence’ and their relationships
1st is line management staff in the business units
2nd is the CRO, risk management and compliance functions
3rd is the Board and audit function, who oversee the first two!
The relationship between the first two lines might be characterised as:
- offence versus defence – the first line focuses on maximising income whilst the second focuses on minimising losses
- policy and policing – rules are set by the risk management function and policed by the risk management, audit and compliance functions
- partnership – risk management staff are integrated into the business units and the two functions share some measures of performance.
Describe the factors that will determine the most appropriate governance structure (ie how the ‘lines of defence’ relate to each other)
An appropriate governance structure
An appropriate governance structure depends on:
- the existing governance structures, eg committees and decision-making bodies
- the size and nature of the business, eg life insurance or general insurance business for insurers
- the risks faced by the business
- the autonomy and accountability of the elements in the current corporate structure. For example, if individual business units are run autonomously, the risk management function needs to support each individual business unit, rather than only operating at the ‘whole organisation’ level.
In practice the solution may be a mix of organisational structures, eg partnership plus an overlay of policy and policing.
Outline the potential problems of the policy and policing approach
Potential problems of the policy and policing approach
- policies may become out of date as the risk management function is not in touch with day-to-day operations
- audit and compliance reviews aren’t continuous, so may fail to identify problems
- friction between line management and the risk management function as each fails to understand the other’s viewpoint fully / lack of shared objectives
- line management may have little incentive to report problems, policy violations and issues where it is uncertain whether a violation has occurred.
Discuss the characteristics of the partnership approach
Characteristics of the partnership approach
- business units and risk management function work together in a client-consultant type relationship to manage risk
- business units must recognise the benefit to long-term performance of a risk management function
- risk management staff must recognise the importance of their role as consultants, ie meeting the needs of the business units (the client)
- should lead to more collaborative decision making, less hiding / more timely resolution of issues
- independence may suffer in this structure – it is hard for risk management staff who are integrated into business units to have a corporate oversight role
- possible ambiguity of reporting lines for risk management staff
Outline the four key challenges in managing the relationship between business units and risk management staff
Challenges in relationship management
1. conflict and conflict resolution
– risk as ‘opportunity for profit’ or an ‘opportunity for loss’?
– marginal-cost versus full-cost pricing?
2. integration of risk management staff within business units
– risk management staff feel stuck between two opposing sides
– ‘dotted line’ link to the CRO for performance review
3. aligning incentives of business unit and risk management staff – can reduce conflict between them, but difficult to design
4. measuring operational risks
– difficult to reflect in performance measurement systems
– particularly important to ensure a common taxonomy
List the skills required in a risk management function
Skills required in a risk management function
- project management skills
- change management skills
- relationship management skills
- technical expertise
- implementation skills
State the business activities where the risk management function should be involved, according to best practice
Activities where the risk management function should be involved
1. business strategy
− follow RM process, expected risk-adjusted performance
2. business development / new product
− uncertain assumptions, set trigger points
3. product pricing
− allow for expected losses, cost of capital, cost of risk transfer
4. measuring business performance
− risk-adjusted, balanced scorecard / dashboard reporting
5. risk and incentive compensation
− disclosure, encourage appropriate risk taking, clawback provisions
Outline the features of good compliance practice
Features of good compliance practice
- the organisation has good knowledge of legislation and other rules with which it must comply (eg stock exchange regulation, accounting standards, employment and health and safety legislation)
- line managers have identified the provisions with which they must comply and documented their compliance with each specific provision
- where there is not yet full compliance, the risks of non-compliance have been identified and a plan to achieve compliance within a suitable timescale has been drawn up
- regulators have been informed promptly where there is regulatory non-compliance
Outline the role of the internal audit function, as pertaining to risk management
The role of the internal audit function
Risks are an important concern for the internal audit function – eg auditing system security in order to prevent fraud.
Its other responsibilities will vary from one organisation to another, but may include:
- monitoring compliance with laws and regulations
- checking for errors / shortcomings in systems and processes, eg:
1. non-observance of internal governance codes
2. examination of key spreadsheets
3. examination of procedures for paying insurance premiums on time and observing insurance conditions.