Module 12: Governance / assurance functions and the role of the CRO Flashcards
A good CRO should improve the effectiveness of an organisation’s risk management function by (3)
- filling in any gaps in the skills, knowledge and/or experience in a management team
- providing additional resource for a risk management function
- being prepared to escalate issues directly to the Board without fear or prejudice to their own job security or remuneration.
Explain how a CRO might be positioned within an organisation structure
Typically the CRO will either sit on the Board or will report to the Board through the CEO or CFO.
It is particularly important that the relationships between the CRO and other officers are unambiguous.
A CRO reporting to the CFO or CEO may mean conflicts of interest inhibit communication to the Board.
Discuss the degree to which the Board might delegate some of its responsibilities for risk management and outline how that might best be achieved
It is common for Boards to delegate risk management to a risk subcommittee. This subcommittee will take responsibility for setting risk management strategy and policies and monitoring.
It should be independent from the day-to-day business and those appointed to it should be suitably qualified.
The accountabilities, responsibilities and relationships between the Board, risk subcommittee, CRO and line management should be clearly defined and distinct. While the Board may delegate some responsibilities to a subcommittee, the Board retains overall accountability for risk management.
In the financial sector, such delegation should be to a risk subcommittee, rather than the audit subcommittee.
Outline the key responsibilities of the CRO
- providing overall leadership and direction for ERM
- establishing and integrating an ERM framework across the company
- developing risk policies / minimum standards and monitoring adherence
- developing risk models and data systems
- effective reporting (internal and external) on risk exposures (current and future / emerging)
- allocating capital to business activities based on risk-adjusted returns
- managing and optimising the risk portfolio
- safeguarding the company’s financial and reputational assets
- ensuring compliance with regulatory requirements.
6 key skills required of a CRO
- LEADERSHIP: to develop the ERM vision and recruit / retain a risk management team
- COMMUNICATION SKILLS: to influence and persuade the business about ERM
- STEWARDSHIP: the ability to act as a guardian of the organisation’s assets
- TECHNICAL COMPETENCE: needed to manage financial and operational risks
- CONSULTING SKILLS: needed to influence and educate the Board and implement policy
- PROJECT AND CHANGE MANAGEMENT
Outline what a CRO will need to establish upon or soon after their appointment to the role
The CRO will need to establish whether:
- there is a clear understanding of the company’s risk tolerance
- management’s compensation is aligned with prudent risk management
- there are any gaps in the skills, capability and experience of the team
- each part of the insurer’s business increases its overall value
- risk management is linked into capital management, pricing and reserving processes
- the quality and extent of the information given to stakeholders enables them to assess the financial condition of the insurer
- the governance structures are robust
- the risk management operating model is appropriate
The CRO will need:
- to establish a close working relationship with the CFO - since they each have a role to play to make earnings more predictable and less likely to reduce in future
- authority within the organisation
- to understand the insurer’s key stakeholders and drivers of performance
CRF abbreviation
Central risk function
The role of the CRF should include (7)
- advise the Board on risk
- guide line managers on identification and management of risks, and suggest risk responses
- act as a central focus point for staff to report new and enhanced risks
- assess the overall risks being run by the business
- make comparisons of the overall risks being run by the business with its risk appetite
- monitor progress on risk management
- pull the whole picture together.
3 lines of defence
1st: line management staff in the business units
2nd: the CRO, risk management team and the compliance team
3rd: the Board and audit function
The relationship between the first two lines of defence may be characterised as one of (3) models:
- offence vs defence
- policy and policing
- partnership
Outline the offence vs defence model
The first two lines are set up in opposition to each other.
- business units focus on maximising income and
- risk management focuses on minimising losses.
Key disadvantage of the offence vs defence model
The relationship is potentially destructive and damaging to the organisation as business units and the risk management function have opposing objectives (and incentives).
Outline the policy and policing model
Business units operate within rules, which are set by the risk management function and policed by the risk management, audit and compliance functions.
Key disadvantages of the policy and policing model
- policies may become out of date as the risk management function is not in touch with day-to-day operations.
- audit and compliance reviews do not occur continuously, so may fail to identify problems.
- there may be friction between line management and risk management as each fails to understand each other’s viewpoint fully.
- line management may have little incentive to report problems, policy violations and issues where it is uncertain whether a violation has occurred. This issue is mitigated somewhat by arguments about “the greater good” or if incentives are linked to policy compliance and reporting violations.
Outline the partnership model
Risk management staff are integrated into the business units and the two functions share some measure of performance.
Under this approach:
- Business units and risk management staff work together in a client-consultant type relationship to manage risk.
- Business units must recognise the benefit to long-term performance of a risk management function.
- Risk management staff must recognise the importance of their role as consultants, ie meeting the needs of the business units (the client).
Key disadvantage of the partnership model
- Independence may suffer in this structure - it is hard for risk management staff who are integrated into business units to have a corporate oversight role.
Describe how a mix of organisational structures might work in a large insurer
In a large insurer (or indeed any large business) the risk management function may be split between a central team and units embedded in each business unit.
In this situation, it is important to ensure that a “silo” mentality does not develop - a matrix reporting framework may help here.
4 Key challenges in managing the relationship between business units and risk management staff
- conflict and conflict resolution
- management of risk management staff within business units
- aligning incentives
- measuring non-financial (e.g. operational) risks
Outline the nature of the challenges:
conflict and conflict resolution
Conflict arises as a result of parties perceiving risk differently - does risk mean an “opportunity for profit” or an “opportunity for loss”?
Business units often want to increase volumes and may argue for pricing based on marginal costs, but the finance department want to grow revenue and control risk and argue for full-cost pricing.
Outline the nature of challenges:
management of risk management staff within business units
- risk management staff embedded within business units may not be trusted by business unit staff and may feel stuck between two opposing sides.
- it may be best if the risk management staff report to the business unit head and have a “dotted line” link to the CRO.
- the CRO should have input into the performance review of the risk management staff embedded in business units.
Outline the nature of challenges:
aligning incentives
- Aligning incentives for business unit and risk management staff can reduce conflict between them, although in practice the design of suitable performance measurement and incentive systems may be difficult.
Outline the nature of challenges:
measuring operational risks
- Operational risks can be difficult to assess and take into account in performance measurement systems.
- It is particularly important to ensure a common taxonomy around operational risk management to minimise the risk of confusion.
List 5 key skills required within a risk management function
- project management skills
- change management skills
- relationship management skills
- technical expertise
- implementation skills
Outline 6 (risk-focused) questions management should ask themselves when developing plans and strategies for their unit(s)
Management should address questions such as:
- What risks may prevent us from achieving our objectives?
- How do we assess and monitor these risks?
- How can we mitigate or transfer these risks?
- What level of risk-adjusted performance can we expect?
- What risk limits / tolerances should be adopted?
- Who will measure and monitor the risks involved?