Module 12: Governance / assurance functions and the role of the CRO Flashcards
A good CRO should improve the effectiveness of an organisation’s risk management function by (3)
- filling in any gaps in the skills, knowledge and/or experience in a management team
- providing additional resource for a risk management function
- being prepared to escalate issues directly to the Board without fear or prejudice to their own job security or remuneration.
Explain how a CRO might be positioned within an organisation structure
Typically the CRO will either sit on the Board or will report to the Board through the CEO or CFO.
It is particularly important that the relationships between the CRO and other officers are unambiguous.
If the CRO reports to the CFO or CEO, conflicts of interest may inhibit communication of risk issues to the Board.
Discuss the degree to which the Board might delegate some of its responsibilities for risk management and outline how that might best be achieved
It is common for Boards to delegate risk management to a risk subcommittee. This subcommittee will take responsibility for setting risk management strategy and policies and monitoring.
It should be independent from the day-to-day business and those appointed to it should be suitably qualified.
The accountabilities, responsibilities and relationships between the Board, risk subcommittee, CRO and line management should be clearly defined and distinct. While the Board may delegate some responsibilities to a subcommittee, the Board retains overall accountability for risk management.
In the financial sector, such delegation should be to a risk subcommittee, rather than the audit subcommittee.
Outline the key responsibilities of the CRO
- providing overall leadership and direction for ERM
- establishing and integrating an ERM framework across the company
- developing risk policies / minimum standards and monitoring adherence
- developing risk models and data systems
- effective reporting (internal and external) on risk exposures (current and future / emerging)
- allocating capital to business activities based on risk-adjusted returns
- managing and optimising the risk portfolio
- safeguarding the company’s financial and reputational assets
- ensuring compliance with regulatory requirements.
6 key skills required of a CRO
- LEADERSHIP - to develop the ERM vision and recruit / retain a risk management team
- COMMUNICATION SKILLS - to influence and persuade the business about ERM
- STEWARDSHIP - the ability to act as a guardian of the organisation’s assets
- TECHNICAL COMPETENCE - needed to manage financial and operational risks
- CONSULTING SKILLS - needed to influence and educate the Board and implement policy
- PROJECT AND CHANGE MANAGEMENT
Outline what a CRO will need to establish upon or soon after their appointment to the role
The CRO will need to establish whether:
- there is a clear understanding of the company’s risk tolerance
- management’s compensation is aligned with prudent risk management
- there are any gaps in the skills, capability and experience of the team
- each part of the insurer’s business increases its overall value
- risk management is linked into capital management, pricing and reserving processes
- the quality and extent of the information given to stakeholders enables them to assess the financial condition of the insurer
- the governance structures are robust
- the risk management operating model is appropriate
The CRO will need:
- to establish a close working relationship with the CFO - since they each have a role to play to make earnings more predictable and less likely to reduce in future
- authority within the organisation
- to understand the insurer’s key stakeholders and drivers of performance
CRF abbreviation
Central risk function
The role of the CRF should include (7)
- advise the Board on risk
- guide line managers on identification and management of risks, and suggest risk responses
- act as a central focus point for staff to report new and enhanced risks
- assess the overall risks being run by the business
- make comparisons of the overall risks being run by the business with its risk appetite
- monitor progress on risk management
- pull the whole picture together.
3 lines of defence
1st: line management staff in the business units
2nd: the CRO, risk management team and the compliance team
3rd: the Board and audit function
The relationship between the first two lines of defence may be characterised as one of (3) models:
- offence vs defence
- policy and policing
- partnership
Outline the offence vs defence model
The first two lines are set up in opposition to each other.
- business units focus on maximising income and
- risk management focuses on minimising losses.
Key disadvantage of the offence vs defence model
The relationship is potentially destructive and damaging to the organisation as business units and the risk management function have opposing objectives (and incentives).
Outline the policy and policing model
Business units operate within rules, which are set by the risk management function and policed by the risk management, audit and compliance functions.
Key disadvantages of the policy and policing model
- policies may become out of date as the risk management function is not in touch with day-to-day operations.
- audit and compliance reviews do not occur continuously, so may fail to identify problems.
- there may be friction between line management and risk management as each fails to understand each other’s viewpoint fully.
- line management may have little incentive to report problems, policy violations and issues where it is uncertain whether a violation has occurred. This issue is mitigated somewhat by appeals to “the greater good”, or if incentives are linked to policy compliance and to reporting violations.
Outline the partnership model
Risk management staff are integrated into the business units and the two functions share some measure of performance.
Under this approach:
- Business units and risk management staff work together in a client-consultant type relationship to manage risk.
- Business units must recognise the benefit to long-term performance of a risk management function.
- Risk management staff must recognise the importance of their role as consultants, ie meeting the needs of the business units (the client).