One of the problems with many risk management functions, as I see it, is their reporting structure.
The ideal is viewed by many (including regulators) as reporting directly to the board or a committee of the board. That sets them up as separate and independent of the management team, creating the perception if not the reality that they have a different agenda: preventing management from taking too much risk (whatever that means) rather than helping them take the right risks for success.
If risk officers are seen as standing in the way of innovation and performance, let alone agility in decision-making, why should we expect executives to welcome them into their house?
Should Risk Management Report to the CEO?
The second preferred option for many is to report directly to the CEO.
Does the CEO understand how risk management can help him or her and their team succeed? Or are they under pressure from the board and others to see risk management as helping to avoid failure?
Focusing on avoiding failure inevitably leads to failure.
In addition, the CEO is probably the busiest person in the organization, and it is not easy to get their time let alone their attention. In fact, even when the CRO does report to the CEO, he or she is usually not seen as a member of the top executive team and is rarely included in meetings of the elite group that runs the organization.
What About the CFO?
Most will agree that the CRO should not report to the CFO, as this may:
- Unduly influence the CRO towards financial issues, and
- Create the perception that the CRO is a finance and compliance rather than a business person.
I don’t have any problem with the CRO reporting to (or being the same person as) the chief audit executive (CAE). But that all depends on the CAE. Does he or she have the right attitude about taking risk? Does he or she have the respect of the rest of the organization — as a business rather than police person?
Even then, when the CAE is also the CRO, where should he or she report? When I wore more than one hat like this, I made sure it was clear where I reported for each responsibility.
Related Article: Did Risk Management Fail?
Alternate Reporting Structures for the Risk Management Function
I believe there are two better options. Options that could revitalize a risk function mired in risk avoidance and mitigation.
1. Risk Reports to the COO
The first is to report to the Chief Operating Officer.
This is how CEO Search describes the responsibilities of a typical COO:
- Provide management to staff and leadership to the organization that aligns with the company’s business plan and overall strategic vision.
- Assist executive team members in creating, growing and building a world class, industry leading organization.
- Drive company results from both an operational and financial perspective working closely with the CFO, CEO and other key executive team members.
- Partner with the CFO to achieve favorable financial results with respect to sales, profitability, cash flow, mergers and acquisitions, systems, reporting and controls.
- Set challenging and realistic goals for growth, performance and profitability.
- Create effective measurement tools to gauge the efficiency and effectiveness of internal and external processes.
- Provide accurate and timely reports outlining the operational condition of the company.
- Spearhead the development, communication and implementation of effective growth strategies and processes.
- Works with other c-level executives on budgeting, forecasting and resource allocation programs.
- Work closely with senior management team to create, implement and roll out plans for operational processes, internal infrastructures, reporting systems and company policies all designed to foster growth, profitably and efficiencies within the company.
- Motivate and encourage employees at all levels as one of the key leaders in the company including but not limited to professional staff, management level employees and executive leadership team members.
- Forge strategic partnerships and relationships with clients, vendors, banks, investors and all other professional business relationships.
- Work with the CEO and CFO in the capital raise process, participate in the company’s road shows. Meet, interact and present information effectively to potential investors and private equity firms.
- Foster a growth oriented, positive and encouraging environment while keeping employees and management accountable to company policies, procedures and guidelines.
If the CRO’s primary purpose is to help management make the informed and intelligent decisions necessary for success (as I have argued here and in my books), then it seems to me the COO is a primary customer.
Why not report to your primary customer? That will help ensure that your interests are aligned, and you get his or her valuable support, including time and resources. The COO will have an incentive to make risk management as effective as possible when it comes to both strategic and tactical decisions.
Just like the CAE, the CRO can have matrix reporting. For example, some organizations might want him or her to report to the board (or a committee of the board) and the COO. I could see some variations on this theme, for example reporting to the COO who is the chair of the management risk, strategy, and performance committee. Note how I integrated all three rather than having a siloed risk management committee.
Related Article: Stop Managing and Start Taking Risks
2. Risk Reports to the Chief Strategy Officer
The other option may be a new idea to some: Have the CRO report to the Chief Strategy Officer.
This is how Wikipedia describes the role: “The CSO is an advisory and deal making role; both leader and doer, with the responsibility for formulating corporate strategy as well as ensuring that execution of the strategy supports the strategy elements. The CSO at times functions as a sort of ‘mini CEO,’ someone who must see the issues confronting the company from as broad a perspective as the chief executive does.”
Typical CSO responsibilities include:
- Develop a comprehensive, inclusive strategic plan and growth strategy by collaborating with the CEO, senior leadership and the board of directors.
- Analyze market dynamics, market share changes and product line performance.
- Identify and often execute important capital projects, joint ventures, potential M&A targets and other strategic partnership opportunities.
- Identify and convey strategic risks.
- Communicating and implementing a company’s strategy internally and externally so that all employees, partners, suppliers, and contractors understand the company-wide strategic plan and how it carries out the company’s overall goals.
- Driving decision-making that creates medium- and long-term improvement.
- Establishing and reviewing key strategic priorities and translating them into a comprehensive strategic plan.
- Monitoring the execution of the strategic plan
- Facilitating and driving key strategic initiatives through inception phase.
- Ensuring departmental/unit strategic planning projects reflect organizational strategic priorities.
- Partnering with institutional leadership, special committees, and consultants to support execution of key initiatives.
- Developing inclusive planning processes.
- Translating strategies into actionable and quantitative plans
- Mobilizing and managing teams of individuals charged with executing strategies.
- Acting as a resource across an organization to increase broad cohesion for strategic plans.
- Execute divestments and divestiture.
- Collaborate with the CFO to develop a capital plan in line with the organization’s strategy.
Again, the objectives and responsibilities of the CSO seem to me to be aligned with those of the CRO.
Who Do You Think the CRO Should Report To?
What do you think?
Would a change in reporting structure revitalize and give new energy to a risk management function and practice?
Norman Marks, CPA, CRMA is an evangelist for “better run business,” focusing on corporate governance, risk management, internal audit, enterprise performance, and the value of information. He is also a mentor to individuals and organizations around the world, the author of World-Class Risk Management and publishes regularly on his own blog.