The chief risk officer is responsible for the effective assumption of manageable risk and helps the organization avoid anything that might threaten the successful execution of the company’s duties. The job description of the chief risk officer accounts for the unique set of skills and abilities that allows the individual to anticipate and, ideally, eliminate such threats and keep the company operating effectively.

Position Description

The chief risk officer serves with the other managers and executives and oversees much of the financial and accounting departments in the company.

Essential Duties and Responsibilities of a Chief Risk Officer
Required Knowledge, Skills and Abilities
Education and Experience
Work Environment
Salary
Boards and chief risk officers (CRO) may need to transform their risk management practices to address new challenges, according to our 2018 global survey of more than 94 leading financial institutions. To respond to a rapidly evolving environment, we explore five key takeaways regarding the governance of nonfinancial risks.
Since 2008, boards of directors have become much more active in providing oversight of the risk management programs at their institutions. Yet the lines have often blurred between the oversight responsibilities of the board of directors and the operational responsibilities more appropriate for the province of management. Financial institutions and regulatory authorities are now recalibrating the role of the board of directors to have it focus more clearly on providing oversight.

Core oversight responsibilities

More than 90 percent of institutions reported that their board has several core risk management oversight responsibilities, such as:
Although business strategy can often drive an institution’s risk profile, the role of the board in considering these impacts is far from universal. Seventy percent of respondents said that it’s the board’s responsibility to review corporate strategy for alignment with the organization’s risk profile.

Monitoring conduct risk

Even though conduct and culture risk are an increasing focus of regulatory authorities, only 50 percent of respondents said monitoring conduct risk was a board responsibility. This may reflect the fact that many institutions see this as more of a management responsibility. In contrast, 67 percent said that a board responsibility was to help establish and embed the risk culture of the enterprise and promote open discussions regarding risk. The percentage of respondents who said their board of directors has the responsibility to monitor risk appetite utilization, including financial and nonfinancial risk, was 77 percent, which is down from 89 percent two years ago. This is consistent with the trend that more institutions are having their boards concentrate on oversight, rather than activities more traditionally the province of management. Placing oversight responsibility for risk management in a board risk committee is a regulatory expectation and has become a widely accepted practice.
Independent directors

There has also been a trend among regulators to expect risk committees to include independent directors who have risk management expertise and skills—and these expectations have had an impact.
Overall, the move toward independent directors is most pronounced in the United States and Canada, where 87 percent of respondents reported their board risk committee was composed of either entirely or a majority of independent directors. This is compared to 67 percent in Europe and 58 percent in Asia-Pacific.
Over the course of Deloitte’s global risk management survey series there has been progress in meeting the regulatory expectation that financial institutions have an independent risk management function. Ninety-five percent of respondents in the most recent survey reported that their institution has a chief risk officer position or equivalent. Institutions can benefit by having the CRO report both to the chief executive officer (CEO) and to the board of directors, but this is not always the case.
Still, there remains room for improvement. The percentage of institutions that reported a responsibility of their board of directors was to conduct executive sessions with the chief risk officer increased to 66 percent from 53 percent in the previous survey two years ago. But more institutions should consider having their boards adopt this practice. Having the board of directors meet with the chief risk officer, ideally sometimes without the CEO or other members of senior management present, can allow the board to receive an unvarnished assessment of the institution’s risk management program.
“The strategic planning process is a joint exercise between the business and risk management. Dedicated senior risk leaders are also responsible for providing advice and oversight pertaining to a business risk.”– Senior risk executive of a large diversified financial services company
An important governance decision is how to assign responsibility for each risk type: in particular, whether a single individual should be responsible for oversight of the risk across the organization, or whether that responsibility should be decentralized across business units or geographies. Having a single individual accountable has become common for financial risks, such as:
When it comes to nonfinancial risks, there is much less consistency. With some nonfinancial risks, most institutions reported that a single executive is responsible, such as:
In contrast, it is much less common to centralize responsibility for other risks, such as:
Institutions may want to consider centralizing accountability for some of these nonfinancial risks to raise their profile in the organization and clarify responsibility.
A written risk appetite statement approved by the board of directors provides guidance to senior management and the lines of business when setting business strategy and making business decisions, and it should be periodically revisited. The importance of establishing risk appetite statements has received greater attention in recent years from regulatory authorities such as the Financial Stability Board and the Basel Committee. Ninety percent of respondents said their institutions either have a risk appetite statement that has been approved by the board of directors (84 percent) or are developing a statement for approval (6 percent). Yet institutions face a variety of challenges in defining and implementing an enterprise-level risk appetite statement, especially with respect to defining risk appetite for hard-to-quantify nonfinancial risks. The risk types that were cited most often as being extremely or very challenging in defining risk appetite were:
Virtually all institutions (97 percent) reported employing the three lines of defense risk governance model, but many said they face significant challenges in deploying it. The issues most often cited as significant challenges typically involved the role of line one (business units), including:
There is also the related issue of eliminating overlap in the roles of the three lines of defense, considered to be a significant challenge by 38 percent of respondents. To address these challenges, 43 percent of institutions said they have revised their three lines of defense model, reassessed their model, or plan to reassess it. Many institutions have been focusing on the role of the first line of defense but have found it difficult to have their business units always assume full responsibility for actively managing the risks they assume. Some business units may resist accepting their responsibility for risk management, seeing it as outside their core mission of generating revenues and profits. Beyond securing buy-in, many business units will find they need to hire or develop a sufficient number of professionals who bring both risk management expertise and experience in the specific business.
To successfully confront the array of economic threats and growing nonfinancial risks in today’s shifting business environment, financial institutions will need to reengineer their risk management programs and adopt fundamentally new approaches. As they introduce new methods, institutions must make parallel enhancements to the governance of their risk management programs. The three lines of defense risk governance model will need to be reassessed to clarify the roles and responsibilities of each line of defense, especially the business units comprising the first line. The second line of defense should have a reporting connection to the board’s risk committee and, in many cases, a “dotted line” connection to the CEO. Accountability for managing nonfinancial risks, such as conduct and culture risk and third-party risk, will need to be reexamined. Institutions must develop more robust methodologies and gain access to relevant data to allow them to quantify their risk appetite for nonfinancial risks. Boards of directors should play a key role in fostering new approaches to risk oversight. At many institutions, boards will need to: