From Gatekeeper to Enabler - The Evolution of the Chief Risk Officer
Strategy management is key to the success of an organization. It prioritizes where the organization chooses to play, and how it will play, so it can achieve its mission. These choices are almost always accompanied by risks that challenge the successful execution of strategy, making it inevitable that the enterprise needs to identify and manage these risks closely.
The choices made by an enterprise whilst defining its strategy are in themselves actions that mitigate risks from macro trends, market dynamics, business model threats or competitive differentiation. Indeed, in these times of massive disruption and rapid transformation, enterprises are compelled to take calculated risks to survive and create value for stakeholders.
Strategy without risk management is seldom effective and organizations need to recognize that they are really just two sides of the same coin.
Today, there is a greater risk of value erosion from an unsuccessful execution of strategy than from pure operational inefficiencies or from incidents related to compliance. And so, over time, the responsibilities of the chief risk officer (CRO) and his enterprise risk management team have evolved from being gatekeepers to becoming enablers of strategy - to shift the conversation from “How do we restrict the enterprise from doing things that will expose it to risks?” to “How can we work towards achieving the company’s goals while managing or mitigating the risks involved?”
This evolution from being a pure controlling authority to that of an enabler of risk-based decision making requires the CRO’s role to be redefined along several fronts. The modern CRO must:
- Have high levels of engagement in the strategy decision process, the definition of strategic initiatives and in the setting of strategic goals to measure performance
- Be a mandatory member of any forum that makes strategic organizational decisions
- Have an independent channel of reporting into the Board of Directors to provide an objective and risk-based assessment of strategy execution
- Have the authority and independent access to all teams that are running strategic, operational and compliance programs and related data sources across the organization
- Be measured based on the extent to which he has enabled the organization to achieve its stated goals rather than just how much risk was mitigated
Enterprise Risk Management at Infosys
At Infosys, the roles of the chief risk officer and the strategy officer are merged, offering a unique vantage point. The same scorecards are used by both the strategy team and the risk team, ensuring alignment of mitigation actions with strategic outcomes. Risks are evaluated even as strategic actions are being planned, rather than being assessed after the plan. The exhaustive risk register of the company is completely aligned to three strategic outcomes for the company – in the areas of increasing client relevance, optimizing operational processes and maintaining the hygiene of secure, compliant and ethical, value-based operations.
Further, the charter of the enterprise risk management office needs to be revisited to include more progressive responsibilities such as:
- Cast a wide net and build a risk register that covers all aspects of organization risk - encompassing strategic, operational, legal and compliance risks across all stakeholders
- Build a risk hierarchy that effectively aligns all the risks of the company with its strategic objectives
- Identify, assess and monitor risks closely and in conjunction with business units and departments
- Implement frameworks and tools across the organization to be able to assess risks using common yardsticks
- Foster a culture that encourages stakeholders to proactively identify and discuss risks and seek help instead of finding ways of circumventing restrictive policies or being defensive
A key transformation objective of a process-oriented company was to enable innovation at scale. A strategic program was unleashed, urging all employees to “think outside the box”. Employees reacted by asking for open internet access so they could freely search for information that could help them innovate. Being a large organization with high data leakage risks, the company had tight controls in place on internet access from within the enterprise. The risk office stepped in to analyze the requirement and to bring together cross-functional teams to evaluate potential solutions. With the right governance and risk management systems in place, a technology solution was rolled out that could both protect the enterprise and at the same time enable employees to achieve their objective.
Traditionally, CROs have focused on skills such as those that enable institution of processes, implementation of operational controls, rigor in quantitative assessment, knowledge of regulatory requirements and efficiency. The evolution of the role of the CRO now requires him to add new skills and traits to his repertoire:
- Deep understanding of the company’s strategic context, strategy and the interplay between various strategic programs and processes
- Deep understanding of the expectations of the company’s stakeholders, e.g. executives, employees, clients, investors, partners, vendors and society
- Constant, proactive outreach across the organization to identify risk patterns, rather than waiting for risks to bubble up
- Empathy, inspiration, persuasiveness and collaboration
- Being a change agent - result orientation and decision making through consensus
- Fearlessness in calling a spade a spade, always keeping the organization’s success in sight
Internationally accepted risk framework standards like The Committee of Sponsoring Organizations of the Treadway Commission (COSO), a joint initiative of a group of organizations to combat corporate fraud, have proposed bringing strategy and risk together. But they are yet to specify the approach that companies must take to achieve this. Meanwhile, the complexities of business are transforming at a rapid pace and organizations are forced to step into unfamiliar territories.
It is an opportune time for CROs to take the initiative and provide their organizations the guiderails to navigate their next.