Navigating the many risk, compliance, and audit challenges in the modern world is no mean feat for business leaders. For this reason, we are seeing an increasing number of new Chief Executive Officers coming up from the rank of Chief Risk Officer (CRO).
CROs are required to have in-depth knowledge of their business and the sector it operates in, as well as the skills to anticipate the unknown. This involves being able to plan for a comprehensive range of scenarios and know exactly when (and where) changes are needed. Considering these parallels, it is clear to see why more CROs are making the transition.
The ‘Best Scenario’ Strategic Role Of The CRO – Think Chess Master
At Protecht, we say that the role of a CRO is similar to that of a chess master. While the chess master may not know their opponent’s next move, looking closely at the board will offer some clues to help formulate a counter-strategy.
The earlier this strategy is deployed, the more effective it can be. This is also true of risk management. Even without a crystal ball, there are nearly always some indicators as to the most likely outcome or potential scope of outcomes.
The CRO should focus on optimizing the value from risk management at the highest level and delegate tactical risk management decision-making to a raft of trusted line 1 managers.
The role of an effective risk manager is to identify the warning signs as early as possible and react accordingly to mitigate potential issues. As some high-profile business stories have shown, delays or failure to spot these signs can be very damaging.
How Poor Risk Management Failed Silicon Valley Bank
One such example is the demise of Silicon Valley Bank, where signs were missed that could have prevented its collapse. While the sudden rise in interest rates took many US banks by surprise, these rises might have been predicted by the combination of historically low rates and spiraling inflation.
Consequently, SVB’s over-exposure to longer-term government bonds should have been detected by risk management processes long before it led to the bank’s downfall. Due to these factors, many experts are now reflecting on the bank’s ineffective risk management approach in order to prevent similar incidents.
Building An Embedded Risk Culture
It’s important to embed a risk management culture to help optimize organizational risk management in the business by taking an ‘Integrated Dynamic Risk Profiling’ approach. Everyone in the organization becomes a risk manager, allowing the CRO to focus on strategic risk.
This approach should start by establishing an effective risk management framework where all pertinent information is consolidated into an integrated dynamic risk profile. This provides the risk team and wider business professionals with a snapshot of the live risks across the business.
Creating an Effective Risk Management Framework
The key foundations of an effective risk management framework include the following:
- Set objectives and critical processes
Risk is the effect of uncertainty on objectives. A good risk framework starts by identifying the operational and strategic objectives and the critical processes and projects that will enable delivery.
- Prioritize risks against objectives
A comprehensive identification of the key risks against these objectives, linked to a strong risk categorization/taxonomy, allows employees to use the risk information available to aggregate risk up to the highest levels of the board when required.
- Conduct regular risk assessments
Regular risk assessments will enable businesses to identify any new risks as they arise, together with the tactics to mitigate them.
- Periodically assess control effectiveness
Once the key controls have been identified, the next step is to conduct periodic control effectiveness assessments. This enables CROs to accurately assess how effectively existing controls are being used in real-world scenarios and adapt them accordingly.
- Conduct continuous risk reporting
To support risk assessments, risk metrics or key risk indicators should also be continuously collected, analyzed, and reported. This helps CROs maintain a more up-to-date and dynamic view of risks and key controls currently in place.
- Maintain accurate incident records
Learning from past mistakes is a crucial part of risk management. Keeping an accurate record of past incidents helps CROs understand what has gone wrong previously and how it was resolved. This way, similar incidents will be much easier to deal with should they arise.
- Identify control gaps
The combination of all the previous steps can help CROs identify areas of existing risk processes that need bolstering. Known as control gaps, these can be addressed accordingly to strengthen the business’s overall risk posture.
- Engage specialist risk expertise
It’s not uncommon to bring in dedicated risk experts to help assess emerging threats or in times of potential crisis. There are easy-to-use technology tools and platforms available today that harness complex risk information into a simple, at-a-glance view. This promotes better team collaboration for the earliest response should an immediate threat arise.
The Evolving Role Of The Chief Risk Officer
Recent high-profile cases have highlighted that ineffective risk management can lead to disastrous consequences. It’s easy to make comparisons between the CRO and the chess master and the need to think holistically about the organization and several moves ahead.
Risk management may have an assigned leader, but it’s a team – and a business – effort. Putting an effective risk framework in place and building an organization-wide team of people that share the risk burden to elevate risk management enables the CRO to focus on what’s most important.
As the risk awareness and vigilance of employees increases, the CRO becomes a valuable leader in driving decision-making in wider corporate matters such as M&A, ESG, and beyond.
Craig Adams has been with Protecht since 2020 as the Managing Director for EMEA to support the development of the company in this region. Craig has over 15 years of leadership experience working with a number of SaaS vendors helping them scale and grow their EMEA business.
Craig previously worked for a top 50 SaaS vendor. Prior to that role, he ran his own sales & marketing consulting firm, providing interim leadership services for North American SaaS vendors to incubate & scale their EMEA operations.
Craig has worked in the software industry for companies such as Diligent, HP, and TITUS.