It’s CRO Performance Evaluation Time

February 21, 2025 | 1 minutes reading time | By Brenda Boultwood

Chief risk officers need to understand how CEOs assess their impact and value, as well as how they can properly express their worth.

As a former chief risk officer, I remember well that time of year for the formal annual appraisal process. A CRO acquaintance recently called to ask for my advice on feedback he received on his performance evaluation.

In his performance review, the CEO was challenging him on his impact. The CEO said that while he, as CRO, had presciently flagged the top risks, he did not prevent all bad things from happening. If this is the case, the CEO asked, what was your value?

When you are stunned, as the CRO, by your annual performance management feedback, formulating a proper response to a critique is difficult. It may be an uncomfortable discussion, but it could go something like this:

You remind the CEO that your role as CRO is to provide decision support, where highlighting top risks and providing the implications for business management is an important and challenging task. Your team, you emphasize, ensures regular risk assessment – bottom-up from the staff, top-down from the board of directors, and horizon scanning of external risk assessments by industry thought leaders. Your team, you elaborate, has worked hard to present this simply in management and board reports, as well as during regular management committee discussions.

On preventing all negative outcomes from happening, you remind the CEO that good risk management provides decision support for leaders across the organization.

Risk vs. Reward

We know that risk often represents opportunity. CROs would never wish to eliminate all hazards, because we want leaders to take risks to realize market opportunities. However, accountability for risks rests with business management. Preventing all risks is simply too expensive and noncompetitive.

But as you run through this dialogue with the CEO, you may very well be on the defensive. How, then, can the CRO take the offensive, proactive approach to shape the narrative and ensure a clear, widely held view of his or her contributions to the success of the organization?

To answer this question, we need to consider that the typical CRO job has three dimensions: roles and responsibilities, the value added by risk management, and the importance of the top risk executive in achieving organizational objectives. Let’s now probe a bit deeper into each of these layers.

The Role of Risk Management

Risk managers have clear roles. Foundationally, the CRO is responsible for the implementation of a risk management framework appropriate for the organization’s strategy and business objectives.

Aligned with the board of directors, CROs are responsible for risk oversight – a term that often includes the regular review and assessment of all aspects of the risk management framework.

Figure 1: An Enterprise Risk Management Framework

For many CROs, the enterprise risk management (ERM) framework (see Figure 1) is a work-in-progress, with practices varying by the level of risk management maturity. CROs often manage an organization-wide roadmap to achieve the desired risk management capabilities. They are also responsible for “challenge,” or raising questions about the business application of the risk management framework to transactions and business decisions.

Part of the CRO’s job is to build an effective ERM foundation and to highlight its value. A strong framework offers a plethora of benefits, such as (1) alignment of risk-taking with the organization’s strategy; (2) prioritization of organizational activities, which reduces redundancy and complexity and enhances efficiency and agility to respond to stakeholders’ needs; (3) integration of risk management into business activities to enable earlier detection and response to shifting enterprise risks, both external and internal; (4) consistent management of both financial and non-financial enterprise risks within an established risk appetite; and (5) prioritization of risk treatment action plans via improved decision support.

Through ERM, you can also communicate the critical risks, create a shared vision and ownership of risk, maintain flexibility to respond to new or unanticipated risks, and embed risk management into an organization’s culture – emphasizing, for example, the ability to speak about risks without fear of retaliation.

There is one additional set of criteria to clear. As CRO, you will be evaluated based on the following standard appraisal criteria for executive performance and leadership:

  • Financial performance. How do you manage the team budget and contribute to budget management of other departments when risk management initiatives require resources from across the organization?
  • Strategic leadership. How have you contributed to long-term planning and helped the organization adapt to external changes?
  • Operational efficiency. Have you adopted innovative technology, process improvements and quality control?
  • Team development. What’s your ability to grow talent within your own team, attract talent from elsewhere in the organization and externally recruit necessary skillsets?
  • Stakeholder engagement. Do you have good relationships with peers, regulators, rating agencies, investors and customers?
  • Ethical conduct. Do you follow the proper protocol and do your morals align with corporate values?

As the CRO, you may be convinced of all the value you are adding. You may feel strongly you are fulfilling your roles and responsibilities, contributing value and achieving all your leadership objectives. But your perception may be just that.

The value and impact of your work is a narrative that you must help design and broadcast, and follow up with communication to the CEO and across the organization. There’s always more work to do, and your team must be recognized for the ERM framework they manage, the oversight they provide and the value they bring to the organization daily.

Practical Advice

If you are a CRO, you should ask for a weekly meeting with the CEO. Should that request be granted, be prepared to provide regular updates about things like your team, your risk framework roadmap, and ad hoc items. The idea is to make sure the CEO is aware of all the important items crossing your radar.

It would also be logical to ask the CEO to tell you, regularly, how you are doing. This way, you can take steps to ensure that your work and the business surprises you encounter never catch the CEO off-guard.

There will be important hygiene factors involved in these high-stakes meetings. For example, you will need to be flexible about last-minute schedule changes and know they are not personal. You should also never overstay your scheduled time, and understand that wrapping up early demonstrates well-organized thinking and respect for time.

If these regular meetings are not possible, ask if the CEO would be amenable to reading a weekly email update. Whatever the form, be persistent and know the CEO needs to hear all this from the CRO directly, as you help create his narrative about your performance.

Parting Thoughts

Performance management feedback is a gift, and all CROs should therefore strive for honest conversations and regular interactions with their CEOs. In a profession designed to help an organization avoid extremely unpleasant “surprises,” every CRO should take steps to ensure they are never similarly stunned by CEO feedback.

 

Brenda Boultwood is the Distinguished Visiting Professor, Admiral Crowe Chair, in the Economics Department at the United States Naval Academy. The views expressed in this column are those of the author and do not reflect the official policy or position of the U.S. Naval Academy, Department of the Navy, the Department of Defense, or the U.S. Government.

 

She is the former Director of the Office of Risk Management at the International Monetary Fund. She has previously served as a board member at both the Committee of Chief Risk Officers (CCRO) and GARP, and is also the former senior vice president and chief risk officer at Constellation Energy. She held a variety of business, risk management and compliance roles at JPMorgan Chase and Bank One.

Topics: Career Development
