Positioning risk management to succeed

Jim DeLoach of Protiviti is an old friend. We enjoy discussing risk management over a meal, finding that we agree on far more than we disagree. Where we do disagree, it may be more a matter of how we express ourselves, or due to our different positions and perspectives (he is a consultant and external advisor to boards and executives, whereas I was an executive practitioner, now retired).

His work always, in my experience, merits our careful attention and reflection.

Jim recently wrote Positioning Independent Risk Management to Succeed: 6 Ways to Support the CRO. Here are some excerpts and my comments:

DeLoach: If the board, senior management and operating personnel believe that the CRO is the only person within the organization who is concerned with risk, the game is over before it begins. In these situations, there is a major source of dysfunction lying in the weeds, and it is merely a matter of time before the organization falls victim to it.

Marks: Absolutely correct and a good observation. Decision-makers need to understand and consider everything that might happen and make an intelligent and informed decision. Such a decision leads to taking the right levels of the right risks, which in turn leads to achieving objectives and success.

DeLoach: Effective CROs are concerned with what the institution’s leaders may not know and, therefore, must occasionally offer a contrarian point of view; otherwise, the decision-making process may end up flawed with “group think.” In today’s environment, decision-making processes should be driven by objective assessments of the risk/reward balance, rather than by the emotional investment, management bias and short-termism that underlie dangerous organizational blind spots.

Marks: If the leaders don’t know, why is that? The CRO should help all decision-makers think about all the things that might happen, and do so in a disciplined manner. Teach them to fish rather than giving them fish. In addition, the CRO should question the analysis of the potential for reward – not to tear it down but to ensure it has the same rigor as exercised on the potential for harms. Finally, it’s not about “balance”. Any decision will have multiple ramifications and the CRO can help facilitate the consideration of all of them, not singly but as a combination.

DeLoach: In many organizations, board risk oversight is enhanced when the board and executive management are supported by an effective independent risk management function.

Marks: In many organizations, setting up an independent risk management function creates an atmosphere of mistrust and impairs success. The CRO and his team must consider themselves as aides to management rather than the police function that prevents them taking too much risk.

DeLoach: Tension within an institution between its market-making and control-related activities is inevitable and should be encouraged. Striking the appropriate balance between the two is fundamental to what a CRO attempts to achieve.

Marks: A system of internal control enables success, not just prevents harms. Thinking of the risk function as limited to preventing harm prevents it from achieving its potential.

DeLoach: The “Champion” CRO advances and enables the organization’s risk management framework and plays the roles of coordinator and integrator (to ensure consistency across operating units and functions), educator (as a provider of insights), facilitator (of risk assessments and formalization of risk mitigation plans), consultant (regarding application and execution of the risk management framework), communicator and reporter. Champion CROs often establish, communicate and facilitate the use of appropriate risk management methodologies, tools and techniques; facilitate risk-related meetings; and work with risk owners to provide transparency into the capabilities around managing the priority risks across the institution.

Marks: Agree, but let’s add the role of mentor, helping decision-makers understand how to identify, assess, and respond to all the things that might happen as they make decisions.

DeLoach: The CRO establishes and communicates the organization’s risk management vision.

Marks: It’s not about managing risk for its own sake, but knowing when and how to take the right levels of the right risk. Risk management vision is a myopic view that focuses solely on limits to harms. Sometimes, it is right to go all in!

DeLoach: To serve as a second line of defense, a CRO must have sufficient stature with business line leaders and across the organization. Stature comes from the authority, compensation and direct reporting lines that command respect.

Marks: Stature comes from consistently producing results, to the extent that leaders across the enterprise recognize the CRO and his team as helping them and the organization succeed.

DeLoach: The CRO role should not be perceived as a check-the-box compliance function that forces the business to follow rules imposed on it.

Marks: Agree, and this is achieved by acting as a partner in and to the business, helping them succeed rather than policing them.

DeLoach: The CRO should have open and free access to the board (or a board subcommittee).

Marks: Yes, but this should be seen as required only in an emergency. If the CRO cannot work constructively with management, he is failing.

DeLoach: If there isn’t a CRO (or equivalent executive) and/or an independent risk management function, executive management and the board of directors may want to inquire why, in the context of the nature of the entity’s risks inherent in its operations.

Marks: Sorry, Jim, but that’s the wrong question. Let’s get the board to ask the CEO whether and how he has confidence that the right risks are being taken and that decisions across the extended enterprise are intelligent and informed. Further, ask whether the reporting of performance against strategies and objectives includes the likelihood of their success and what might happen to limit or extend success. The CRO doesn’t have to be totally independent to be effective!

Please contrast this article and comments with my other blog on From Risk Management to Risk Leadership.

I welcome your comments.

  1. July 22, 2017 at 4:18 PM

    Reblogged this on RISK-ACADEMY Blog and commented:
    Very nice summary by two of the world’s prominent leaders in risk. I will publish a video soon, because I may have an alternative view

  2. July 22, 2017 at 7:15 PM

    Very interesting

  3. John
    July 23, 2017 at 7:43 AM

    How long can an Internal Audit VP or Director hold this position or, maybe better yet, how long before an Internal Audit VP or Director is asked to hold this position (perhaps permanently)? Does independence take a back seat in this situation?

    • Roger
      August 20, 2017 at 5:06 PM

      Very interesting point, John. I support both views in the conversation, preferring the Norman Marks picture of the ideal world. Yet it is apparently inconsistent with any concept of the risk champion exercising independence. My resolution would be to understand that the CRO is part of management (limited independence), whereas the CAE (Internal Audit VP) is absolutely not, and has full independence. They should not be the same individual.

  4. Glenn Daly
    July 23, 2017 at 2:37 PM

    Agree, Norman, except for “if the CRO cannot work constructively with management, he is failing”. It takes two to tango. Should not this be the “organisation” is failing? My suggested apparently minor correction to your views has some significant implications, if thought through carefully.

    • Norman Marks
      July 23, 2017 at 2:39 PM

      He is failing but it may not be his or her fault

      • Glenn Daly
        July 23, 2017 at 2:42 PM


        • Glenn Daly
          July 23, 2017 at 6:41 PM

          And if it’s not his or her fault, I am not sure it’s his or her “failing”. Right? As I mentioned, it is more of an “organisational” failing. Why this occurs… no one likes discussing it (least of all consultants), so I will not bother either.

  5. Jim DeLoach
    July 24, 2017 at 9:04 AM

    Thank you, Norman, for calling attention to my article. Context is important, and the reason I formulated the distinction between the “champion” and “line of defense” CRO is we at Protiviti often get the question, “How do I set up a risk management function?” We point out that that is the wrong first question. The correct initial question is what does the board and CEO expect of a risk management function? Nice to be in your line of sight, my friend, take care of yourself.

    • Norman Marks
      July 24, 2017 at 9:20 AM

      Totally agree, Jim. I also like to figure out how risk management needs to be set up to deliver what the organization needs. Often, the board and CEO don’t know! They are too distant from operating decisions that are made every day.

  6. Oscar Girola
    July 24, 2017 at 10:06 AM

    I think there are excellent ideas and comments here that should be taken into account and/or incorporated into the DFG sales presentation and meetings. What do you think? Hugs!
