With risk playing a role in many IT-related endeavors, such as data and physical security efforts and privacy and regulatory compliance initiatives, who keeps track?
Enter the chief risk officer, who acts as an organization's linchpin for enterprise risk management (ERM), including IT and data security. CROs are fast becoming familiar faces among C-level executives at large organizations. According to Forrester Research Inc. in Cambridge, Mass., the executive ranks of any company that has revenue of at least US$1 billion and can be classified as "critical infrastructure" -- such as financial institutions, energy companies and health care providers -- are likely to include a CRO. By next year, three quarters of large, critical infrastructure organizations will have a formal ERM office with a CRO or equivalent role, according to Forrester.
After its early emphasis in financial services, ERM has played an increasingly crucial part in business planning across industries during the past several years. Its widespread acceptance was spurred in part by regulations such as the Sarbanes-Oxley Act for accounting oversight and Basel II for measurement of international banking capital. As different types of operational risk also get included under the ERM umbrella, the CRO's job is to eliminate the "fragmented" approach to managing risk, according to Forrester. With government regulations and the rise of corporate governance policies addressing enterprisewide risk, Forrester and other analyst firms have hammered on the importance of having a single point person in place to oversee its management.
"With the fragmented, siloed approach to risk management, there is no one watching risk across the organization," Forrester analyst Michael Rasmussen wrote in a December 2004 report on ERM trends. "In today's complex business world, one weak spot can impact the entire business. Without a framework to work within, and someone in charge of risk management, organizations are running in the dark."
An Expanding Role
One key to success for CROs is the ability to see the range of risk variations that can crop up across the enterprise. At The PMI Group Inc., a mortgage insurance company in Walnut Creek, Calif., the CRO position was created in 2003 to monitor international credit-risk operations. But the position's description has since been expanded to encompass risk throughout the company, including strategic, operational, external, financial, IT and security (both data and physical) operations.
"Without an enterprise view, things can be missed because you can't connect the risks," says Joanne Berkowitz, chief enterprise risk officer at PMI Group. "If you're just looking at your own little world and don't have an idea of how what you're doing will affect what someone else is doing, you could [inadvertently] create risk for the company."
In IT, Berkowitz says, disaster recovery illustrates this concept.
"We have very detailed business-resumption plans and capabilities. To create these, people in the business units worked closely with me and with our CIO to identify which systems they depend on and to prioritize their recovery times," she says. "This is particularly important because an increasing proportion of our business is automated; 90 percent of our business now comes through systems."
James Lam, president of James Lam & Associates Inc., an enterprise risk consulting firm in Wellesley, Mass., agrees that the ability to see the big picture is key for the CRO.
"The key to success is having a strong background in the most critical risks to the company. You also have to look beyond your specific silos, across the enterprise, and have a comprehensive point of view," he says. "Organizations are realizing that a risk manager can help achieve a company's business objectives while he or she defends it from threats."
An effective CRO has a range of skills that vary depending on the business focus, says Berkowitz.
"There isn't just one set of skills that will work for a CRO, and they'll vary at each company," she says.
The position requires the ability to take a holistic view of the risks that might affect operations anywhere in the company. To that end, the CRO must work with other C-level executives, as well as with business unit managers, says Berkowitz.
"We're attempting to be proactive and to adopt good governance. Here, everyone would agree that the CRO is the person who's leading that effort," she adds.
With a CRO who takes a comprehensive view of risk across an organization, ERM can become a key piece of an overall business plan.
Webster is a freelance writer in Providence, R.I. Contact him at john.s.webster@verizon.net.