CHAPTER 11
Rise of the CRO

INTRODUCTION

The 2008 financial crisis and subsequent scrutiny of corporate governance have put chief risk officers in the spotlight. I was interviewed by the Wall Street Journal for an article[1] aptly titled “Cinderella Moment: The Credit Crisis Means Chief Risk Officers Are Finally Being Listened To. But How Long Will It Last?” The article discussed the rise of CROs, their organizational prominence, and the abundant resources that they were receiving. It also discussed their key challenges in shaping corporate culture and establishing objective performance feedback loops. CROs have come a long way but they must demonstrate that they can add value as a member of the executive team.

In the past, CROs came mainly from risk management backgrounds, such as market risk, credit risk, corporate compliance, and internal audit. Reaching the CRO position was seen as the capstone for a risk management career. Today, many CROs come from business backgrounds and bring a much broader perspective to their jobs (i.e., they see the whole bell curve and not just the downside). Instead of a capstone, CRO positions can now be steppingstones toward the corner office and even the boardroom. Matt Feldman, whose profile is featured later in the chapter, represents this new class of CROs.[2]

Once only discussed in a financial industry context, chief risk officers are expanding into other highly regulated industries such as pharmaceuticals, energy, and insurance. But with greater exposure comes greater responsibility and accountability—the role has expanded beyond the purely technical. Increasingly, CROs are becoming integral to value creation and overarching business strategy. As companies continue to evolve their approach to risk management, the criteria they use to appoint a risk leader are evolving as well.

ERM is still a relatively young discipline, and the role of CRO remains fluid. The exact function of the chief risk officer can differ depending on the current circumstances of the company. If the firm's ERM program is mature, for example, the CRO's goal is likely to integrate risk into high-level strategy. If the company is recovering from a crisis, however, he or she might focus on guiding it toward stability. These are crucial tasks, and certainly comprise a portion of a CRO's duties. But without a clear overall vision of the role, any ambiguity could hinder any chief risk officer's effectiveness.

In a 2014 Harvard Business School working paper, Anette Mikes tracked the chief risk officer of a large toymaker for three years. At the onset of the study, this CRO's “responsibility concerned the design and facilitation” of the ERM program,[3] such as automating a number of critical processes. By the end, however, he had gained full support from upper management to focus on strategic risk oversight and value creation. For this reason, he referred to his function not as ERM, but as Strategic Risk Management (SRM). The evolution of the CRO's role was marked by key learning points—a project-based collection of risk information, a greater understanding of the importance of language, and the introduction of “act” issues (those accompanied by an agreed-upon and detailed action plan).

This study is a good example of what I mean by the fluidity of a chief risk officer's role. Even if the functions and goals are clear in the beginning, they will inevitably shift over time as the risk management process matures. To add to this dynamism, previous literature on the chief risk officer focused mainly on the banking industry. Translating strategies from a large financial institution to companies in other industries is difficult at best and may not always work.

In this chapter, I will provide a more comprehensive review of how chief risk officers work in the financial sector and beyond. We will touch on the rise of the chief risk officer before diving into key roles and responsibilities. And I will discuss potential pitfalls and challenges before laying out detailed steps for those starting a new tenure as CRO. My hope is that this chapter will guide companies to examine relevant criteria when selecting the right chief risk officer, and provide new CROs with a roadmap to success. At the end of the chapter, we will review the profiles and career paths of six current and former CROs.

HISTORY AND RISE OF THE CRO

The role now held by chief risk officers originated in the 1990s in the banking sector, where the initial focus was mainly on financial risks. During this time, risk management was expanding rapidly. Coinciding with advances in information technology, ERM practices developed sophisticated knowledge-based systems and quantitative risk-assessment tools. For example, quantitative tools such as VaR and economic capital enable companies to measure financial risks across products, asset classes, and business units.

I came up with the title chief risk officer in 1993 when I was working for GE Capital. I was tasked with setting up a new capital markets business with specific responsibilities for the middle-office and back-office operations. The middle office included credit, counterparty, market, and liquidity risks. In my first week on the job, I asked my boss what title I should put on my business cards. He simply said to come up with one that is appropriate for my responsibilities. My inspiration came from the technology side. At that time, GE Capital and other companies were appointing chief information officers (CIOs) whose job was to integrate different technologies and also to elevate IT to the executive level. I thought, why not create a CRO position to integrate multiple risk categories, and at the same time elevate the risk management agenda to the executive level? As the newly appointed CRO, I would be responsible for designing and implementing an ERM program. I held the CRO title at GE Capital and subsequently at Fidelity Investments.

Growing Popularity

Risk management came into sharp focus after the economic meltdown of 2008, when companies prioritized the development of comprehensive ERM frameworks. The value of CROs has risen worldwide as executives were appointed to guide and implement those frameworks.

Increased regulation has also aided the rise of the CRO. The Federal Reserve Board approved a rule in February 2014 that requires U.S. bank holding companies with assets of $10B or more to establish board-level risk committees.[4] As a result, 71% of surveyed institutions in the United States have such a committee, compared to 39% in Europe and 37% in Asia-Pacific. Notably, the prevalence of risk committees has proven to be a good indicator for the appointment of CROs.

Ongoing regulatory changes in Europe suggest that the percentage of financial institutions with risk committees (and CROs) will likely increase in the next few years. For instance, Article 44 of Solvency II requires insurance companies to have a risk management function that reports to the board. As of November 2012, 84% of insurers have CROs or intend to bring on a CRO.[5] On the financial side, Lee Guy, formerly of Barclays, joined Morgan Stanley as their European chief risk officer in July 2014.

While ERM in the United States and Europe is more mature than elsewhere, Asia-Pacific is not far behind. Already, 61% of surveyed institutions in the region increased board oversight of risk management after the financial crisis.[6] For example, OCBC Bank named Vincent Choo Nyen Fui as their new chief risk officer in August 2014. In a statement released by the bank, OCBC's CEO pointed to increased volatility and operational risks as key drivers for the appointment.[7]

As with any significant new development, there has been some skepticism about the increasing influence of CROs. For one thing, adding a new C-suite position challenges the existing executive structure. Critics have argued that other executives, such as the CEO or CFO, should already perform the responsibilities of a CRO. Each company department has different risks, that argument goes, and it's up to the CFO to manage those risks. Appointing a CRO, skeptics conclude, would cause redundancy.[8]

The best response to these critics is that the growth of ERM in both complexity and scope naturally leads to the need for a CRO independent of the CFO and even, to some extent, of the CEO. With more companies interested in developing their ERM systems, there is a greater need for risk leaders to implement them. Just as CIOs became more prominent with information technology advances in the early 1990s, CROs are now in the spotlight because of an increased focus on risk. Indeed, despite some pushback, companies have been adding CROs at a growing rate globally. Of 86 large institutions surveyed in 2012, 89% have CROs, up from 65% in 2002 and 86% in 2010.[9]

It should come as little surprise that CROs are most prevalent in highly regulated sectors and/or those industries with the highest risk profiles, such as finance and energy. For example, the three largest company categories in global consultancy CEB's Risk Management network are energy (18%), financial services (13%), and insurance (9%).[10] Obviously, regulatory pressures drive a need for ERM. For the same reason, the CRO role has expanded to other industries subject to intense regulation, such as pharmaceuticals, telecommunications, and health care. Perhaps not every company needs a full-time CRO, but I believe that any risk-intensive company should at least evaluate the position.

A CRO'S CAREER PATH

The risk management profession has expanded in many ways. In the past, risk managers could only aspire to become experts within a narrow risk function. Generally speaking, risk used to be a career path one fell into, not something one aspired to. Now, however, more and more people seek out risk concentrations as part of their higher education. The career ceiling for risk professionals has been all but lifted. CROs go on to become CFOs, CEOs, board members, and managing partners. For example, Paul Gallagher, who previously served as the head of risk at BNP Paribas Fortis and CRO at ABN AMRO, became the latter institution's CEO in 2013. Likewise, Goldman Sachs recently added CRO Craig Broderick to its management committee, the first time in its history that the company has elevated a CRO to that level.

A look at how CRO compensation has grown over the past few years also serves as an indication of the position's growing importance. Today a CRO generally earns as much as a CFO—up to $10 million annually at large financial institutions compared to $500,000 in 2001.[11] In the last five years, the average CRO salary has increased 7.5% across all industries, to $184,000.[12] The rise in salary is a product of the overwhelming demand for CROs and evidence that firms are placing greater emphasis on risk management.

THE CRO'S ROLE

Just as the importance of risk management has fueled the rise of the CRO, so too has the CRO's growing prominence expanded the profession's responsibilities. As a leader for overall risk management, the CRO is responsible for creating, implementing, and managing a risk management function across the organization. This broad, organization-wide mandate differs significantly from the traditional approach to risk management, which operates within functional silos and tends to treat each risk individually, without considering interrelationships or aggregation. For this reason, it is imperative that the CRO have the support of the board and senior management in order to be effective.

A successful chief risk officer should have a clear vision of his or her general responsibilities before accepting the job, whether they are to reinvent the risk wheel or to support an existing foundation. The CRO will then need to identify direct reports and information channels. Beyond the required technical credentials, today's chief risk officer needs a firm grasp of soft skills, such as the ability to communicate priorities, shape culture, and influence others.

Today's CROs have numerous responsibilities, including:

  • Providing overall leadership and vision for enterprise risk management, including addressing change management requirements
  • Establishing integrated risk management across separate business units in the organization
  • Overseeing the risk-taking activities of the organization, including organic and acquisition growth opportunities
  • Developing risk analytical and data-management capabilities
  • Implementing board- and corporate-level reporting in all risk areas and regulatory compliance
  • Developing risk management policies and quantifying firm-wide risk appetite
  • Communicating the company's risk profile to key stakeholders, including regulators, stock analysts, rating agencies, and business partners

This new, broader role faces three interrelated challenges that any CRO must work to overcome: reporting structure and collaboration, measuring and communicating the value of ERM efforts to key stakeholders, and making risk management an integral part of corporate culture. Let's look at these in detail one at a time:

Reporting Structure and Collaboration

For the uninitiated, CROs have a reputation for being naysayers—little more than in-house regulators. This is a bias that nearly every new CRO must overcome. But successful CROs are actually value creators who operate as partners to the board and senior management. The great challenge of a newly installed CRO, then, is to communicate this value to stakeholders from the board down to line workers. As a CRO gains trust and influence within the company, the role will naturally expand into operations, business development, and strategic decision-making. An effective CRO must be the consummate diplomat, forging relationships upward, laterally, and downward. To take just one example, a strong relationship with the CFO is a key driver of success. It allows the CRO to drive value generation rather than mere cost savings. A successful partnership between the CRO and CFO can implement more holistic risk management, promote a clear vision of global strategy, and support business growth and profitability.

So what does an optimal reporting structure look like? A CRO at a large financial institution generally acts as an independent member of management with a direct reporting line to the CEO. This can often cause friction among C-suite members, especially if the CRO, CFO, and CEO have different views on balancing risk and profit generation. Let me be clear that a little difference of opinion is healthy. What we have to be wary of is conflict that halts progress and innovation. These nonproductive tensions within the C-suite are one of the biggest obstacles to developing the CRO role to its fullest capacity.

One solution is to establish a dotted-line relationship between the CRO and the risk committee or audit committee of the board. An added benefit of this reporting structure is that it will increase the independence of the CRO. For a dotted-line reporting structure to work, it is important that the organization establish a few ground rules, including risk-escalation and communication protocols, as well as the role of the board and management in hire/fire decisions, annual goal setting, and compensation programs for the CRO (and chief compliance officer). The CEO also needs to buy into this reporting structure.

Even with these adaptations, there remains considerable ambiguity when it comes to the CRO's position within an organization. Many CROs outside the financial sector, for instance, still report through the CFO.[13] However, CFOs often have operational responsibilities such as treasury functions and sometimes IT and HR. It would be difficult for the CRO to provide independent oversight over these functions.

Communicating the Value of ERM

We have already considered that companies who adopt ERM programs receive both intangible and quantifiable benefits. These benefits can be traced back to the CRO. In other words, the value of the CRO is inextricably linked to that of ERM itself.

Often, a CRO's ability to mitigate risk and reduce regulatory issues is the sole measure of his or her success. But the CRO must challenge this approach and show that there can be a working balance between risk and profits. For instance, the CRO can offer alternative perspectives to enrich high-level decision-making. A successful CRO not only manages risk but also uncovers opportunities for growth. By identifying risks and exploring sustainable competitive advantages, the CRO creates impact not only by preserving value but also by developing strategies that create value anew.

The clearest way to evaluate ERM and the CRO role is to measure success with objective metrics. This is already the case for disciplines including IT. Companies can measure a CIO's success using metrics such as the percentage of projects that met or exceeded expectations, for example. By contrast, ERM is rarely evaluated via quantitative measures. It's not that such metrics don't exist; rather that they are rarely employed. In reality, there are several effective tools for evaluating the success of a company's risk management program. Examples include the minimization of unexpected earnings volatility or the maximization of risk-adjusted profitability. Other tools include key performance indicators (KPIs) and key risk indicators (KRIs) that can compare a company's risk profile (actual risk level) against its risk appetite (target risk level). The typical board may not be familiar with all of these metrics, so simply presenting them is not sufficient. The CRO must educate the board and persuade it of their usefulness.

Bear in mind that while these metrics are quantitative, they are nonetheless dependent upon an individual firm's business model and approach to risk. For example, the World Bank uses a software tool to analyze operational risk based on detailed questionnaires. Risks are scored and aggregated to expose areas of concern.[14] Such a questionnaire would look quite different, however, when deployed at a healthcare provider or energy firm. In other words, the specific metrics used, and the way they are analyzed, will inevitably vary from firm to firm. With that said, I believe that there should be some quantitative measures of value in place.

Instilling a Risk Culture

What gets measured gets managed, so implementing the appropriate risk metrics will lead to changes in decision-making and behavior. However, the CRO must go beyond quantitative metrics to effect culture change through risk awareness and education programs. As ERM continues to mature, the goal becomes less about creating risk infrastructure and more about fostering a risk-intelligent culture.

History tells us that the biggest hurdle to change is usually a cultural one. The risk function is often seen as the police force or naysayer, putting the brakes on innovation. A clear example of what happens when a company doesn't buy into risk culture is the collapse of Lehman Brothers. Although the company had talented bankers and sophisticated analytics, senior management repeatedly ignored then-CRO Madelyn Antoncic's warnings of impending disaster. While the board seemed to value her input during a strong economy, they turned a deaf ear when the economy weakened and the firm had to take greater risks to meet earnings expectations. In particular, CEO Dick Fuld chose to disregard Antoncic's warnings about the bank's risky exposure to mortgage-backed securities. She was sidelined for months as executives continued to engage in high-risk bets. Despite Antoncic's protests, the bank raised its risk limits from $2.3 billion to $3.3 billion. When she was fired in 2007, the company raised the limit to $4 billion. Lehman Brothers famously collapsed shortly after, in 2008.

Clearly, in order for a CRO to implement change, the board and CEO must be supportive. The board must prioritize the CRO as a key C-suite executive with an independent voice. The CEO must set the tone at the top, embracing ERM so that the company as a whole embraces it as well. Only with this support in place can the CRO promote a risk-aware culture throughout the entire organization.

At the same time, the CRO must forge relationships laterally across senior management and the heads of other business groups. Managing risk can't just be the CRO's job. Risk has to be a firm-wide concern, and senior executives must not only understand its value but also accept ownership for risks that fall under their purview.

The CRO must spearhead this buy-in. As we will discuss in the next section of this chapter, this is why CROs need strong soft skills such as the ability to motivate change. Implementing culture change is arguably one of the toughest challenges in a CRO's journey.

HIRING A CRO

What does the ideal CRO look like? The many CROs I have worked with come from diverse backgrounds, including business, risk, legal, audit, and finance. There is no clear path to becoming a CRO; history has shown that great candidates can come from different disciplines. Nonetheless, there are a few criteria to look for when appointing a CRO. First, he or she should have core technical skills. Moreover, there are crucial soft skills such as leadership, the ability to influence others, and excellent communication. Whether hard or soft skills are more critical depends on the ERM maturity and culture of the organization. Let's take a look at these skill sets in greater detail:

  1. Technical Skills: The CRO should have technical skills in order to develop the analytical frameworks and risk assessment tools across the risk areas:

    • Core risk, financial and quantitative modeling skills
    • Experience in strategic, business, credit, market, and operational risks
    • Knowledge of compliance and regulatory requirements in the relevant industries
    • A solid foundation in strategic planning and capital management
    • A deep understanding of the business and competitive landscape
    • Critical-thinking and problem-solving abilities

    A firm should look for a CRO who has at least 15 years of risk and/or industry experience. Direct experience in risk management or finance functions is a plus, but the more important criterion is knowledge of the industry's customer base, value proposition, and regulatory environment. Having experience in the firm's most crucial risk function is also desirable. A company that faces market risk wouldn't want to bring in a CRO who has never dealt with it, for example.

  2. Leadership: The second skill set to look for revolves around leadership. A CRO must be a trailblazer for change, identifying opportunities and strategies to drive business growth and long-term goals. Specifically, a CRO needs to:

    • Drive innovation and change.
    • Manage diverse risk teams.
    • Lead the implementation of various tracks in the ERM program.
    • Have credibility with and the trust of C-suite executives, the board, and regulators.
    • Provide thought leadership and introduce new management approaches.

    It's one thing to be able to analyze and summarize risk; it's quite another to have the credibility to influence business decisions and effectively improve processes. A leader with a seat at important meetings gains visibility and the opportunity to include risk in the conversation. At the same time, however, anyone in the CRO role is likely to receive heavy pushback, particularly if risk management is a relatively new concept in the organization, and especially if they are the company's first CRO. A chief risk officer needs to stand firm in his or her beliefs and have the courage to provide objective opinions. In times of doubt, the CRO must lead by example, ensuring that risk management teams have the skill and capacity to be effective. It's easy to lead when everything is going smoothly, but has this candidate successfully led a team through a crisis?

  3. Evangelism: The third skill set centers on the ability to convert skeptics into believers. CROs must motivate change. Though they are responsible for risk oversight, they need to influence others in order to do so, even as they encounter strong resistance. A candidate whose resume includes technical aptitude and leadership skills still may not be the best choice if he or she can't influence others. The evangelistic skills to look for are:

    • Self-awareness and authenticity
    • The ability to persuade management to “buy-in”
    • A desire to provide risk-related guidance on strategic business decisions
    • The capacity to deliver timely and practical advice to individual risk owners
    • A willingness to promote a positive risk-aware culture

    A CRO who must change a culture that may have been decades in the making faces a tough challenge with much at stake. Culture change is often the biggest hurdle to the success of an ERM program. If individual managers don't understand why they must take responsibility for their business unit's risk, the battle could be lost. For these reasons, a CRO candidate should have a history of influencing others and implementing change. If they have been successful in the past, it is much more likely that they will be successful in the future.

  4. Communication: The last skill set to look for in a CRO relates to communication. This isn't just the ability to speak well or even to listen carefully. It means having a high EQ and the ability to engage others through timely and transparent dialogue. Communication is often the most important tool for driving culture change and raising awareness. Specifically, a CRO needs to:

    • Listen to the board, senior management, key stakeholders, and all other levels of the firm to understand their needs and expectations.
    • Deliver concise and direct information supported by facts and data.
    • Simplify complicated risk information using language that is understandable to someone who has little to no risk background.
    • Engage key stakeholders to build trust and value within the organization.
    • Have an understanding of complex business issues and the ability to explain them to others.

    The CRO needs to set a clear vision for the firm and communicate top priorities for implementing that vision. An additional benefit of excellent communication is an engaged, collaborative team. A strong CRO will include business-unit managers as early as possible in the implementation process to garner valuable feedback and win their support. As managers seek out the collaboration of other employees, they will be better positioned to integrate risk tools in their day-to-day activities.

    A Harvard Business Review study listed “translation” as a top competency for risk management chiefs.[15] Effective communication, the researchers found, begins with removing technical jargon from reports and deliverables to make them more understandable and to better engage one's audience. The repercussions for failure can be dire: In the study, the group that used technical jargon to suggest economic capital forecasting as a tool for aggregating risks was shut down. An effective CRO will help others understand ERM tools, interpret the results, and drive action.

A CRO'S PROGRESS

What do a new CRO's first few months look like, and how do priorities change over time? A successful ERM process is deliberate, planned, and fluid. Most importantly it takes time. Depending on the current structure of the firm, a CRO's journey to strategic business partner could even take a few years, but he or she should be making a positive difference well before that. A CRO's path may involve four fundamental phases: uncovering risk appetite, developing tools, embedding culture, and creating value.

1. Uncover the Firm's Risk Appetite, Strategy, and Goals

A new CRO's first task is to understand the ins and outs of the business. Before jumping into program development, a CRO should be clear on not just the organizational dynamics of the company and its operations, but also the mission and values it supports. Some appropriate questions to ask might be:

  • What does the short- and long-term strategic landscape look like? Plugging directly into the company's competitive position and strategic goals helps focus priorities and emphasizes to others the link between risk management and strategy.
  • How does risk strategy fit into business objectives? Again, the answers to this question in a company without a strong risk culture may be vague and subjective. It is the CRO's job to strengthen the relationship between risk and strategic objectives.
  • What makes this company tick? What are the driving principles and values? Who are the decision makers and influencers at the company, on the board?
  • What are the company's risk appetite and limits? These may be new concepts, so the CRO might need to interpret highly qualitative responses into quantitative measures.

While engaging others in the organization to gauge sentiment toward risk, the CRO should also assess the company's risk absorption capacities prior to any risk-management efforts. Here's where an effective stress-testing program can help. The results of a stress test can help a CRO understand the firm's risk profile and define its risk appetite, as well as identify, plan, and set risk strategy. They also provide an excellent tool for demonstrating the need for ERM.

2. Develop an Appropriate Risk Framework

Next, a CRO should develop a framework that includes the definition of roles and responsibilities, implementation of various risk management tools, and documentation of risk policies. Using tools such as risk-assessments, key risk indicators, loss-event databases, risk analytics, and scenario analyses, a CRO can create an effective risk infrastructure that supports ongoing ERM operations. In this stage, a CRO's goals are to:

  • Implement a risk framework that integrates the firm's strategy and risk appetite, using key metrics that tie specific risks to business objectives.
  • Assign clear roles and responsibilities for risk management throughout the organization.
  • Create transparent processes and procedures for evaluating, measuring, managing, and reporting risk.
  • Incorporate risk management practices into performance evaluation and compensation plans.

A note on this last goal: Revising compensation plans to reflect risk management results is a relatively new concept. It comes from the need, exposed during the financial crisis, to better link risk responsibility with performance. Especially in risk-intensive institutions, risk officers should provide feedback during executives' annual reviews. Either the CRO or CEO should bring up risk assessment when the conversation moves to bonus appropriation.[16]

A new CRO settling into his or her job will naturally revisit and revise steps 1 and 2 as new challenges come into play. There will likely be some process of trial and error as the CRO develops proper risk management tools and receives feedback. In the end, the CRO should take the firm's ERM to a level of maturity that is appropriate for the size and complexity of the business. On the way, a clever CRO can create a virtuous cycle of continuous improvement: The more understandable and rhythmic the framework, the easier it becomes to drive culture change.

3. Embed Risk into the Firm's Culture

The third and most important step in a new CRO's journey is embedding risk into the firm's culture. Risk culture is the bridge between risk assessment and value creation. It also means integrating risk into the first line of defense with respect to business and operational decisions. It can make or break a new ERM program. Sustainable culture change begins with improvements in risk practices from Steps 1 and 2. Once an operational system is in place, the CRO can focus more on promoting positive risk culture.

A CRO should work to embed a strong risk culture by:

  • Working with the board and CEO to set the tone from the top, emphasizing the importance of risk management in achieving the company's strategic objectives
  • Developing strategies alongside managers that balance revenue generation with intelligent risk taking
  • Holding workshops and training programs to instill a common risk taxonomy and vocabulary among employees
  • Having one-on-one meetings with managers and executives to address specific concerns
  • Creating a positive learning environment with sufficient training and education
  • Conducting annual risk culture surveys to gauge where the company is relative to target risk culture attributes

It is important to note that risk culture is not an input or lever that management can control directly. Risk culture is an outcome or consequence that is derived from the many ERM components that we have discussed throughout the book. If a company doesn't have the desired risk culture, it must change one or more of these components.

4. Become a Strategic Business Partner

Earlier in this chapter, we briefly touched on CROs becoming strategic business partners. This is the fourth and final stage of a CRO's journey. Once a CRO has established an operative ERM framework and nurtured a strong risk culture, he or she can devote more time to business strategy.

The best CROs are not only facilitators of good risk management practices. They are also key participants in strategic decision-making who have formed strong relationships with the CEO and executive team. A CRO should engage with other members of the C-suite and provide opportunities for value creation.

CROs will know they are at this stage when:

  • Risk is integrated into decision-making within the C-suite and across business units.
  • There are measured improvements in the ability of the company to reach its strategic goals.
  • The CRO and other risk officers have high visibility with upper management.
  • Dialogue between board members naturally involves risk; members are comfortable with the language of risk management.
  • The CRO may suggest increasing risk when good risk/return opportunities are present and the company has excess risk capacity.
  • The organization, particularly senior management and the board, fully understands the value of the CRO.

I believe that the true value of a CRO reaches full realization at this stage. Once CROs have established the elements of a full-fledged ERM program, they can create value by promoting risk-informed decisions. In practice, it takes time, patience, and flexibility to reach this stage.

Chief risk officer is a relatively new position, particularly outside the financial sector. But it has quickly proven to provide significant value to organizations across the globe. There is no common path to becoming a CRO, and the role may shift depending on the maturity of a company's risk program. Nonetheless, great CROs share a few common attributes. They are technically knowledgeable not only in their own field, but in the business in general. They have strong leadership qualities and the ability to communicate well and influence others. These so-called “soft” skills are particularly important when it comes to developing a risk-aware culture across the organization and becoming a strategic partner who contributes shareholder value and helps steer the direction of the company.

CHIEF RISK OFFICER PROFILES

Over the next few pages, you'll meet six prominent ERM practitioners, all of whom are or once were chief risk officers. Each of these professionals took a separate path to becoming a CRO, with backgrounds such as theoretical mathematics, commodity trading, and policymaking, and they work in different industries. But while their experiences are widely varied, they share a few commonalities. Each, to one degree or another, had a hand in defining their role as CRO. Some were even the first to hold that position in their organizations. Each felt that the most important skills they brought to the job were strong leadership, communication, and collaboration with their peers. While all are highly proficient, technical abilities seem to take a back seat in their narratives. As you read their stories, think about where each of these professionals came from—and where their careers in risk management ultimately took them.

Paymon Aliabadi, EVP and Chief Enterprise Risk Officer, Exelon

The Importance of Change Management

Paymon Aliabadi's journey to risk management began more than 25 years ago at Pacific Gas & Electric (PG&E), where he was among the first wave of gas traders in the United States. His job was to optimize PG&E's gas contracts, and he innovated this task by taking risk (in the form of Value at Risk) into consideration before the advent of sophisticated software platforms to do so. Other traders quickly adopted the spreadsheet that Paymon created to calculate VaR. This eventually led to the development of an entire book about risk that was distributed throughout the company's gas department, and which Paymon would later present to the company's board.

In 1998, the energy sector began a period of restructuring. PG&E moved away from a trading model to a merchant business, acquiring pipelines, developing merchant assets, and building a national footprint through partnerships with companies such as Shell and Bechtel. Risk became a more prominent focus for the company, which asked Paymon to become PG&E's corporate risk manager. With its enterprise-wide approach to credit aggregation, credit exposure, and aging bad debt, the position made Paymon a prominent player in ERM. In addition, the company tasked him with creating and deploying a proprietary ERM system.

In 2013, Chris Crane, CEO of Exelon, approached Paymon about joining the $27.4 billion energy provider as CRO. Crane made it clear that Exelon wanted to implement a risk management framework across the enterprise, a novelty at a time when active risk management was typically limited to the trading floor. The company was concerned about growing risks from new endeavors such as fracking and shale gas, and so established the goal of installing a best-in-class framework that would reduce negative surprises.

Paymon knew that the buy-in of senior management and the board would be key to his success at Exelon. At the time, CROs in the energy sector did not typically have broad authority, but rather reported to the CFO, leaving risk management dependent upon the financial function and subject to its priorities. He asked for assurances from Crane that he and the board would support, sponsor, and champion risk management, to which Crane agreed.

Implementing a New Risk Management Framework Through Restructuring

Paymon's first act as CRO was a 90-day plan to lay the groundwork for an enterprise-wide ERM program. He spent the first few weeks meeting with teams across the company to better understand its various lines of business and overall corporate culture. Then, he laid out the foundational elements, budgeting, staffing, and scheduling for phases of ERM implementation.

One of Paymon's goals was to integrate risk into day-to-day operations. He established an eight-person ERM operations group tasked with creating risk-management positions embedded in key functions. He formed a seven-member analytics group, and transferred 10 employees from trading to enterprise credit roles. Additionally, he established that each of Exelon's operating committees would include a director of risk management. These accomplishments didn't occur overnight. It took between nine months and a year to create and fill the new positions.

Before Paymon's arrival, the risk management committee was a cumbersome 50- to 60-person operation whose deliverable was a lengthy monthly report. Paymon often found himself chasing down initiatives raised at this committee's meetings only to discover little follow-through. At Paymon's recommendation, a smaller group of senior executives has replaced this committee, meeting biweekly to make decisions and take action. The group is armed with a standing agenda and a project template with metrics, established standards, and next steps for maximum efficiency.

Taking a Pause to Clearly Define ERM Value

Eighteen months after his first day as CRO, Paymon had filled all of the risk management senior positions and decided to take stock. He reached out to different teams in Exelon for feedback on Exelon's ERM implementation. He found that Exelon's trading group implemented risk management most effectively, with well-defined roles and clearly established processes. However, the broader organization had little understanding of risk and how it affected performance. Many divisions, such as the Utilities and Generation Companies group, had only recently implemented risk management policies. There was a sense that the new, company-wide emphasis on risk management was moving too quickly, leaving many individuals behind.

Paymon's inquiries led him to realize that he needed to focus on change management. At this stage, Exelon had already made good progress against its benchmarking models but there was a concern that further improvement could face roadblocks. “We wanted to take a momentary pause to the extent appropriate, invest some time in education, and explain best-in-class risk management to every stakeholder.”

One of the biggest challenges in earning this buy-in, says Paymon, was getting an impatient management to recognize that speed of execution is not the only success metric. Implementation required an investment in training and communication that can't help but impact daily operations. “Risk management is a very fuzzy concept, and as you start to explain to folks some of the principles, it gets very technical,” he argues. “It is important to balance the speed of execution and change-management education.”

His goal during this pause was to demonstrate ERM's value proposition in order to generate a base of support from stakeholders to build upon in the future. Paymon engaged consultancies to help with the ERM roadmap and provide coaching for the senior leadership. This work made clear how ERM could support and drive business strategy, add value, and foster partnerships. I give Paymon a lot of credit for thinking outside the box to address a common stumbling block in ERM implementation through this thoughtful approach to stakeholder engagement.

What's Next in Energy?

Looking forward, Paymon sees risk management continuing to increase its focus on supporting strategic growth, rather than merely reducing negative risk. People are uncomfortable with uncertainty, he reasons, so one of the educational tasks that the risk group must take on is letting management know that it's okay to move forward without complete information—as long as you've established contingency plans and a process of evaluating progress. Certainly, he notes, there will continue to be an emphasis on compliance. But in the energy sector, he sees two key areas of focus: operations and innovation.

On the operational side, high-profile negative events such as the 2010 PG&E San Bruno failure,17 the BP Gulf of Mexico oil spill, and recent spills off the California coast, have led to increased public and regulatory scrutiny that demands more rigorous risk management. Paymon sees the utility part of the energy industry getting closer and closer to being compliance focused like the banking and financial industry.

However, the future of energy production promises tremendous change and innovation for the industry. Future CROs in the energy space will need to focus more on strategic risk as emerging technology such as renewables and micro-grids promise seismic shifts in business models. What renewable energy projects should companies invest in? How will they manage inevitable failures and dead ends? Should companies reduce strategic risk by holding off investing in new technology until it proves its worth, or might such caution put them behind the innovation curve?18 This, along with the growth of analytics, drives how risk committees need to react to future trends.

Advice to Aspiring CROs

Finally, I asked Paymon what advice he would give to aspiring CROs. Here's what he told me:

Understand business fundamentals and the space you're working in. Having actually been in the business and managing the business earns you credibility, respect, and trust. The second thing is emotional intelligence. If you're too aggressive, you can wear out your welcome. If you're too passive you can be pushed over. The key is building relationships and having strong people skills.

Then, you need to have that fine skill of being operationally focused on the one hand while able to quickly change pace and become very strategic. You need to take strategic and fuzzy concepts and information, and translate them into actions, programs, and tactical steps.

The biggest hurdles new CROs are going to face are not the technical aspects, Paymon concludes. Culture, change management, and education are as important as modeling risk. ERM is still a relatively new field, he emphasizes, and it needs time and collective experience to mature. As you take out your new, shiny fleet, you want to make sure the rest of your sailors are behind you.

Matt Feldman, CEO, Federal Home Loan Bank of Chicago

From CRO to CEO

When Matt Feldman became CEO of the Federal Home Loan Bank (FHLB) of Chicago in 2008, he broke the perceived career ceiling for chief risk officers. Matt served as the bank's chief risk officer from 2004 to 2006, and prior to his appointment as CEO, few expected risk professionals to reach that level.

Matt's earlier tenure as CRO was marked by a vastly improved relationship with the bank's regulator, the Federal Housing Finance Board, which had been problematic when he stepped into the role. He used his 15 years of experience at Continental Bank, where he had interacted with regulators around the world, to repair that relationship with open communication, transparency, and responsiveness.

Focusing on Change

From the outset, Matt saw FHLB Chicago's problem as demanding transformative, not incremental change, which he says requires assuring that people, systems, and stakeholders are all focused on the same outcomes so that the organization is moving in one direction. As CRO, he realized that he had to align the bank's culture to bring risk management into the decision process.

As CEO, Matt committed to open communication with the Board of Directors and providing the board access to a much larger group of executives than had previously been the case. A highly engaged and well-informed board with a large group of executives who had direct access to the board was key to the transformation of the Bank. This same open approach to communications was essential for the Bank to gain credibility with its members, which are both the owners and primary customers of the Bank, as well as with other important constituencies, such as the other FHL banks and the regulators of the members.

The Bank faced a number of challenges as it sought to recover from its own difficulties while the Great Recession unveiled new, significant risks for the Bank and its member institutions. Matt had learned how vulnerable large financial institutions can be from his experiences at Continental Illinois, and the Chicago FHLB was no exception. At its lowest point, the bank's market value (marked-to-market value) of equity was negative $740 million. With the transformation that occurred, the Bank achieved a positive change in market value of over $5 billion.

Recovering from the Brink

Matt began his tenure as CEO by creating a new senior executive team with executives promoted from within the Bank. He continued to build management's relationship with the board by opening new communication channels so that the board had a better understanding of what was going on throughout the company. To better align senior management with strategic goals, he based compensation on key performance measures. Until the bank was profitable, none of the executive team would receive incentive compensation, and he deferred his own incentive compensation even further—until the bank paid a dividend. “I thought this was an important statement to make to the membership that our interests were aligned,” he recalls. “We were not going to receive incentives for improving the bank. We were going to receive incentives for fixing the bank.”

Having served in both roles, Matt emphasizes that CROs and CEOs must work together. While technical skills are important for CRO candidates (particularly to earn the respect of subordinates), an ability to communicate effectively is essential. What's more, CROs must maintain an organization-wide perspective, with the same fundamental understanding of the business as the CEO. That is not to say that there can be no difference of opinion, he cautions, only that a CRO should understand how to manage risk within the broader business context. Those skills, Matt argues, make CROs good candidates for the top position. “There is no reason to believe that a CRO need end their career as a CRO,” he says.

The best general advice for success and ability to grow in an organization, Matt tells me, is this:

Try to follow your passion, so that even on bad days you don't have any qualms about getting up in the morning and arriving at work with a spring in your step. Focus on making meaningful contributions to the organization. Don't limit yourself to simply fulfilling your job description. If you see a need for change, try to handle it in a helpful, not obstructive manner. Guide rather than hammer the organization into the place you'd like to see it. Sometimes that requires a little more patience, and often requires a lot more pain. It is wildly more effective if you do it that way.

Excellent advice from one of ERM's most successful practitioners.

Susan Hooker, Former CRO of Assured Guaranty

ERM as a Multidisciplinary, Cross-Functional Role

In many ways, Susan Hooker's career in risk management has paralleled the evolution of ERM itself. She began with credit risk. After receiving an MBA in finance, Susan started working in a start-up operation with Financial Security Assurance (now part of Assured Guaranty Corp.), the first mono-line financial guaranty company to focus outside the municipal area. In this role, she proposed underwriting standards for new products, developed initial corporate financial models, put reinsurance programs in place to syndicate the company's underwriting risk, and informed decisions on the company's financial operations as a whole. This required her to delve deeply into the underwriting operations behind the company's business-generation efforts, the firm's financial operations and information systems, and the legal, rating agency, and regulatory constraints that the company faced.

Over time, Susan took on successive roles at different organizations that touched on risk management across markets and at all stages of a company's life cycle: expanding financial guaranty operations to London for both Financial Security Assurance and Assured Guaranty; becoming chief underwriting officer of Assured Guaranty; and re-underwriting portfolios and adjusting the mix of business lines as executive vice president at RVI Group. Most recently, until 2015, she served as CRO of ACA Financial Guaranty, managing the run-off of its book of business following the 2008 financial crisis. Susan says her big takeaway from these experiences was that chief risk officer is a multidisciplinary, cross-functional role that requires a clear understanding of how ERM fits into the organization's strategy and operations as a whole.

Managing Credit Risk and Satisfying Rating Agencies

Financial guaranty companies insure principal and interest payments under various types of debt obligations, and Susan's main responsibility at Assured Guaranty and at ACA Financial Guaranty was managing the risk of payment defaults in the insured portfolio. At the front end, with Assured Guaranty, this meant establishing clear underwriting standards and applying them consistently to new business opportunities. At the back end, with RVI and ACA, she re-underwrote existing risk portfolios to identify weaknesses and direct loss mitigation efforts. She also focused on assessing the companies' capacity to cover insured liabilities, examining asset–liability risk characteristics and ensuring capital and liquidity resources were adequate to meet claims. In addition, Susan directed remediation efforts with non-performing credits, set loss reserves, adapted to new regulatory requirements, and put proper risk systems in place. Much of her focus was on tracking market developments that influenced portfolio risk. “New types of investors targeting distressed debt were creating new dynamics in loss mitigation,” she says. “It is important to understand the differing motivations of investors, and to be alert as the market introduces new instruments that can be used to hedge portfolio risk.”

Ratings agencies such as Moody's and Standard & Poor's are key players in the financial guaranty business. The value of financial guaranty policies depends on maintaining high credit ratings that can reduce interest costs for bond issuers. In order to continue to write business, guaranty firms must satisfy these agencies that they have sufficient capital to support portfolio risk. For this reason, credit agencies serve as de facto regulators. As CRO, Susan was responsible for demonstrating capital adequacy to rating agencies.

The Importance of Managing Cross-Functional Relationships

One of Susan's accomplishments at Assured Guaranty was developing a risk management framework that would allow the company to move successfully from what had been almost exclusively a reinsurance operation to an operation that could encompass primary business on the municipal and non-municipal side, as well as international operations. This required developing a deep understanding of the different stakeholders within the company so that she could make a realistic assessment of the resources required to broaden operations and obtain buy-in from these constituencies.

As Assured Guaranty's chief underwriting officer, Susan reported directly to the CEO. Overall management of the company was conducted through several C-level management committees. Susan led the committees that focused on risk-related decision-making, for example, those that established loss reserves, underwriting policies, transaction approval, and credit remediation. Multiple levels of approval were required before any proposal was brought to a management committee, and one of Susan's critical roles was to keep an open dialogue with different functional areas (finance, legal, marketing) to identify concerns and smooth the way for ultimate committee approval. Understanding the different priorities and goals of each functional area was key to her success at Assured Guaranty.

When talking about the challenges of engaging staff in risk management practices, Susan says that “there was significant pushback due to a lack of understanding of the changing market dynamics and the need to continually reassess long-held views. So, trying to get people to acknowledge that analytical tools and practices need to change at different stages in a company's life cycle was difficult. For example, risk management for an active underwriting operation required a very different approach than at a company in wind-down mode, and some people were not able to make that transition.”

Looking for Growth in the CRO Role

Susan agrees with me that CROs have seen their roles grow in the past ten years, which she compares with an earlier growth in the CFO role. “I'm hoping that there will be an equal importance placed on the CRO role, which will mean that future CRO candidates must be truly multidisciplinary,” she says.

Specifically, Susan believes that an aspiring CRO should be able to communicate clearly across disciplines and cut through jargon to clarify technical concepts. For example, it is critical for the CRO to get their technical experts on board to support the CRO's initiatives. Those experts are quantitative innovators and serve as a third-party check to risk strategy. “As a CRO, you always need to look for the next and the new, but you can't fall into the trap of going with the crowd and assuming that the next biggest risk of your industry as a whole is indeed the most relevant for your company,” she says.

She also feels that risk management must shed its gatekeeper reputation. “It doesn't help to just say no,” she says. “A CRO needs to help people understand the source of discomfort with any given business or operational proposal so they can work together to figure out ways to mitigate the risk. Just pointing out problems isn't enough. You have to go the next step and figure out how the problems can be overcome.”

A good lesson is looking at the opportunity side of risk management.

Merri Beth Lavagnino, CRO, Indiana University

Bringing Risk Management to Academia

If you had asked Merri Beth Lavagnino five years ago where she'd be today, she would never have said risk management. With 30 years of experience in higher education, Merri Beth has traced an unconventional journey to the CRO's office that reflects a strategic mindset and passion for her vocation.

In her previous post as Indiana University's chief privacy officer, Merri Beth had been tasked with establishing IT policy and complying with data protection laws, a natural fit given her IT background. When the university sought to create a centralized compliance office, they put Merri Beth in charge of the project. Soon after, the board was looking for a new chief risk officer. When the university finished their nationwide search, they found that many applicants had extensive ERM knowledge but little to no background in higher education. They didn't know the business, and they didn't know the university. So, they turned to Merri Beth in 2013, and she accepted the challenge.

Different Mission, Different Metrics

The structure of Indiana University's ERM function is different from what we might see in the corporate world. First, Merri Beth's focus is only on strategic ERM and associated risk mitigation for the university rather than the full gamut of risk management. Indiana University has a separate group to handle insurance, loss control, and claims. Individual business units and subject-matter experts handle operational risk management. Merri Beth manages the work of the Enterprise Risk Management Committee, which sets priorities, requests action, and monitors results.

Risk management is still a new concept in academia, and Merri Beth faced challenges that she says arose from a prejudice against so-called corporate approaches. ERM's reliance on accurate measurement of metrics and their impact against the bottom line, for example, raised hackles. But Merri Beth argues that metrics, though different from the ones a corporation may use, are nonetheless important. “The university's primary goal is to be an outstanding undergraduate and graduate institution,” she says, “but what does outstanding education look like? How do you measure it?”

Accordingly, one of Merri Beth's proudest accomplishments was the creation of a set of risk metrics that reflected an academic institution's unique mission. The ERM Committee focused primarily on strategic risk, developing measurements for risks, including likelihood and severity of impact on academic quality, incoming student quality, public perception of the university, net revenue and expense, safety, and distraction from the mission/turmoil. As you can see, many of these seem purely qualitative. For example, the academic quality metric includes measures of faculty recruitment and retention as well as the quality of faculty, teaching, and research. Merri Beth established a ratings scale based on professional consensus that applied numerical values to these otherwise subjective criteria. A rating of 1 means that a specific factor posed little risk. At the top of the scale, a rating of 5 means that the situation has potential long-term consequences and the University risks damaging its status as an elite educator.

Most of IU's strategic risks are unique to higher education, as compared to corporate risks. For example, one of the biggest risks the university faces is competition from high school and community college credit as alternatives to first- and second-year curricula. If students choose to take dual credit courses in high school, they will likely skip introductory courses such as Biology 101. This could impact tuition income, and if this trend grows, curriculum adjustments to respond to a disproportionately large proportion of juniors and seniors could cause reductions in staff for first- and second-year programs and services, and growth of those serving third and fourth years. Another risk has gained national attention in recent years: sexual assault. Merri Beth and Indiana University are tackling the problem with increased focus and resources aimed at mitigating the risk of sexual assault on campus.

Gaining Acceptance and Trust through Communication

Communication is a key weapon in Merri Beth's battle for the hearts and minds of academia. Her office publishes a monthly environmental scan newsletter, The Risky Academy, and distributes it to about 200 of the University's ERM participants. Articles illuminate trends affecting risk in higher education. A recent issue reported, for instance, that “64% of responding NCAA athletic trainers and team physicians said that concussed athletes had sought premature clearance to play, while nearly 54% felt pressure from coaches.” Items are categorized by risk area (athletics, research, student life, etc.) for easy scanning, but Merri Beth hopes that readers will look beyond their own field to better understand risks to the entire university. That in turn should increase the maturity and effectiveness of their day-to-day and long-term decision-making.

Despite these successes, Merri Beth acknowledges that academic culture is not going to change overnight. She still faces pushback when it comes to defining risk appetite, for example. She thinks she'll wait out the current ERM cycle before raising the subject again, perhaps substituting the term risk principles or boundaries for the corporate-sounding risk appetite. In addition, because so much of enterprise risk in higher education centers on strategy, Merri Beth feels that the chief risk officer and the chief strategy officer could work more closely. “I'm interested in continuous strategic planning and continuous risk management,” she says. “Strategy and risk management work best when they work hand in hand. CROs will have to increase their skillset in communication in order to connect with different stakeholders within the university.”

To new risk practitioners, Merri Beth offers this advice: Build a strategic mindset. Understanding how to manage risk across the entire organization and forging a strategic vision are more important than acquiring technical knowledge. That, she adds, will come with research and practice.

Merri Beth is a trend setter in academia, where she is demonstrating that ERM can add value in strategic risk management.

Bob Mark, CEO, Black Diamond Risk

Making Risk Transparent

Bob Mark is the CEO of Black Diamond Risk, a provider of corporate governance, risk management consulting, risk software tools, and transaction services. He has over 20 years of experience in risk management, previously serving as the CRO of Canadian Imperial Bank of Commerce (CIBC) and as partner in the Financial Risk Management Consulting division of Coopers & Lybrand (C&L). An ERM pioneer, Bob received the GARP Risk Manager of the Year award in 1998.

Bob's journey to the risk management space began when he was a PhD student in applied math at New York University. Already interested in the use of mathematics in the financial space, Bob eventually focused on trading and risk management under the guidance of his thesis advisor, Ed Thorp, author of Beat the Dealer: A Winning Strategy for the Game of Twenty-One. As one of the early quantitative minds in risk management, Bob was driven to discover how quantifying trading risk could help reduce it.

Balancing Risk with Growth

When CIBC decided to create the position of chief risk officer, they sought a candidate with market experience—someone who understood risk, who would take action, and who could use aggressive expansion tactics in the treasury area. CIBC, one of Canada's five Tier 1 banks, was in the midst of an aggressive strategy that included increasing market share and expanding into new capital markets. What's more, they were growing by leaps and bounds in derivatives. For these reasons, the bank was looking to up its risk-management game, and Bob delivered. During his 10 years at the bank, CIBC led innovation in the use of risk management techniques. Following the Basel Committee's adoption of Basel I in 1988, CIBC was among the first banks in the world the governing body approved for all areas of market risk detailed in the accord. Under Basel I, banks were required to categorize their exposures into various asset classes, which were then used to establish an overall risk multiplier. The Basel Committee not only approved CIBC for all asset classes, but they also assigned it the lowest multiplier among member banks.

Creating Risk Transparency

One of Bob's top priorities as CRO was to make CIBC's risk more transparent to the board and management. That meant educating these groups in identifying and prioritizing risks. Luckily, he had a direct reporting line to the CEO, and sat on the board's management committee. Early on in his tenure, Bob enumerated the bank's top 10 risks and took the time to explain why they were important and what potential effects they could have. He recalls an occasion when those risks became manifest, on a day when the markets moved dramatically and the bank saw significant losses. “I remember going to the board and describing [the root causes behind] the loss,” he says. “Things went wrong in a variety of places, but 93% of those losses could be attributed to the top 10 risks I'd outlined previously. I remember the CEO saying, ‘You know what? We're not happy that we lost money, but we're very happy that the risk was made transparent.’”

Essentially, despite the losses, the bank's management committee understood that they entered into the situation with their eyes open thanks to Bob's analysis. This is a great illustration of a point I've been making throughout this book: Risk management doesn't equal zero risk. Rather, it means taking smart risks, and being prepared for potential negative consequences.

Getting CIBC's board and management to understand risk in these terms didn't happen overnight. When Bob first arrived at the bank in 1994, its risk function consisted of 100 or so relatively inexperienced employees. By 1997, his staff numbered 700. But Bob didn't just increase headcount. He notes that one of the biggest challenges was finding—and keeping—the experienced practitioners he was looking for. At the time, risk professionals were not highly compensated, but Bob understood that their value grew with experience, and that he would need to convince the board that they had to be compensated accordingly. How? By showing that risk management could positively impact the bottom line. Although driven in no small part by quantitative application and analytics, Bob's success speaks to a softer side of ERM: collaboration, risk culture, and transparency, as well as the power of persistence.

Finally, I asked Bob what advice he would give to aspiring CROs. Here's what he told me:

A CRO has multiple stakeholders and you need to see the world from the vantage point of these stakeholders. Stakeholders include shareholders, the board, the management committee, business units, the risk team and regulators.

Clarity of thought is essential to be an effective CRO. Success hinges on your ability to effectively communicate and partner with all stakeholders in order to make the risk transparent.

At some point in your career it is important for you to work in a revenue generating function. You must think of managing risk in both defensive and offensive terms since risk management and risk taking aren't opposites, but two sides of the same coin. If you see the world from the perspective of a business unit that is making choices about risk in relation to reward, then you can more effectively (in your role as a CRO) help your company manage their performance from a risk-adjusted return perspective.

Jim Vinci, Former Chief Investment Officer, Sierra Vista Advisors

Prioritizing Risk on the Front Lines

Risk management has long been central to Jim Vinci's career, but lately it has become a matter of life and death. Jim once served as chief risk officer or partner at large financial institutions including Lehman Brothers, PricewaterhouseCoopers, Paloma Partners, and Mount Kellett Capital Management. But a change of heart made for a rewarding and dramatic career change.

In 2011 while chief investment officer of Sierra Vista Advisors, Jim joined his town's volunteer ambulance corps. His initial motive was to give back to his community in his spare time. He soon discovered, however, that he enjoyed the work—so much in fact that in 2013 he left his 30-year Wall Street career to enroll in the paramedic training program at New York's St. John's University. He recalls a day in Queens in 2012 when he responded to a woman in traumatic cardiac arrest and intubated her in the middle of the street. The moment he felt her pulse return, he knew this was what he wanted to do full time.

Jim sees many parallels between his CRO days and being a paramedic. There is a similar sense of urgency and accomplishment when overcoming challenges. One of his toughest as chief risk officer was gaining buy-in for risk management within the organization. He compares the role of a risk manager to that of a hockey team's goalie. A goalie can't possibly block every shot if the team's defensive line is ineffective, he explains. Similarly, a risk manager can't be expected to mitigate every risk if front-line managers fail to prioritize risk management in the first place. “You have to find a balance,” he says. “There has to be some level of buy-in and support.”

At Lehman Brothers, Jim focused on market risk and leverage while making a point of showing the C-suite how risk measurement can benefit shareholders. When he moved to PwC, he advised clients on risk issues and consulted with management to craft market-risk measurement and capital allocation methodologies. Jim considers his holistic approach to business as one of the most important drivers of success. You can't be a good risk manager, he argues, unless you understand the bottom line and how the business operates.

Jim applies this balanced mentality toward his day-to-day work as a paramedic, which combines business considerations, emergency medicine, and no small degree of selflessness. Whether risk management or healthcare, Jim's enthusiasm is clearly contagious: Not long ago, his daughter followed his career path by becoming an emergency medical technician.

NOTES
