20-10-2016 | POINT OF VIEW
The Evolution of the CRO

The regulatory agenda doesn’t focus on optimising shareholder value – instead it aims to maintain financial stability in the economy.

CROs are placing so much emphasis on meeting regulatory requirements that there is little thinking on what the actual tangible risks are for their firm. Where CROs are meeting the specifications as outlined by their job descriptions, in reality they’re not the specifications needed for effective risk management.

Regulation has led to complexity squared. Brexit will lead to complexity cubed and the digital revolution is taking that complexity into the fourth dimension. In order to counterbalance this, risk management needs to change. In fact, because there are so many risks out there we don’t yet know about, it should instead be called ‘managing uncertainty’.

Right now, CROs simply follow the regulatory agenda, whilst regulators are currently focusing on four high-priority areas:

  1. The Inherent Riskiness of the Business Model
– where and how are earnings generated, is there an extreme or concentrated dependency on a particular source or sources and how is the associated risk articulated and addressed?
  1. Tail Risk – has a competent process been established to identify tail risks and have the risks been objectively and realistically assessed vs. being underestimated?
  1. Pricing – does pricing reflect the inherent riskiness of the business model and the assessment of tail risks?
  1. Risk Governance Model – how well defined and embedded is the risk governance model? Is the assurance function being used as a management control or substitute for quality assurance and peer review practices by risk taking areas and the risk management function? Does the governance model align with and support the principles of a sound risk management and control culture?

However, adopting this approach often results in risk being organised into silos, with no integration and no one having an overarching awareness of what the core risks are.

What can we learn from disasters in other industries?

Fukushima Tsunami – asking the ‘crazy’ questions

A risk manager looking into whether Fukushima Daiichi was suitable place for a nuclear plant would likely have carried out a series of stress tests to assess the riskiness of this decision.

When assessing the impact of a potential tsunami, the highest predicted level would likely have peaked at 3 metres, and if a risk officer had suggested a possible peak of 10 metres it would have been confined to the realms of fantasy. In reality however, the tsunami of 2011 peaked at 30 metres.

It was a similar rejection of extreme possibilities and a reliance on manageable levels of risk that lead to the financial crisis. There was a view, generally accepted, that the largest expected loss of a diversified portfolio of subprime debt couldn’t be higher than 5%. In reality, it reached 40%. It is therefore up to CROs to ask the ‘crazy’ questions, in order to properly assess the impact of differing levels of risk.

BP Oil Spill – reading the warning signs

Looking at the share price charts, the BP Deep Horizon oil spill of 2010 probably wouldn’t have been forecast as all indicators pointed towards a growth phase.

In order to understand, and to a certain extent predict, what happened, a look at the key performance indicators would have demonstrated that there were reasons to be suspicious. It also illustrates the importance of understanding a company’s DNA; thereby seeing the risks based on what the company is striving to achieve.

BP was motivated by an ambition to continually grow, making riskier acquisitions and increasingly working with third parties. A look at the recent history prior to the spill reveals collapsed joint ventures, explosions and smaller oil spills. None of these accidents were too serious in isolation, but as a collective show a risk culture which increased the probability of failure.

This illustrates why CROs need to have an acute understanding of more than just a company’s compliance, but also the culture of the company itself. It’s not enough to look at charts in silos, risk needs to be integrated so CROs can join the dots.

Lessons learned from the subprime mortgage crisis

What became apparent in the wake of the financial crisis was that while regulatory instruments and structures had been built, and while conventional wisdoms and assumptions had been developed, these faced no real challenges and were in effect taken as gospel.

Meanwhile risk teams were collecting lots of data, and spent time looking at processes, but with no one asking the right questions. If they had, alarms may have been raised sooner.

Today we do have stress tests, and that’s a good thing, but it’s not good enough, as we also have to look at profitability and revenue. The new regulatory instruments have been put in place to protect the financial system and maintain stability in the markets, but they bear no consequence on the riskiness of one particular company. It is up to CROs to take it that step further, add value to the business by becoming a trusted adviser, tell companies where the risks really are and ensure they have a seat at the boardroom table.

An Integrated Business Model

In order to best mitigate these issues, traditional silo based functions such as Finance, Risk and Operations need to be reorganised both in terms of competencies and architecture into an integrated model managing the complexities. Parker Fitzgerald works with clients to identify how they can best readdress their business models to best meet these challenges – for example, by linking P&L and Risk, which is a strategic imperative for regulatory initiatives such as BCBS 239, Stress Testing and MiFID II.

Silos cripple the ability to think. By operating in an integrated way, CROs will be better able to assess where the business model is viable and where it is vulnerable. It’s crucial to have a strong understanding of the commercial vision and strategy of the company, the competitive environment and the commercial environment. From this, CROs can address three key questions: Do you think the business model is viable? Do you believe that it’s sustainable? Where is the business vulnerable?

Integration is also vital in ensuring risk departments actually deliver tangible value. On average, compliance equates to 30% of a company’s costs, but with the added weight of Brexit and the manpower it will require, this is likely to rise significantly. Add to this the digital transformation journey that companies need to embark on – an issue that will be bigger than the whole of Brexit – and real challenges arise for those who aren’t fully prepared.

While in practice it may seem like a tall order to run a truly integrated business model, it is imperative that firms move in this direction if we are to avoid another financial crisis.

Conclusion – how the CRO should evolve

In essence, CROs need to be ex ante, and not ex post. It’s not enough to operate on a merely reactive basis to new regulation as it arises. CROs need to be proactive, and core drivers of innovation, by identifying risks early and gaining detailed knowledge of a company’s weaknesses by joining the dots.

Break down all silos where possible, understand what the core integrated risks are and use Risk Enterprise to support the CEO in managing the business.

After all, the difference between risk and uncertainty is that risk is a metric that can be identified and measured. Uncertainty is about being able to cope with the unknown unknowns – which is why it is imperative we become Chief Uncertainty Managers, not Chief Risk Officers.

For more information contact:


@p_f_g - Parker Fitzgerald