Other board members and C-suite executives are overwhelmingly confident in their risk management practices, but CROs still aren’t being given a proper seat at the table. A recent survey by Deloitte found that senior stakeholders overstate their risk capabilities, proving what many risk professionals have long felt: risk managers are underrated.
There is a mismatch within organisations between how risk management looks on paper versus how it operates in practice. While nearly all the companies included in the survey indicated that risk is being managed in an official capacity – 87% reported having a full-time CRO or an equivalent – the more important question is whether those roles are defined accurately and properly designed to contribute their full potential.
CEOs are increasingly aware that risk management goes beyond risk avoidance. The upside of risk – the value creation – is an area with ample room for development, especially given the opportunities presented by emerging technologies. “Risk management needs to address both value creation and value protection,” says Sam Balaji, global risk advisory business leader at Deloitte. “CROs play an important strategic role to help executive management and boards balance risk and opportunity. This is especially true in the era where digital disruption is the new normal.” 87% of organisations say they recognise the benefits of risk management driving value creation, yet fewer than 18% of those surveyed in Deloitte’s report are making conscious efforts in this regard.
The structure of the CRO role has traditionally been designed to focus on threat avoidance. Only about two-thirds of companies in Deloitte’s survey had a full-time CRO, and for those without, often either the CRO role is part-time or risk management duties are folded into another position. In either case, risk management is often relegated to a “check-the-box” type of activity that limits the scope of any efforts beyond threat avoidance.
To fully capitalise on risk opportunities, the CRO should hold a C-suite position. Only two-thirds of CROs report directly to the CEO and only one in ten reports to the board, according to Deloitte. To align the realities of the CRO position with senior stakeholders’ interest in using risk management to drive value creation, the CRO must have the opportunity to collaborate with the executive team on strategy.
This will expand the historic duties of the position by enabling risk managers to form direct relationships with the C-suite and the board as a strategic partner. “CEOs and boards are realising the importance of risk and reputation and are relying on the CRO to provide insight that drives key strategic decisions,” says Chuck Saia, CEO, Deloitte Risk and Financial Advisory.
While CEOs and the C-suite are quick to confirm the importance of risk managers, those managers remain underrated in practice. “Given the pace of change and these findings,” says Balaji, “it is clear that a healthy dose of self-reflection accompanied by concrete action is imperative to harness the power of risk management to achieve market leadership.”
However, looking to the year ahead, there are promising signs that such a change may already be underway. “We’re seeing chief risk officers in industries that typically haven’t had them in the past, such as travel and hospitality services,” says Saia. “That’s a clear indication that risk is an increasingly top-of-mind concern for organisations. I see the elevation of the CRO role continuing in 2018 and beyond.”