For chief risk officers at banking institutions, having the ear of the chief executive has proven necessary but not sufficient.
To really be effective, companies also need to make sure that their CROs have unobstructed access to their boards, and vice versa.
Those lines of communication, if they weren't open before, certainly are open now at many banks. At Fifth Third Bancorp, for example, CRO Mary Tuuk has regular executive sessions with the board's risk and compliance committee, without any other members of management in the room, and meets monthly with the committee chair, again without other management present.
Tuuk has had what she calls a "dotted-line reporting relationship" with the risk committee since its inception in 2003, and she also makes presentations at regular meetings of the full board.
Risk management experts and corporate governance watchdogs say that those kinds of interactions provide an added aura of authority for CROs, and another layer of controls within a company. And even then, things may still go awry. But as companies reassess their tolerance for risk and the ways to apply it to decisions ranging from loan approvals to executive bonuses, maintaining a CRO-board dialogue — even after the financial crisis passes and the scrutiny of risk management practices comes down from its current red-alert level — will remain critical.
"There seemed to be minimal or nonexistent two-way access, or even one-way access, between boards and CROs at many of the large banks when we've looked at them in years past," said Patrick McGurn, special counsel on corporate governance issues for the advisory firm RiskMetrics Group Inc. "Coming out of this meltdown of the sector … there has been a recognition that there are going to have to be these lines of access."
The recognition appears to have spread quickly. In a 2009 Deloitte LLP global survey of 111 financial institutions, 53% said their CROs reported directly to the CEO, up from 42% in 2006. The percentage of respondents who said their CROs have a reporting relationship with the board or a board-level committee — either in lieu of or in conjunction with a direct reporting line to the CEO or another officer — jumped from 37% to 52%.
McGurn said he sees "a lot of resignation" on the part of CEOs that directors are "likely to be more noses-in on these issues now." Directors, meanwhile, are scrambling to get up to speed on risk issues they may have glossed over in the past. And risk managers themselves are glad for the attention to their work, and for the extra influence they can wield when empowered with access to the board.
While reporting into a CEO generally is "viewed positively" by risk officers, many want the additional option of dealing directly with boards, said Emma Hawkins-Haile, whose London search firm, Hawkins Haile, places risk professionals at financial firms around the globe.
"I have definitely seen in my high-level candidates great concern around whether or not the role reports directly into the board, as they believe this is often evidence of how seriously the organization takes risk and has it as an embedded part of their organization," she said.
Veteran risk manager William Martin knows how important the power of board access can be, as someone who has been granted it, stripped of it and bestowed with it again.
When he joined the old NatWest Group years ago, Martin was thrilled to have the opportunity to make regular board presentations, a task he described as terrifying but exciting. When the firm got taken over by Royal Bank of Scotland Group PLC, which had a different governance structure, his contact with the board stopped.
"Losing that report into the board took away a lot of my authority," Martin said this month at a conference of the Global Association of Risk Professionals, for which he is trustee board chairman.
In an interview from his office at Commonfund, the asset manager where he now serves as chief risk officer, Martin said he once again has a line into the board, reporting into the vice chairman and audit and risk management committee as well as the firm's CEO.
"That direct report adds credibility and responsibility to the role of the CRO," Martin said. "In reporting to the CEO, you're talking about hard things — numbers, analysis, capital, potential losses. Reporting to the board, you're talking about what I would call softer things — you're talking about ethics, you're talking about risk appetite. In practice, the softer issues are the harder issues."
Hank Prybylski, global financial services risk management leader at Ernst & Young LLP, said some banks have taken the idea of board access even further, extending the dialogue to executives outside the risk function.
"One of the best practices we'll hear from board risk committees is that you shouldn't just talk to the CRO but that you should also be talking to the heads of the business," Prybylski said.
"The heads of the businesses own the risk. The CRO is a lens into the organization [but] shouldn't be the only touchpoint for a board committee."