The role of the Chief Risk Officer (CRO) has risen in prominence over the past decade, their profile shifting from a behind the scenes technical risk and compliance role that reported to the CFO or Legal Counsel, to a strategic and important member of the CEO’s inner sanctum.
The risk function has moved from being a ‘policeman’ to a business enabler. The Global Financial Crisis certainly elevated the role from the edges of an organisation to the centre and into the C-suite. The Financial Services Royal Commission has further broadened the profile of risk from financial and regulatory to one that includes culture.
As the CRO role has moved from operational to strategic, the status of a CRO has also changed. At Korn Ferry, we have seen an increase in demand for CROs who have the breadth of experience, pragmatism and commercial acumen to be an integral part of the executive team, in many cases they report directly to the CEO and Board and in the financial services sector, they almost all do.
Korn Ferry recognises that risk management plays a critical strategic role for financial institutions and other industries and one poor decision can dramatically impact a company’s bottom line or in some cases where the decision has catastrophic consequences, lead to insolvency. Risk leaders must have the political skills to navigate and manage complex relationships with regulators, boards, the C-suite, and other external shareholders. They must also have the business acumen to oversee current business operations, and the strategic agility to model for potential outcomes.
Today’s CRO will possess the strategic foresight to implement plans that qualify acceptable levels of exposure and minimise business losses. They will also have the strategic capability to work with the Board to set the risk appetite and tolerances for the business and ensure processes are in place to keep the business operating within those tolerances. They do this with awareness of the global political, economic and social factors that can influence their organisation and industry.
The contemporary risk function is expected to operate within four key areas; Strategic Partnership, Culture, Organisational Capability and Executive Leadership. The CRO requires the following skills and experience to lead these areas:
- Strategic Partnership – the CRO offers wise counsel and is prepared to challenge the CEO, Board and broader business. Risk aligns with the business with a pragmatic and balanced risk/reward approach.
- Culture – the CRO understands the present risk culture and strategically steers and develops it so it fits the needs of the business. The CRO creates an environment where learning from mistakes is possible while building a network across the organisation to embed a mature risk culture.
- Organisational capability – the CRO creates and maintains a pragmatic, business-focused framework and systems to support risk/reward business decisions and culture. This involves considering internal and external factors in the design and coverage of the function. The risk function partners with the business, enabling the business to take ownership of risk.
- Executive leadership – the CRO creates a vision and purpose for the risk function that inspires excellence in the business partnership to create credibility and value. The function is enterprise-wide and balances the framework, policy and process with forward thinking capability. The CRO constantly considers future challenges including succession and future-proofing the function.
Korn Ferry utilises proprietary data and proprietary processes to help organisations attract, develop, and engage risk management leaders with the varied skill sets and leadership capacity to oversee risk in organisational operations, regardless of size or geography. We apply proven strategies to help them navigate corporate culture and build functional teams. And we help them define and communicate their strategic vision and align the teams and processes to proceed thoughtfully and act confidently when risk is highest – and the opportunity is greatest.