Images of a Chief Risk Officer

Indians are euphoric this April due to two major victories, one that is an Indian passion and the other is slowing making India hollow. Yes, I am talking about two most common words you are likely to hear this season – Cricket and Corruption. The elation of Indian cricket team winning the World Cut hadn’t died down when Anna Hazare launched his protest against the Lokpal Bill. Government bowed down to the public protest and both the wins made Indians proud.

The two events got me thinking. The Indian cricket team honored Sachin Tendulkar with the win. Each team-member said they wished to honor him for 20 years of dedicated commitment to Indian cricket. Sachin’s attributes are that he has domain knowledge of the game, an expertise few players have, he mentors and supports junior players, team depends on him for taking them out of tough spots and he is dependable and reliable. He doesn’t have a formal leadership role. He gave up captaincy when he realized he is not suited for it.  Clearly a man who knows his strengths and limits!

If you see Anna Hazare, he is a 72-year-old man who enjoys the reputation of impeccable integrity. The government listened to his demands as he commands a moral authority, which few leaders enjoy. It is not that everyone can go on a fast-unto-death and expect the government to agree to modify a proposed law. People supported him because he led from the front; he has sacrificed his life for the community without any interest in power or money. Again, he has no formal authority as he is not an elected member of parliament nor does he hold any position. People respect him for his moral courage and commitment.

Now look at the qualities of these two men- Sachin Tendulkar and Anna Hazare. Aren’t these what a Chief Risk Officer (CRO) of an organization should be having? Risk managers generally complain that they have limited access to board and CEO and business team do not listen to their advice. Hence, they are struggling to be heard by senior management and business teams. However, if you think deeply does it not appear that senior management and business managers are not relying on risk managers because they might be reflecting incorrect attributes?

In my view, a CRO provides value to the board and CEO at strategy and policy level. The CRO is not the captain of the ship, but should be able to guide senior management in understanding the risks and address them. For business managers a CRO needs to mentor them in running business operations with minimum risks. To do so, CRO needs to have a combined reputation of Tendulkar and Hazare. S/He  needs to have a reputation of impeccable integrity, domain knowledge and expertise, trustworthiness and reliability , a team player and with an ability to sacrifice personal agendas for greater good of business. If s/he has this reputation, probability is that both senior management and business managers will be more forthcoming in involving him/her to understand and mitigate risks.

Images & Shadows

This prompts me into thinking the second aspect of the problem. What are the images CRO have in the organization and how are these benefitting or negating them?

1.       Nitpicker  to Troublemaker

 Most CROs complain that they are unable to get into CEO’s cartel. The challenges they face are that on one hand CEOs and board think that CROs are nitpickers who can’t provide much value add at strategic and business level. On the other hand, the CROs who do manage to attend CEO and board meetings may face significant resistance to their views.  I had covered this aspect in the article “Independence of Internal Auditors – An Oxymoron”.  As per KPMG Audit Committee report of 2010, 73% of Chief Audit Executives’ jobs are at risk if they hold a contrary view than the board. The attitude of the management is  that ”we don’t need someone on our board who doesn’t appreciate our views.” In such a situation the CRO has a choice between the devil and the deep blue sea.

Auditing and advising are two sides of the same coin and CROs needed to fulfill both of them diligently to ensure organization risks are managed effectively. CROs can learn from Hazare and Tendulkar on how to lead senior management without holding formal authority. They need to develop a reputation of a “guy who can be counted on to give the right advice and support.” To do so they need to work towards changing the image of bean counters and focus on developing strategic perspectives at macro level.

2.       Busybody to Watchdog

The employees of the organization sometimes view GRC staff as tale tattlers. According to the negative perceptions of business employees, the sole purpose of risk managers is to report to the management everything nasty to satisfy personal agendas and play political games. Generally, the image is formed when CRO is perceived as using audit and other risk management reports to gain political power and  uses them negatively. With an image of Dr. Jackal and Dr. Hyde, there is significant trust deficit at all levels of the organization. The downside is that business teams instead of developing risk aversion, develop an aversion to risk managers. Here, the CRO fails to establish a reputation as a genuine business advisor willing to hand hold business teams to improve risk management.

 CROs need to take a leaf out of Anna Hazare’s life. Anna Hazare gathered political support and led from the front in the Lokpal Bill protest. He garnered support as public understood that he was sacrificing himself for the greater good of the community. He showed he had the moral authority to lead others and protest against corruption on their behalf. The CROs should aspire to have a similar reputation where management and employees trust him/her to work for the benefit of the organization and be above petty politics.

3.           Scholarly to Acerbic

Frequently business managers view a CRO as “S/he is theoretical, is woefully obtuse about the practical aspects of business.” Or worse, “S/he thinks the job is to criticize, is always thumbing his/her nose at business managers.” The problem results as CROs and their teams are unable to cut ice with senior management and business teams when their reputations are that they are paper pushers, paid critics, think others as lesser mortals or are amusingly ridiculous in their ideas. S/he is never on the guest list of the business managers meetings. Here, the CROs fail in establishing their expertise and domain knowledge; hence lack credibility.

Taking a lesson from Sachin’s case, would he enjoy team respect and fan following if he lacked domain knowledge and expertise.  He has earned respect with his humble attitude and willingness to share his knowledge with teammates. The CRO needs to make their internal brand one of an enabler rather than a critic. The risk management technical expertise can be successful only if applied in addressing business challenges. Hence, a balance needs to be maintained between risk management and business issues. The willingness to train and mentor business managers on risk management aspects will go a long way.

In nutshell, risk managers should focus on their internal branding within the organization. We may rely on facts but perceptions matter. If senior management and business managers develop negative perceptions of the CRO, the organization and risk management teams suffer. People generally do not listen to people whom they do not respect and trust. Hence, CROs first task should be to develop a reputation of impeccable integrity, and being a good mentor and a domain expert.  

Welcome your opinion.