When Stephen Rietiker took over as CEO of Sulzer Medica at the beginning of August 2001, he knew he faced a tough challenge. Not only had the $880-million-in-revenues maker of medical devices been spun off from its parent just three weeks before, but it also had a slew of lawsuits in the U.S. following the recall of thousands of its hip and knee implants.
To help get the Zurich-based company on an even keel, Rietiker made two key appointments. First, he hired Urs Kamber to be the company’s new CFO. For his second hiring, however, Rietiker was less conventional — he appointed a chief risk officer (CRO) to sit alongside the CFO on the executive committee.
According to Gabor-Paul Ondo, who was given the job, the idea behind the CRO role was “to build a holistic view of the company’s risks.” In other words, the CRO had to identify all the threats and opportunities that Sulzer Medica faced, and then combine them into an integrated and company-wide approach to risk management. It wasn’t an easy task, which is why Rietiker sought a CRO rather than a more junior — and traditional — risk manager. As Ondo explains: “Truly integrated risk management needs to come from the top.”
A growing number of executives share Rietiker’s view, leading some observers to predict that we’ll be seeing a lot more CROs soon. In fact, while banks and energy companies were the first to appoint CROs — in the mid-1990s — other businesses from outside these sectors are now following suit. The big debate, however, is whether the CRO craze is fad or fixture.
Great Ape: CIO as Model
The man credited with creating the role of CRO is James Lam, founder and vice chairman of ERisk, a New York-based consultancy. Lam claims he was the first-ever CRO, inventing the job title in 1993 when he was working for U.S. financial services giant GE Capital.
His inspiration was the rapid rise of the role of chief information officer (CIO) at the time. In general, says Lam, CIOs were responsible for two things: the integration of IT throughout a company, for instance mainframes with PCs and client-server technologies, and raising the awareness of information technology on the executive board.
“I saw a parallel between IT and risk, and so I came up with the title of CRO,” explains Lam. “The role has responsibility for integrating all forms of risk within a firm — including credit risk, market risk and operational risk — and elevating the awareness and understanding of these risks to the board level.”
Since those early days, the number of CROs has been escalating. Felix Kloman, editor of Risk Management Reports in the U.S. and a veteran commentator in this area, reckons that 200 companies around the world now have a board-level CRO. One of the main reasons for that growth, adds Kloman, is corporate demand for “enterprise-wide risk management” — itself a response to increasing pressure from shareholders, regulators and senior managers for more accurate risk information.
This trend was highlighted in a survey released in September 2001 by MMC Enterprise Risk, a division of insurance broker Marsh & McLennan, and the Economist Intelligence Unit, a sister company to CFO.com. The global survey, which polled 200 senior finance professionals, revealed that only 15 percent of companies have “complete systems for looking at risk across the organization.” But 43percent were expecting to have them within three years. For this to happen, say commentators, a senior executive empowered from the top needs to take charge of the process.
Bruno Porro, CRO of Swiss Re, the reinsurance giant, couldn’t agree more. Risks at Swiss Re had long been managed by different people in different departments. For example, underwriting risks were handled separately from the risks tied up in Swiss Re’s investment portfolio. And when it came to credit risk, the company was ill equipped to deal with it before the credit crunches of the early 1990s. Today, however, it’s a different story.
“Thanks to new technology and to risk quantification tools, it’s now possible for a CRO to combine these three types of risk to give a complete view of the risk-adjusted capital of the firm,” enthuses Porro. While many corporates have embraced the concept of the CRO, opinions still differ as to whether it will gain universal acceptance. For many observers, the appointment of a CRO is often just a temporary measure — once an enterprise-wide risk management process has been installed, the need for a permanent CRO declines.
What’s more, many risk experts believe that CFOs themselves should act as CROs. Tom Kaiser, chief executive officer of Zurich Corporate Solutions, part of Zurich Financial Services, observes, “The critical thing is that someone is both empowered to seek a company-wide view of risk and also able to make decisions based on that. Sometimes we find that this individual exists in the form of a CRO, but equally, forward-looking CFOs are increasingly taking this role on themselves.”
So why have a CRO? At ERisk, Lam likes to return to his CIO analogy. “Not all firms have a CIO because not all companies need one,” he states. “Just as a company will only need a CIO if it is technology-driven, or if technology is a large part of its operations, a company is only likely to need a CRO if dealing with risk is a big part of its business.”
For that reason, CROs have found most favor to date within financial institutions. Indeed, a survey by the Conference Board of Canada, Tillinghast Towers Perrin and the University of Georgia polled 80 CROs in North America and found that 45 percent of them worked for financial services organizations, 40 percent for utilities and energy companies, and the rest for other types of operations.
Is this beginning to change? Evidence from non-financial firms such as Sulzer Medica suggests that it might be. Another example comes from Delta Air Lines. In December, Delta’s CFO, Michelle Burns, promoted Chris Duncan from the position of risk manager to CRO, reporting directly to her. For almost a year before then, Burns had been toying with the idea of hiring a CRO thanks to a growing awareness that the risks Delta faced were getting tougher to manage — and not just traditional property and casualty risks but new exposures such as information security. But it wasn’t until the terrorist attacks on September 11 that Burns was finally convinced of the need for a CRO.
“As CFO, I needed someone who didn’t control or own the company’s risks, but who was both taking note of Delta’s risk issues and who had a view on the financial implications of those risks,” says Burns. As such, Duncan’s job is to keep Burns appraised of all the risks at Delta and to put a value on them. According to Burns, that doesn’t mean he has to develop “an enterprise risk management framework for the company and boil down all its exposures to a single measure of risk.” Instead, she says, the aim is to achieve “increased visibility of risk across the company”.
From Duncan’s perspective, his role is a work in progress. “It is going to take several years to see where this is going,” he says. “This is the first time an airline has created a CRO role and embarked on a project to view risk from a more holistic level, so the role of the CRO here is going to be different than it might be in a company in a different industry.”
At Swiss Re, Porro says there’s a clear need for both a CFO and a CRO to work alongside each other. He explains that a simplified way of defining the relationship between the CFO and CRO is to say that the CFO looks at the return side of the company, while the CRO looks at the risk side, with the two views balancing each other. “We have to limit the business that we do according to the amount of capital that we have,” he says, “and my role, together with our CFO, is to direct capital to where the risk-adjusted return is greatest.”
Tools to Follow
It’s a similar story at UBS, the Swiss bank. Walter Stürzinger, UBS’s CRO, says the CFO has too many other responsibilities to manage the bank’s risks alone. So Stürzinger focuses on the technical and operational side of UBS’s risks, but then works closely with the group controller and the head of group strategic analysis to ensure that all the company’s risks are taken into account in the company’s budgeting, planning and controlling processes.
Whatever the responsibilities, a CRO’s job isn’t an easy one, as Stürzinger attests. To be effective, a CRO has to deal with all parts of an organization and get them working together. At UBS, Stürzinger does that via the group finance and risk committee, which brings together the heads of the communications, strategy, risk, treasury, legal and finance departments every fortnight, and is chaired by the president of the group executive board. “The bank is run by the company executive board, which consists of the CEOs of each business group and the president,” says Stürzinger. “But the risk committee reports on the risk profile of UBS as a whole, which cuts across the business groups.”
CROs also have to grapple with a lack of good tools and techniques. For example, while most CFOs have robust systems that flow vast amounts of data to them from all parts of the company, CROs do not, even though their reporting channels must be just as good. And even when a CRO is able to gather data from across an enterprise, there are few standardized tools available today that can help analyse all of it.
But CROs shouldn’t lose heart, says Tom Wilson, head of finance and risk at consultants Oliver Wyman & Co. As he sees it, CFOs faced a similar challenge in the early 1990s, as they tried to make the transition from being a “chief accounting officer” to being more of a strategic guardian of a company’s value.
“The CRO’s role will move from simply understanding the firm’s exposures both on and off the balance sheet towards building a dynamic picture of the firm’s risk-adjusted performance,” he predicts. After that, CROs will begin working with CFOs on the risk-adjusted economics of a company’s different businesses to determine which create the most value.
Until that happens, however, some say CROs will have a hard time justifying themselves, particularly when they do a good job. John Davies, vice president at risk consultancy Marsh Consulting, says: “The questions for a CRO are, ‘How do you measure the success of an enterprise risk management project? How do you show the value of events that didn’t happen or losses that weren’t realized? What price effective corporate governance?’ The demand a CRO dreads is, ‘Show me the money’.”
A thankless job? Not according to Sulzer Medica’s Ondo. “It’s an immense challenge to create a function that hasn’t existed before. But the chairman and all the directors are behind this project, and it is a huge privilege.”