Risk Management

Risks and Benefits: The CFO as CRO?

The Fannie Mae agreement that sundered the top finance and risk management jobs could cause other companies to do the same.
David KatzOctober 14, 2004

At first glance, chief financial officers seem splendidly positioned to be the czars of enterprise risk management.

Indeed, many already oversee one traditional area of risk management: the operational hazards often covered by property-casualty insurance. Typically, the corporate risk manager — who identifies, assesses, and decides how such risks are financed — reports to the treasurer who, in turn, reports to the finance chief.

These days, however, the risk management “tent” has grown into a “big top” called enterprise risk management (ERM). To be sure, the discipline should help companies cope with natural disasters, worker injuries, lawsuits against directors and officers, and other traditionally insurable perils, according to the long-awaited ERM framework issued late last month by The Committee of Sponsoring Organizations of the Treadway Commission (COSO).

But COSO, a voluntary private-sector group that aims to boost the quality of financial reporting, includes in its plan a bevy of corporate risks that goes much further. In the committee’s view, a company’s overall risk management plan should capture upside potential as well as likelihood of loss. Thus, the framework includes such risk factors as capital availability, liquidity, and the rises and falls of the capital markets.

Finance chiefs, of course, are often at the helm in all those areas. If, as COSO hopes, its broad definition of risk takes widespread hold among senior managements, boards, and regulators, then many CFOs would seem to be in a good spot to add the title of chief risk officer (CRO). From that perch, top finance executives could gauge their companies’ appetites for risks of all kinds and set up a consistent plan for managing them.

But there’s a big obstacle on that rosy career path. If a single executive manages the potential upside as well as the possible downside of a company’s moves, there’s the chance that the executive’s decisions might be overly biased. If the CFO/CRO is especially fond of taking risks, then the company might end up excessively exposed to disaster; if the officer is too risk-averse, opportunities could be missed.

That, apparently, was the reasoning of the Office of Federal Housing Enterprise Oversight (OFHEO) when it sharply criticized J. Timothy Howard’s dual roles as CFO and CRO at Fannie Mae in a September report on the mortgage company’s accounting.

Howard, who’s also vice chairman of Fannie, is in charge of the company’s treasury and portfolio-management tasks, as well as the controller’s office. “The combination of these responsibilities does not provide the independence necessary for an effective Chief Risk Officer function,” maintained the OFHEO report, which also asserted that Fannie had misapplied generally accepted accounting principles.

The company’s board later agreed to name a CRO who would “be independent of other corporate responsibilities and to have duties crafted in consultation with OFHEO.” Despite the synergy suggested by the COSO framework, the news of such a prominent sundering of the top risk and finance jobs could sound a death knell to the notion of the CFO as CRO.

The question then becomes: How does finance fit into the new, integrated ERM framework?

The two-volume COSO document, which subscribes to a broad, principles-based approach overall, offers few specifics. In terms of ERM, it calls the CFO “a key player when objectives are established, strategies decided, risks analyzed, and decisions made on how changes affecting the entity will be managed.”

More helpfully, the framers of the framework caution against treating the finance chief as a mere expert in financial risks. “Any attempt by management to have him or her more narrowly focused — limited to principally areas of financial reporting and treasury, for example — could severely limit the entity’s ability to succeed,” they write.

CFOs should have broad, strategic role in ERM because their involvement in such tasks as companywide budgeting, financial reporting, and performance management gives them a broad, strategic view of their companies, as well as a great deal of clout, the authors reason. The finance chief can be an “enabler to help launch an [ERM] initiative,” said Rick Steinberg, who worked on the document.

Because of the influence the CFO exerts in many different areas of the company, the finance chief should be “a major player, if not the spearhead” of the effort, added Steinberg after a COSO press conference in New York.

Strategic partner, enabler, spearhead: finance chiefs could play all those parts in the collective management of a company’s upside expectations and downside perils. In the wake of the Fannie Mae agreement, however, don’t expect many of them to become, as a CFO headline once put it, the “top cops of risk.”