Again, thank you to everyone who responded to my recent survey on your preferred topics for me to blog about, and the type of training you may be seeking. I have had the time to peruse all the requests and I have broken them down into general topics of Strategy, People, Technical, Operationalising and Other.
Last week I wrote about how to build an enterprise risk management strategy. Staying with strategic this week, the topic requested was “Repositioning a risk function (how the risk function is perceived) rather than an add-on or tick in the governance process box in a highly regulated and hierarchical organisation.”
I hope the topic automatically suggests to you that this is a strategic decision. The reason being that perceptions are reality. Many, many years ago I was told by a very senior risk person in an ASX listed company that, because he had audit and risk, whenever he went in to have a conversation about risk, managers would see an ‘A’ for audit stamped on his forehead. And, unfortunately, audit for the vast majority of managers means “be wary”!
Another CRO, of a university, who also had audit, asked my advice on dealing with the inherent conflicts of interest that arise. We used the conversation to help him discuss with the Executive and Council why the roles should be split.
Since those days the prudential regulator in Australia, APRA, has required separate Risk and Audit Committees and that the Chief Risk Officer must report to the CEO. On the downside, they make the role one of “challenge” rather than one of “advisor”, as I prefer in my Tri-Partite Model of risk.
Where should the CRO and the risk function sit? It is not a simple answer, because of tradition. Traditionally, support functions like risk sit under the CFO or a Head of Corporate Services who has Finance reporting to them. And in smaller organisations, you will often find audit mixed in, in large part because of the resources available and the care factor of other executives.
I have seen risk functions sit under a Chief Operating Officer successfully. They are like a consulting arm to decision makers in operations. This 100% suits the Tri-Partite Model. If it is highly likely that risk will need to sit under an executive support function like Legal, People and Culture, Finance or a Head of Corporate Services, the aim should be to position it as part of the enabling services of strategic planning and performance reporting. This sends a message it is about organisational success more than organisational compliance.