BRYAN'S BLOG

Surprise Surprise!

I was working with a CEO recently who had been in the job for about a year. When they started, they found – surprise, surprise – all was not as it was made out to be. It was a very difficult environment. The challenges were more than challenges, they were wicked problems. And the road ahead was a very, very rocky one.

It got me thinking about you and what you might want to consider before you accept a CRO or other senior job offer in risk. Here are my top three tips:

  1. Due Diligence: Is this organisation right for you? What is the organisation’s mission, vision and, most importantly, values? Nice start. Do they live their values? Head over to social media and see what you can find. Then to the job search companies like Seek and Glassdoor to check out company reviews. Better still, talk to someone who works there if you can.

    What about their management of risk? Check out company performance over the last five years. Publicly listed and public sector organisations will have the most information available. Most not-for-profits publish pretty detailed annual reports that you can put a discerning eye over. In Australia, where I am based, the Australian Charities and Not-for-profits Commission (ACNC) also has a company overview for all registered charities. Each overview has a History page which will include any enforcement action by the ACNC.

    Then there are all the other regulators of the industries that public and private for-profit organisations operate in, e.g. the finance sector, aged care, food, tertiary education. Each of these regulators can be a source of information about enforcement actions or other issues you may find concerning.

    Please, don’t do your due diligence through rose-coloured glasses because you want the job that badly! Maybe get a close confidant to give an opinion on what you find. However, the reason they may be seeking your skills is because they truly want to turn around their culture and/or performance, which leads on to the next two tips.

  2. Authority: What are your reporting lines and your decision-making authority? Do they reflect an organisation that is serious about managing risk for success rather than managing risk to meet compliance obligations? Ideally a CRO is on the executive team. When it comes to access to the board and committees of the board, this depends on the risk management model in place or desired by the organisation. In the Three Lines Model favoured by regulators, it is very clear that the CRO must have direct access to the board and board committees. In a tripartite model of risk management where the CRO is adviser, as opposed to challenger, the approach would be to have standing agenda items where the board or committees hear the CRO’s views on future performance and advice on key decisions.

    If the role you are looking at reports to a CRO, or to an executive on the leadership team who is the notional CRO, I would be trying to gauge how well they understand what it takes to have a fantastic risk culture. And as you know, it starts with the executive team. It will be hard work if you have to constantly fight to be heard by the executive and board.

  3. Budget: The proof is in the pudding. Ensure you have your own budget, and that it is sufficient for the resources you will need. Too many times I have worked with CROs that had to get approval from the Audit and Risk Committee to spend what I would consider a small amount of money in the scheme of things.

    When negotiating budget, I hope you have quantification of risk on your mind. Many organisations have data, or could create data, for much more informed decision-making about risk. Quantifying risk is easier when it is strictly about finances. However, it has been well proven by the likes of Doug Hubbard, author of How to Measure Anything, that much, much, much more can be done than is the case in many organisations.