Does your company or organization need a chief risk officer? Some companies have taken the role of risk manager to another level. Think of the risk management job on steroids and you have a chief risk officer. (Think of an athlete on steroids and you have a major league baseball player.) CROs are executive level positions akin to chief financial officers or chief operating officers.

Why might organizations create CRO positions? They might add the CRO slot to their organizational charts for various reasons. Establishing a CRO position offers a better chance of thinking strategically about risk, not just insurance risk, but other challenges, as well. This includes currency risk with foreign exchange rate fluctuations, climate changes and their implications, brand identity, and preservation of intellectual property rights.

Historically, these niches have been off limits to most risk managers. Of course, in a perfect world, we would expect risk managers to address these issues for their respective organizations. In the real world, however, risk managers often are spread thin just sweating out their next property renewals, not addressing these challenges, which are somewhat 20,000 feet above desktop level.

At some point, one wonders whether the expanding job responsibilities of risk managers have outstripped the abilities of even the most talented and hard working professionals to do justice to them all. Short of cloning, risk managers may find that they lack the resources to address many of the broader risk issues confronting today's organizations. This is another fork in the road at which an organization might decide to upgrade the risk manager position to CRO, or to add a CRO to focus more strategically on risk issues. Creating this reporting chain frees the risk manager to address more day-to-day operational issues, of which there is certainly no shortage.

Others argue that most organizations will have either a chief risk officer or a risk manager, but not both. Most companies likely would find these positions redundant. In fact, an organization with a full-time risk professional might have either a chief risk officer or a risk manager, but certainly not both. Therefore, ascent to the CRO slot might be a career aspiration of ambitious risk managers who have designs on entering the C-level executive arena.

According to Douglas J. Borg, director of Duke Medical Center Risk Management, “It's been my impression, at least in health-care risk management, this [CRO] title is most often associated with enterprise risk management programs, those programs that consolidate all corporate risks under one management area.” The notion of a CRO is fairly new for hospitals and health systems, he added, noting that it seems to be catching on. In a CRO arrangement, Borg envisions situations in which an organization might still have risk managers who specialize in specific areas of risk.

Steering the Enterprise


Accompanying the emergence of a chief risk officer position is the increased attention to enterprise risk management. This analyzes all risks across the organization's spectrum to assess them, quantify them, and prepare action plans to address them. It is not biased toward insurance, although it includes insurance as one tool.

The CRO position is focused more on speculative risks (investments, currency fluctuations, things traditionally handled by the company treasurer or comptroller), with pure risk management (fire, liability, etc.) as an afterthought. A CRO's duties might also include employee benefits, traditionally human resources turf.

This is not to say that the CRO role is just a board-room position, an ivory-towered theoretician with his head in the clouds. To the contrary, the individual should be hands-on, up to the elbows in assessing risks from a company's activities and business environment. CROs should address the broader spectrum of organizational risk, which can be divided into four main sectors: financial, compliance, operational, and strategic.

Assuming that a risk manager is interested in advancing to a CRO title, what are the steps? In assessing a CRO's ideal background, we should not overlook the obvious. A full-time risk manager would be a likely candidate. We cannot pigeon-hole this, however, as other professional backgrounds might also equip one to be an effective chief risk officer. These include auditing, investor relations, strategic planning, and line operation management.

Putting aside job backgrounds, a good CRO should possess specific skills. These include communication skills, broad strategic vision, a technical grounding in hazard analysis, and facilitation skills.

One question that CROs will face is, “What are the companies' strategic plans and what risk implications do those plans hold?” New markets, new products, and new partnerships are exciting business opportunities. All may entail varying degrees of risk. The CRO's job is to assess these risks and implement mechanisms to reduce their likelihood or to cushion their financial impacts.

In terms of the risks managed by CROs, semantic word games are verboten. Businesses are subject to different risks: operational, business, pure (insurance), credit, etc. There may be specific risk managers in these areas. An insurance risk manager would not necessarily have the same skills as a business risk manager or a bank's credit risk manager, for example. These people may report to a chief risk officer who must possess an overview of all these disciplines.

Some observers express caution at the proliferation of job titles. Is it just a mark of careerism or a matter of pouring old wine into new bottles? With all the Chief (fill in the blank) Officer positions today (CEO, CIO, CFO, CRO, COO), most entities also need chief ethics officers. (On second thought, the CEO acronym is taken, so perhaps we would have to call them chief honesty officers, or CHOs.)

Others warn that creating a position of chief risk officer sends the wrong message, a notion that managing risk is one person's job. (We also could make the same argument against the wisdom of creating a risk manager position.) In truth, however, preventing loss and curbing risk should be every employee's mission. Is it possible to create a distinct CRO job title, while still creating and maintaining a culture of ownership regarding safety and risk? This is the challenge for many organizations.

Let's also be realistic. Only very large companies will have the luxury of creating CRO positions. For storefront businesses or medium-sized enterprises, such job creation just is not realistic. Organizations need a certain heft and risk profile before there is any chance of their creating such positions.

Looking for new challenges in the risk management realm? Tired of seeing the risk management slot as a dead-end position? If so, set your sights higher and acquire the skills to propel yourself into the role of chief risk officer.

Kevin Quinley, CPCU, is senior vice president for Medmarc Insurance Group in Chantilly, Va. He can be reached at [email protected].
