The CRO cannot be expected to do what only the CEO can do—which is to take the lead in strategic risk-taking, protecting the franchise and building a strong risk culture. But if the CEO takes on these fundamental risk management responsibilities, the CRO can be an effective and valuable contributor to the bank's success. The CRO helps the CEO and the board implement a credible, consistent risk management framework to govern the bank's risk-taking across all businesses; provides expert, unbiased advice on risk issues; and offers constructive ideas that use smarter risk management to unlock new business opportunities.
Handing off full responsibility for the bank's enterprise risk management is the wrong reason to have a CRO. The result is likely to be an expensive compliance bureaucracy that creates a false sense of security. The CRO becomes merely an actor in a diverting farce that presents the façade of risk management without the reality of risk management. As many banks discovered in the financial crisis, this farce can turn into a tragedy when the music stops.
A solid CEO/CRO partnership is crucial to the long-term success of an enterprise risk management program. Even more crucial is having a CEO who understands and is willing to accept his/her role as the true risk leader in the company.
John - you are spot on and this message needs to make it to the C-Suite of financial institutions of all sizes. As a Federal Regulator working on this subject matter for nearly 12 years, I have seen many ERM implementation failures and a few successes. Tone at the top is one of the few common elements in the success stories.
John,
I find that most boards believe that the CRO is solely responsible for all things risk-related, and that the CCO is solely responsible for all things compliance-related – which, in reality, is virtually impossible. The CRO and CCO are responsible for ensuring that there is an effective risk and compliance process in place to reduce exposure and litigation, and the CEO must take responsibility for risk failures.
John