Last week I had the privilege again of hosting a Compliance Week editorial roundtable, this time gathering a dozen chief risk officers in the financial sector to hear their thoughts on the current challenges of risk management in their industry—which are more complicated than the risk management challenges in most other industries. As usual, we’ll have in-depth coverage of their discussion in one of our newsletters later this month. But let me fire off a few preliminary observations while I’m here…

First, this crowd is really anxious about what regulations might come out of Washington to confront them later this year. We went around the room asking each attendee his or her biggest worry for 2010, and almost all of them cited some sort of fear that they won’t understand what Washington expects of them or (more likely) that Washington won’t understand what corporate risk-management efforts are able to do. Given some of the obtuse questions I’ve seen lawmakers ask Wall Street executives during any number of hearings Congress has held recently, I’d say this fear is well-founded.

Second, one of the most insightful comments came from one risk officer who talked about which risks he warns other executives to monitor. Like lots of other businesses, his company classifies its risks with a cute color scheme of red, yellow and green—and then this particular attendee tells his board and senior executives to “watch the greens.” Why? Because everyone already knows reds are dangerous risks, and spends plenty of time monitoring them. The true danger is the green risk that elevates into something more serious while nobody is paying attention. Write that down somewhere, folks; if the mortgage industry had been thinking like this in the 2000s, the world would not be in the mess it’s in.

Third, there is lots of uncertainty about how much more authority chief risk officers will gain in the wake of the financial crisis. All seemed to agree that CROs should be treated as part of the strategic team, helping to steer the company around whatever risks might lie between it and the company’s overall goals. But a skeptical minority warned that boards and senior executives will always revert to viewing risk management as a “service function” like marketing or IT: decide on your course of action, apply a fresh coat of risk management, and then forge ahead. This is exactly the attitude the attendees do not want their boards to have. I agree completely, but I suspect boards need constant care and attention to keep from slipping into that trap.

The corollary to that question of authority was interesting too: How much increased responsibility should CROs have? For example, if a CRO accurately foresees the risk of some decision and warns the board, which then overrules him and proceeds anyway, and the dire outcome the CRO predicted comes true—should the CRO get sacked along with the rest of the management team?

My gut instinct was to say no; the CRO acts as a valuable and high-level counselor to top management, but is not immersed in top management. Others weren’t so sure, and perhaps the increased responsibility is the price CROs will pay for increased authority. As one attendee bluntly said: “If I didn’t convince the board of the danger, then I didn’t do my job either.” And others noted that regardless of whether sacking the CRO is right or wrong, it happens anyway.

I never did come to a satisfying answer on that question, but as usually happens at these roundtables, I did walk away deeply thankful that I only have to write about this stuff, not live it.