The CEO as the overall risk executive

Leonardo J. Matignas Jr.

We all understand the critical role played by the Chief Executive Officer (CEO) in protecting and enhancing the company’s value, but we should consider that the CEO is also responsible for managing significant uncertainties that may become obstacles to the achievement of the company’s objectives or desired outcomes. These uncertainties are referred to as business risks. This makes the CEO the Overall Risk Executive (ORE), being technically the owner of all the critical risks of the company.

With this enhanced risk management responsibility given to the CEO, it is imperative that he or she is very much familiar with the framework, principles and process of risk management, particularly enterprise risk management (ERM), which has been recommended by the Philippine Securities and Exchange Commission (SEC) in its various codes of corporate governance. ERM has also been mentioned in the guidelines for well-governed companies released by the Philippine Stock Exchange (PSE).


The CEO as the ORE should be assisted by his executive team, usually composed of executives who are co-risk owners in the organization. This is usually referred to as their Risk Management Executive Team (RMET). In most companies, this could be the management committee or executive committee. Oftentimes, the RMET is composed of the following:

• Chief Financial Officer — for financial risk;

• Chief Operating Officer — for operational risk;

• Chief Information Officer — for information risk;

• Chief Legal Officer — for legal risk;

• Compliance Officers — for regulatory risk;

• Chief Innovation Officer — for new and emerging risk related to markets and competition; and

• Other key executives who are critical in identifying and managing uncertainty

Another role which is critical is that of the Chief Risk Officer (CRO) or its equivalent. The CRO is usually part of the RMET unless the board requires the CRO to functionally report to the Board Risk Oversight Committee (BROC) directly and to the CEO for administrative support (similar to that of the internal auditors). Another factor to consider is the sector to which the company belongs as there can be some regulations in the area of reporting protocols.

There is a common misconception that the CRO, which should ideally be a full-time role, is the owner of all the risks in the organization. The reality is that the CRO (again in a full-time capacity) does not own any risk except for the failure of the risk management process, making the CRO the owner of this process. It is important to note that the function/process owners (i.e., CFO, CIO, CLO, among others) are actually the respective owners of the risks within their purview.

The CRO’s primary role is to make sure that all the members of the RMET, who are co-owners of the risks, are working together as a highly integrated, collaborative, cross-functional team. Let us liken the CRO to the conductor of an orchestra, whose job it is to ensure that all the different instruments and performers come together into a harmonious whole. As most of the risks are interrelated and have interdependencies, business risks should not be managed in silos; managing them together makes the best use of the resources needed to address them. This also ensures that no critical risks fall between the cracks.

The CRO (or its equivalent) is the face of the CEO in the risk management activities of the company. But the tone from the top is the responsibility of the CEO supported by the leadership team.


In most of the board sessions that I have attended, the CRO reports to the BROC on behalf of the CEO. However, for questions on decisions made about how risks are prioritized and managed, the CEO provides his insights to the BROC and also solicits from the latter additional insights to further strengthen their risk management strategies. This emphasizes that the CEO is given the responsibility to ensure that critical risks that will significantly impact the company are identified and managed at acceptable levels.

A layman’s definition of business risk is “anything that keeps management awake at night.” That is why the CEO is also referred to as the chief paranoia officer in some circles. Of course, that is just to emphasize the critical role they play in risk management.

I would like to share an anecdote about a presentation I made to the board of one listed company. I showed a slide presenting the layman’s definition of business risk. The CEO immediately commented that he could sleep well at night. His colleagues in the board room said jokingly that this made the CEO their biggest risk, since he did not know they had risks to manage. At an event after that session, the CEO approached me and said, “You know, Leo, after your session with us, I can no longer sleep well at night.”

We had a good laugh but that said it all.


This article is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views and opinions expressed above are those of the author and do not necessarily represent the views of SGV & Co.

Leonardo J. Matignas is the EY ASEAN risk management leader and a business consulting partner of SGV & Co.
