Clean. Simple. 100% Finance.

Archive for the ‘CRO’ Category

Who is the owner of risk in an organisation?

In Banking, CRO, Finance, Insurance, Legal, Risk Management on July 17, 2016 at 5:10 pm

In this blog, I indulge in a debate that who is the owner of risk – Is it CEO, CRO or different parties and how organisational risk is linked to society?

Chief Executives such as CEO and CRO provide foundation to a firm’s sustainability with their generic, specific capabilities, expertise and leadership to control and administer resources in current dynamic business environment. Role of CEO and CRO in relation to risk have presented greater ambiguity in practice and questioned the existence of widespread myth “CRO is the owner of risk and is the ultimate risk manager of the company.

Roles of CEO and CRO are significantly different however, often it is considered that CEO is expected to make risk based decision making while ownership of risk lies with CRO and accountabilities is set to the board.


An actor is not implementer, an implementer is not decision maker and a decision maker is not held accountable.

During practice, a CEO acts as a ‘Risk Manager’, ‘Decision maker’ and ‘Influence of risk culture’.  To become a successful CEO, a CEO has to demonstrate his/her abilities to cope up with failures while gaining strategic leverage by exploiting opportunities.  A CEO influences significantly the risk culture of an organisation. Consider an organisation with Japanese, Chinese, British or American CEO, you may imagine the difference in culture as different expectations are set. A CEO style should complement with Company’s culture. If a company is relationship focused, and believes in shared decision making, its CEO should promote collaborative efforts. Another CEO may bring a ‘PUSH-PUSH BACK’ culture by enforcing rules without understanding the difficulties of ground staff.

A CRO acts as ‘Implementer and reporter of risks’, ‘Risk Advisor’ and ‘Communicator of risk culture’. CRO implements risk management policy and reports integrated risks to CEO. He/she also advises on critical risks for important projects, supports in formulation of risk policy when needed by the board and further to CEO on risk related matters. Expectations are set by the board, Chairman and CEO in risk related matters such as how much and what kind of risk the company is willing to take.

Other than CEO, CRO and board, there are other contender of ‘ownership of risk’ in the company.

  • Each and every person working in the organisation are the owners of their own risk.
  • Head of Departments are owners of their department’s risk
  • Shareholders are the owners of the company’s entire risk
  • Stakeholders are the owners of company’s entire risk
  • Risk and uncertainty is beyond the capacity of ownership

This week, I attended International Sociological Association (ISA) conference in Vienna which impacted my thought process of linking risk with society. A business success cannot be determined by its profit/loss or share market price without thinking of impact of its actions on society. Roots of organisations emerge from sociology as organisations are considered as ‘social entities’. Thinking about only economic benefits leaving society apart, may not be a sustainable long term strategy. This is perhaps the reason why ‘reputation risk’ has become one of the challenge for companies in global markets. Companies have burnt their fingers and learnt several lessons in recent financial crisis. The need of clear ownership, roles and responsibility of risk have been clearly known to companies and require attention in risk policy formulation and implementation. Michael Porter, a Professor of Harvard known for his highest influence on executives and countries, highlighted that businesses need to focus upon ‘shared value’ by integrating their economic interest with interest of the society to promote sustainability.  This raised a question “Should companies bother about ‘social interest’ in their risk related decision making process?”

Risk management based on ‘shared value’ for all stakeholders considering social interest has a great potential in promoting sustainable practices. Perhaps, this can deal with the issues of ownership of risk. It is usually debated who owns the risk but it is hardly discussed to whom this risk belongs to.



Role of CRO Forum in India

In CRO, Insurance, Risk Management on February 26, 2016 at 3:57 pm


This blog is in continuation from my previous blog ‘Do Indian insurance market need a professional CRO forum?’. Indian insurance market essentially needs a Chief Risk Officer (CRO) Forum to set new standards of professional practices. Most of the insurance companies in India are head-quartered in different cities. A CRO forum can bring together geographically spread talent and knowledge of CROs of various insurance institutions to benchmark good risk management practices. The overall aim is to promote robust risk management practices within insurance industry.

Most of the academics and practitioners such as Anette Mikes, Robert Kaplan (Professors from Harvard University) and James Lam (Famous Risk Practitioner and first CRO) in risk management area claimed that risk is evolving and need to be discussed. A famous Professor from MIT Peter Senge provides insights upon the stages of learning. He defined advanced stage of learning of experts is through discussion and participation.


At beginning level, the role of CRO Forum in India could be:

  1. To promote best practices in risk management to enhance business
  2. To discuss issues and challenges in dealing with risk and risk based decision making
  3. To provide insights on emerging and long-term risk
  4. To discuss regulatory shifts and implications
  5. Involves a theme based monthly learning and discussion eg: Fraud Control, risk reporting etc.

At later stage, A CRO forum may involve publication of white papers, special issues and risk based discussions.

Essentially, forming a CRO forum is a forward looking and proactive approach for the industry to spread awareness of emerging and complex risks and to enhance overall risk based capacity of the industry. The process can be started with five steps approach:

‘Identify’: The list of risks insurance companies are facing

‘Prepare’: A well discussed and repeatable plan for the risks faced

‘Capability’: Understand your industry capability to handle those risks

‘Detect’: A continuous monitoring plan to detect and monitor the risk

‘Share’: Sharing the risk learning (theme based) within the group every month

Kindly share your view points.