Who is the owner of risk in an organisation?
Who is the owner of risk – Is it CEO, CRO or different parties and how organisational risk is linked to society?
Chief Executives such as CEO and CRO provide foundation to a firm’s sustainability with their generic, specific capabilities, expertise and leadership to control and administer resources in current dynamic business environment. Role of CEO and CRO in relation to risk have presented greater ambiguity in practice and questioned the existence of widespread myth
“CRO is the owner of risk and is the ultimate risk manager of the company”.
Roles of CEO and CRO are significantly different however, often it is considered that CEO is expected to make risk based decision making while ownership of risk lies with CRO and accountabilities is set to the board.
An actor is not implementer, an implementer is not decision maker and a decision maker is not held accountable.
During practice, a CEO acts as a ‘Risk Manager’, ‘Decision maker’ and ‘Influence of risk culture’. To become a successful CEO, a CEO has to demonstrate his/her abilities to cope up with failures while gaining strategic leverage by exploiting opportunities. A CEO influences significantly the risk culture of an organisation. Consider an organisation with Japanese, Chinese, British or American CEO, you may imagine the difference in culture as different expectations are set.
A CEO style should complement with Company’s culture. If a company is relationship focused, and believes in shared decision making, its CEO should promote collaborative efforts. Another CEO may bring a ‘PUSH-PUSH BACK’ culture by enforcing rules without understanding the difficulties of ground staff.
A CRO acts as ‘Implementer and reporter of risks’, ‘Risk Advisor’ and ‘Communicator of risk culture’. CRO implements risk management policy and reports integrated risks to CEO. He/she also advises on critical risks for important projects, supports in formulation of risk policy when needed by the board and further to CEO on risk related matters. Expectations are set by the board, Chairman and CEO in risk related matters such as how much and what kind of risk the company is willing to take.
Other than CEO, CRO and board, there are other contender of ‘ownership of risk’ in the company.
- Each and every person working in the organisation are the owners of their own risk.
- Head of Departments are owners of their department’s risk
- Shareholders are the owners of the company’s entire risk
- Stakeholders are the owners of company’s entire risk
- Risk and uncertainty is beyond the capacity of ownership
This week, the International Sociological Association (ISA) conference was held in Vienna which impacted many professional thought process of linking risk with society. A business success cannot be determined by its profit/loss or share market price without thinking of impact of its actions on society.
Roots of organisations emerge from sociology as organisations are considered as ‘social entities’. Thinking about only economic benefits leaving society apart, may not be a sustainable long term strategy. This is perhaps the reason why ‘reputation risk’ has become one of the challenge for companies in global markets. Companies have burnt their fingers and learnt several lessons in recent financial crisis.
The need of clear ownership, roles and responsibility of risk have been clearly known to companies and require attention in risk policy formulation and implementation. Michael Porter, a Professor of Harvard known for his highest influence on executives and countries, highlighted that businesses need to focus upon ‘shared value’ by integrating their economic interest with interest of the society to promote sustainability. This raised a question
“Should companies bother about ‘social interest’ in their risk related decision making process?”
Risk management based on ‘shared value’ for all stakeholders considering social interest has a great potential in promoting sustainable practices. Perhaps, this can deal with the issues of ownership of risk. It is usually debated who owns the risk but it is hardly discussed to whom this risk belongs to.