It’s the job of a CEO to be the Chief Risk Officer
At his annual shareholder’s meeting Warren Buffet repeated his belief that there is no substitute for CEO attention to risk.
Anyone who has tried to do the CRO job without full unwavering support of the CEO would doubtless agree. The CRO job, just like the COO and CMO and other C suite officers job is delegated responsibility of the CEO. It is not independent of the CEO. Boards who try to set up a CRO function that reports directly to them and is intended to act as a check on the CEO are at best wasting their own and the CROs time. At worst they are creating a very unhealthy dynamic in the firm.
If a CRO is given the job of defense against killer losses and the rest of the firm is given the job of winning customers and making a profit, guess who will lose whenever there is a conflict. An adverserial risk function is not a healthy way to manage a company. By refusing to delegate the risk role, Buffet is sending a message to all of his companies that risk is important to him, the CEO of the firm that owns their company.
Now Buffet (or any other CEO that goes this route) needs to do more than refuse to appoint a CRO. A CEO who does not want any risk management to slow down his firm can quote Buffet and not appoint a CRO and then totally ignore risk.
The CEO/CRO needs to make it constantly known that they are concerned about risk by their words AND deeds. They need to talk the talk and walk the walk of risk management.
As Buffet knows, that does not necessarily mean that he needs a risk register of hundreds of risks. Berkshire Hathaway is in dozens of businesses and is actually exposed to hundreds of risks. But BH is also very large and diversified. There are actually only a few risks that need to be on Buffet’s plate as the CEO/CRO.
And what Buffet and other CEO/CROs need to do is to make sure that they are totally aware of what their firm is doing with the handful of truely killer risks. They need to make sure that:
- Everyone who could make a decision to increase the firm’s exposure to these killer risks knows that the CEO/CRO must be involved in that decision.
- The firm is being properly compensated for the killer risks that they are taking.
- The Risk Treatment programs for these risks are being properly maintained and operated.
- The firm has alternatives to the current risk treatment programs in case the existing programs become less effective or unavailable.
- The firm is carefully monitoring the risk environment that impacts those risks and any change or even strong hint of future change is brought to the attention of the CEO/CRO.
- The board is kept informed about all of the above.
Interestingly, this list does not change at all if the CEO decides to appoint a CRO. The list above can be a major part of the agenda when the CEO and CRO have their daily meetings.