My takes from leading CROs

Excerpts from Deloitte's 2019 survey of risk management

The majority of executives now acknowledge risk management’s strategic importance. The task now before risk management functions—and chief risk officers—is to rise to the challenge by equipping themselves to provide business-focused insight. Read how CROs from Becton Dickinson, Exelon, and General Motors are tackling today’s risk management challenges.

Featured my take: Angela Hoon

Executive director, Strategic Risk Management, General Motors (GM)

Could you tell us about your current role and scope of responsibilities at GM?
Our CEO, Mary Barra, also considers herself the chief risk officer. I lead GM’s global strategic risk management program and am responsible for supporting senior leaders in cultivating a risk mindset and driving a “risk” thought process into strategic and cross-functional decision making. I also facilitate reporting of key enterprise risks to the board risk committee, work with the leadership to understand their risks, and facilitate risk discussions to help in complex business challenges.

Do you report directly to the CEO?
I report to the general auditor who reports to the CFO who reports to the CEO, and I have access to the chairman of the risk committee of the board.

Can you tell us about that risk governance structure?
In 2014, Mary designated a full risk committee of the board, which meets four times a year. GM senior leaders facilitate discussions around selected key enterprise risks they own, current responses, and mitigation plans. We also have a management-level risk advisory council with an executive lead from every business function or unit, which meets monthly to discuss enterprise and cross-functional risks.

Much of our risk management effort focuses on integrating risk into the business, risk mitigation, and decision support. Ten times a year, one of the business functions or units meets with Mary to have a discussion on how they integrate risk into their business, key risks to their business goals, and what risks are emerging. Over a two-year period, we’ll have cycled through all of our business units.

This sounds like a leading practice. How did you get here?
Mary determined that risk had to be more part of governance at the board level and a driver of the business, and her taking the role of CRO was instrumental. Without that tone at the top, it wouldn’t have happened. We realized as an organization that we needed to look at risk across functions and on a more enterprise-wide basis to avoid a check-the-box routine. In order to test this and gain management buy-in, we facilitated pilot workshops to develop techniques to engage teams and to help them to use a risk lens to analyze risks and solve complex business challenges.

What else worked for you on this journey?
We avoided risk terminology like risk appetite, tolerance, culture, and residual risk. We use the language of the businesses and talk about threats, consequences, and responses. We’ll ask about alternatives, contingencies, and how to be agile. We brought in all the risk concepts but without the jargon, and ultimately got better results, as business leaders could relate and understand the implications of risk to their objectives. Another key was the use of cross-functional workshops and techniques like wargaming, game theory, and pre-mortems. As part of the context of the risk discussion, we incorporate emerging risks, consider current industry trends, and look at external players.

My take: Paymon Aliabadi

Chief risk officer, Exelon

How is risk management organized at Exelon?
I report directly to the CEO. Five years ago, we had a risk management organization and program dedicated to supporting our trading business, focused primarily on financial risks (market and credit). During the last five years, we have established a broader enterprise risk management (ERM) program to supplement our best-in-class commercial risk.

The ERM program is composed of two elements. We have an ERM Operations group—senior risk professionals embedded in our operating companies including generation and utilities—which had not been a focus. In addition, we have established the ERM Analytics team to address strategic risk management. ERM Analytics is responsible for a broader review of our business risks, strategic risks, emerging risks, and disruptive trends. They look at the whole portfolio and develop the CRO report for the board at every meeting. ERM also provides risk management support in our business services group, which houses finance, HR, supply, IT, and strategy.

Five years ago, I could only give you our exposure in our trading business, but not across our enterprise. We now have an expanded scope and we evaluate and aggregate risks across the broader enterprise in one snapshot. This is also a much leaner team, yet with an enterprise perspective.

As CRO, what is your view of reporting directly to the CEO?
I believe it is critical. If I wasn’t a direct report to the CEO, I would lack visibility to my colleagues managing various parts of the business. I have a seat at the table as a peer and can participate in decision making as a full team member. This reporting structure elevates the standing of risk across the organization in terms of how you influence and drive priorities or initiatives.

Any other benefits of being a direct report to the CEO?
Well, without that there’s the potential of limiting the potential impact of risk management to a narrower role. There is another key factor: We have board members with deep banking and private equity backgrounds and they “get” risk management. They insisted on a standing risk committee of the board, with active participation across the board. It is where transactions come up for review and approval and risk topics are discussed. As part of that, I am expected to participate, present, and help manage the board agenda with respect to risk priorities. It’s just a different dynamic when reporting to the CEO.

My take: Steve Richard

Chief audit executive, senior vice president, Internal Audit and Enterprise Risk Management, Becton Dickinson

How is risk expected to deliver value in your organization?
For us, risk management isn’t this separate activity, but rather an integral part of the business. I have a relatively small ERM team that works very closely with leaders across the business, who need support to achieve their objectives. We focus on avoiding bad things, but also on enabling the businesses to operate without disruption. We partner with our executives to make sure what we ask of them is less intrusive and as efficient as possible. We want the benefits of a sound ERM program with as little burden as possible.

Are there examples you could share on how you create that environment?
Some things are macro risks and affect everyone. Cyber is one of those, and the businesses assume we have that covered. Since we are a manufacturer, we address supplier disruption and think strategically about single-source suppliers and how they can impact our strategy. People in the business do this as part of their job. This is a really important point. We are not adding something new. We’re just helping to provide some common framework and structures for work already being done.

How do you foster that ownership?
It doesn’t have to be encouraged or forced, because it is wholly consistent with the businesses meeting their objectives. So they are already focused on potential disruptors and they welcome our help toward minimizing risk. You need to have only one issue with a key supplier to not meet your objectives. So, it’s easy to get people’s attention. I try to create the how—how we go about it.