Attempts to professionalise risk management through certification schemes have reopened discussions about the evolving role of the chief risk officer. Asa Gibson reports
The role of the chief risk officer (CRO) has always been tricky to pin down. Expectations and functional duties vary between companies and across industries. Now, for better or worse, a movement to professionalise risk management has added a dimension to the debate.
Several industry bodies have introduced certification schemes for risk professionals within the past 18 months, which some observers have described as "opportunistic land grabs" in an underserved community.
Not all have been successful. The UK's Institute and Faculty of Actuaries binned its proposal of a certificate for actuaries practising as CROs, owing to the "varied and wide" skills required to carry out the role.
"You have to separate to some extent risk functions from CROs – it's not always your best auditor that ends up as head of audit," Alex Hindson, CRO at Argo
Undeterred and leading the plight for professionalism in risk management are the UK-based Institute of Risk Management (IRM) and the Federation of European Risk Management Associations (Ferma, see box).
Although neither scheme explicitly intends to define or shape the role of a CRO, their influence on risk functions has raised concerns in some quarters that they might prematurely pigeon-hole risk professionals with certain skills and competencies, limiting diversity and ultimately the development of the CRO.
"The CRO role is not mature enough yet, there is still a lot of development happening with more needed, and introducing qualifications and criteria might limit that development too early," says the CRO at Lloyd's managing agent Apollo Underwriting, Phil Ellis.
With many of its members insurance buyers, Ferma's Rimap scheme accredits educational bodies and courses in risk management, requires continuous professional development (CPD), recognises experience and sets out a code of ethics. The IRM's scheme is similar in that it encourages individual CPD, recognises experience by distinguishing certifications for members and fellows, sets out a code of ethics and sets behavioural standards.
The main difference between Ferma's scheme and the IRM's is the latter provides the educational programme, whereas Ferma accredits other educational bodies for risk management qualifications. To achieve the basic level of certification, Ferma requires three to five years of experience in the field and the completion of a three-hour multiple choice exam, requiring 100-150 hours of study time. The IRM requires three years of experience and the completion of the IRM diploma in risk management, which requires 200 hours of study time per module, of which there are seven.
The role is often said to be in its teenage years, as people struggle to define its identity within the corporate structure (any stroppy behaviour during the Solvency II preparations is purely coincidental).
Boundaries are being pushed and finding the right balance between creative freedom and structure is an unenviable task for responsible guardians.
Taking on the role of a responsible adult, the Lloyd's Market Association's (LMA) CRO committee will convene in April to discuss the topic – primarily for the benefit of senior executives and board members to develop ideas about what should be expected of insurance CROs.
Beazley's CRO and LMA CRO committee member Andrew Pryde welcomes the initiatives by Ferma and the IRM to professionalise risk management, but isn't convinced that a CRO's core skills can be learned through certification schemes.
"I liken a CRO to a cocktail made with one quarter technical skills and three quarters of communication skills, with a heavy dash of resilience," Pryde says, acknowledging that among smaller insurers this mix could shift in favour of technical skills.
Pryde is not sure a certification scheme comprising exams and guidance can completely arm a risk professional with the softer skills required of a CRO. "I'm not sure you can teach that – it comes more naturally to some people." He says he wouldn't want the industry to think that "all you need in a CRO is a technical expert with certified status, because that only gets you part of the way."
Alex Hindson, Argo CRO and member of the IRM's standards & certification committee, says the institute's scheme will complement rather than interfere with the CRO role's development, citing an emphasis on behavioural competencies in the IRM's programme. In the main, he says there is a distinct need for the development of the risk function.
Separating risk teams from the CRO
"I think there is an absolute need to improve the professionalism of risk functions and by that I mean all the way from risk analysts through to risk managers and head of risk to CRO," he says, adding: "you have to separate to some extent risk functions from CROs – it's not always your best auditor that ends up as head of audit."
Hindson highlights how the connection between a CRO and risk function, in terms of skills and competencies, has widened since the first wave of CROs emerged.
"There was a point in time when I could do everything that my [risk] team did, I just didn't have the time to do it all," says Hindson – a chemical engineer by background. "More recently I have had responsibilities for things, such as legal affairs, that I couldn't actually do."
"Everybody knows that the CEO and CFO are on the board and are influential. I wouldn't be shocked if CROs get there," Phil Ellis, CRO at Apollo
As Pryde suggests, the role for most CROs has become more managerial and less functional, owing much to an increased remit though the growth of enterprise risk management. To this extent – and with increased regulatory scrutiny of risk management practices – certification schemes might be welcomed as a means for CROs to build technically strong risk teams around them.
"Stakeholders and governance bodies have ever higher expectations of risk management," adds Ferma's vice-president and chairman of its certification steering committee Michel Dennery.
"To be resilient, organisations will need more than ever to ensure their assets are protected beyond just insurance. This requires a set of skills and experience that can be certified and so recognised," he adds.
From a recruitment perspective, the establishment of professional standards in risk management offers value, but it could also narrow the skills at a CRO's disposal within the risk team, and even create barriers for non-certified professionals to enter risk management.
"One of the things the risk function has done quite well is that a range of people with different skills and backgrounds have made contributions to its development," says Ellis, who also sits on the LMA's CRO committee.
This variety of backgrounds and competencies within risk teams and among CROs is a reflection of the different board-level needs between companies, adds Ellis. Furthermore, he says risk teams need some flexibility to adapt to the changing demands of the risk landscape.
"The CRO generally developed from a tick-box compliance-type role into a managerial role about five-to-seven years ago, with greater strategic contribution," he says.
"Then about three or four years ago it suddenly went much more technical as Solvency II approached. A lot of CROs are responsible for their insurer's internal models and it's good to have somebody that really deeply understands it."
Now that Solvency II is in force, the focus will inevitably change again.
"In five years with Solvency II implementation behind us, I think we will be back to adding value, helping the business make decisions, which means articulating the threats and opportunities associated with business strategies," says Argo's Hindson, adding that areas like brand reputation, emerging risks and sustainability may rise on the CRO's agenda.
Whether or not the initiatives to professionalise risk management will benefit the development of the CRO role, the attempts by Ferma and the IRM are helping bring to light its complicated position. Incumbent CROs have mixed views on the benefit and relevance of certification schemes.
Deloitte's Marco Vet, past chairman of the CRO Forum and Achmea's former CRO, says: "I think [the schemes] are useful. It underlies the development and the growing maturity of our profession so it will trigger discussions on the role of the CRO and will therefore help mature our profession."
Dennery agrees, claiming the European umbrella association's scheme could "add to the appreciation of the special role of a CRO," adding that "the various initiatives for creating certification in risk management are evidence there is a need for it."
Unum's CRO Kevin Borrett says the development of the CRO role can be underpinned by qualifications and certification schemes, but notes "the nature of the firm itself and the board requirements are crucial to how a CRO functions."
However, Apollo's Ellis says he will not be taking much notice of the certification schemes and hopes "nobody mandates anything silly". He believes the CRO role will continue to rise in estimations and status regardless of certification.
"Everybody knows that the CEO and CFO are on the board and are influential. I wouldn't be shocked if CROs get there. In some places they already are, so I think it's a fun time to be a CRO. There is plenty going on," Ellis says.
Pryde echoes his fellow LMA CRO committee member and says the primary challenge facing CROs is to address understanding of the role on boards, which are "still learning how to get the most from their CROs."
The measure of success of the certification schemes will be their rate of adoption in the industry; for the certification to gain ground, risk professionals will need to see it as useful and relevant to their career aspirations.
The pressure to adopt may come from senior managers appointing staff into risk roles, for whom qualifications can provide a balm against regulatory and board concerns.
But it's crucial that certification finds a balance between defining the skills for the role and recognising the need for flexibility and diversity. If certified risk professionals find unqualified colleagues beating them to CRO roles, it will swiftly diminish the value of certification.