Chief risk officers aren’t just for banks anymore, but analysts say the position still is only necessary for certain companies.
A position that first appeared in the financial services industry to deal with a bundle of compliance and security issues, chief risk officers, or CROs, are now spreading to other large corporations faced with regulations such as Sarbanes-Oxley that require strict internal controls over the flow of data and access to information.
Forty-five percent of the companies surveyed by the Economist Intelligence Unit had a CRO or equivalent position in place, with 24 percent planning to add such a post in the next two years. A separate survey by consulting firm Deloitte & Touche said the number of CROs grew 65 percent between 2002 and 2005 in the financial services sector.
To date, most are focused on heavily regulated industries such as banking, energy and insurance. However, a recent Forrester Research report suggested that by 2007, 75 percent of large publicly traded corporations in certain fields will have a CRO in place.
Forrester analyst Michael Rasmussen said the C-level risk-related position is emerging in part because corporations are overwhelmed by the compliance challenges they face. For instance, just one section of Sarbanes-Oxley has implications for data management, auditing and executive oversight of information controls.
“Organizations are looking for a structured approach that lets them quantify risk,” Rasmussen said. “As organizations face an increasing amount of compliance obligations, the mandate will come for a formal compliance management program.”
Risk and Reward
The trend is being driven largely by concerns that falling out of compliance could pose a significant risk to a corporation, dealing a competitive blow. Other enterprises have recognized that such high-level compliance oversight can also yield competitive business benefits by providing strategic consideration of how data is handled and managed.
Corporations are “responding to increased expectations from regulators, the public and others” including partners with whom they share information “to ensure sound governance,” Deloitte & Touche managing partner Jack Riberio told the E-Commerce Times.
Deloitte has seen regulation and compliance become an impetus for corporations to make changes to their financial management approaches that can pay business dividends, he added.
However, translating that to smaller and mid-sized companies, where resources are not as plentiful and the return on investment in such compliance activities is not as significant, remains a challenge.
One challenge that companies will face as they seek CROs will be in finding the right skill set to handle the position, analysts say. The position will require attention to both policy and technical issues, and an understanding of how the two interact.
“With this position, the devil truly is in the details,” David Morrison, a spokesman for Business-Oriented Software Solutions, which makes compliance tools for corporations, told the E-Commerce Times. “It will probably require a skill set that includes the ability to connect the dots between the big picture security/compliance risks and some rather esoteric, even mundane, lower-level technology issues and capabilities.”
As an example, Morrison cited the issue of patch management, which can have compliance implications since a failure to patch can create security risks. Few C-level executives know the nitty-gritty details about patch implementation apart from those who rose up through the information technology and security ranks, he said, while other forms of compliance require a different background altogether.
Forrester said in the near-term, the CRO position is needed only at large, global companies. Rasmussen singles out those with $1 billion in annual revenues that are also part of the “critical infrastructure” that includes not only finance and energy but healthcare, transportation and telecommunications.
Proceed with Caution
“The title ‘chief officer’ should not be used lightly,” Forrester security research Vice President Steve Hunt told the E-Commerce Times. “Officers assume liability.” He noted that many organizations put chief security officers in place after 2001, though the growth of that title has slowed as businesses seek other solutions that apportion responsibility to different executives.
Also, Rasmussen cautions against using the establishment of such a position as the focal point of a compliance strategy, or of thinking that naming such an executive will be an effective answer to the compliance question. Rather, businesses should lay the groundwork for dealing with data management and security issues. Often, it’s better to start with a small project or two, with those often driven by regulatory deadlines.
One benefit of a C-level position to deal with the issues, however, is that it sends a clear message that such issues are important to a company’s executives and its board of directors.
“Risk and compliance cannot operate in a silo but must integrate into the business,” Rasmussen said. “The controls and measurement of risk and compliance require that they be integrated.”