Today’s rapidly changing risk environment puts new pressures upon companies and their boards to successfully manage their organizations’ evolving risk profiles. Increasingly, we see that boards are playing a larger role in holding the executive team, and the chief risk officer (CRO) in particular, to a high bar for risk practices and outcomes.
To identify the practices essential to CRO and risk excellence, McKinsey engaged more than 30 high-performing current and former chief risk officers of major global institutions. Below we share an excerpt of our insights from that research, which boards can use to deepen their understanding of what it takes to build a resilient organization and to engage the CRO and CEO on their organization’s risk profile and program.
Great CROs are explicit about risk and resilience, purpose and vision, and champion a risk-aware culture.
Given the expanding scope of potential risk, employees need a risk North Star more than ever. The most effective CROs relentlessly pursue the North Star—and the risk culture to match—and continually evaluate whether an organization is achieving it. To develop it, risk leaders need to think beyond regulatory compliance and safeguarding the organization. While both remain essential, they are no longer sufficient. Risk leaders should reflect on the question: What aspect of risk will help our institution grow?
For some CROs, the North Star is articulated in a mission statement. One risk team used 360-degree feedback from C-Suite leaders, business lead, and the risk team to come up with one. One CRO described it as a “cultural journey” in which risk and resilience principles slowly permeate into all levels of the organization.
Great CROs invest in, empower and create the next generation of risk leaders.
The demands of managing today’s risk environment require CROs to build a bench that meets the moment. They do so by building a team of diverse thinkers, delegating to and empowering the team and planning for leadership succession from the beginning.
Many CROs recruit non-traditional risk professionals and purposely shift workers in and out of risk and between the first and second lines of defense to gain a broader perspective while making external talent attraction easier.
Developing talent also includes exposing risk talent more directly to the executive team and the board which supports both growing talent and giving the board more insight into the risk function.
Great CROs lead beyond risk by engaging deeply with the executive team and board to accomplish risk and business objectives.
Today’s successful risk leaders don’t simply inform the board and CEO; they become a trusted adviser to the board, building deeper relationships to align risk with the organization’s mission. They communicate early and often and generate debate. Those interactions go far beyond formal meetings—successful CROs have regular informal talks with their board risk committee chairs. In fact, CROs may define a part of their success as “being called into the room when you don’t need to be there.”
An ongoing dialogue between risk and the broader leadership makes hard discussions easier, fortifying the principle of “no surprises.” Relationship building also requires adapting the language of risk and resilience to the language of the board. Successful CROs see themselves as translators for the rest of the risk organization, using business rather than technical jargon.
Great CROs treat supervisors as partners, and are fully transparent.
Just as risk leaders must understand and engage C-Suite leaders and boards, they must establish similar successful working relationships with their organization’s supervisors. They should find common ground to understand their perspectives while emphasizing transparency and proactivity when discussing each development. A key to building a constructive relationship is internalizing the supervisor’s priorities and the problem the supervisors intend to solve. “The important thing for any of us is to take time to understand what the regulator is trying to achieve,” said National Australia Bank’s (NAB’s) Shaun Dooley. “We need to see them as partners, not adversaries.”
Great CROs integrate risk insights across the organization.
Leaders and the board may be influenced by short-term goals and pressure from investors. But the CRO is in a special—if not easy—position to help an organization find balance. As Sadia Ricke, group CRO at Standard Chartered, put it: a CRO needs to develop “influence and gravitas” to remind leaders of the medium- and long-term impact of short-term decisions. She said, “You may, at times, not be the most liked person in the room, so you need to be prepared for this and be courageous nonetheless.”
