Companies face an ever-growing list of risks in a variety of areas, including technology, finance, climate and geopolitics. A recent McKinsey & Co. study identified six “habits” of highly successful chief risk officers (CROs) that help them address those risks, build greater corporate resilience, and ultimately strengthen their leadership role within the organization.
The study primarily considered the role of CROs at financial institutions who historically focused on financial risks but now also address nonfinancial risks to bolster the bottom line. As the scope of risk management has broadened to include risks across the company, the CRO’s role and leadership responsibilities have been elevated, making good habits more important. “CROs that have a broader grasp of some of those key areas are probably playing a more strategic role in their organizations,” said Stewart Goldman, co-head of risk and compliance at executive search and management consultant firm Korn Ferry.
Not only do today’s CROs advise corporate leadership on risks they identify throughout the business, but they have become the face of the risk appetite approved by management and the board, disseminating it through the organization and generally promoting a culture of risk awareness.
Playing off Stephen R. Covey’s book The 7 Habits of Highly Effective People, the following habits—perhaps better described as capabilities or aptitudes—can enable CROs to pursue their role more effectively, as well as provide a guide for all risk professionals to “level-up” and take a more strategic approach to risk management within their organizations:
Explain your risk and resilience vision and champion a risk-aware culture. According to Joseph Agresta, an assistant professor at Rutgers Business School and previously a procurement leader at Johnson & Johnson, it is important for CROs to clearly explain and champion their vision of risk and resilience to help create a risk-aware culture.
“If a company wants a risk culture, everyone has to think like a risk officer, so the visibility of the CRO and leading by example becomes very important,” Agresta said. “The CRO should be working with [department] leaders to identify which corporate muscles need to be developed to strengthen the business so that, in a dynamic and changing environment, the company can react more quickly. They set that example by driving the conversation.”
Risk leaders need to not only develop a risk management vision—what McKinsey refers to as successful CROs’ “North Star”—but they must also develop a way to continually evaluate whether an organization is following it, said Sim Segal, founder and director of Columbia University’s master’s program in enterprise risk management (ERM) and president of ERM consulting firm SimErgy Consulting. Segal recommends a value-based ERM program that allows organizations to focus on 20 or 25 key risks and calculate the likeliness of achieving or missing their strategic plans based on those risks. “That is the most important number for the organization,” he said. “Everyone’s job promotion and bonuses are tied to achieving that plan.”
Invest in and empower the next generation of risk leaders. Today’s complex risk environment requires building a diverse team from different backgrounds and perspectives and shifting staff roles, both within the risk function and among other parts of the business. This can create opportunities for team members to share insights and reinforce the risk culture.
In addition, identifying top performers and finding opportunities for them to interact with the company’s top executives helps empower them for future growth and career elevation. “You do not want to be defensive of your own position; if [junior risk partners] are successful, you will be successful,” former Goldman Sachs CRO Craig Broderick said in an interview with McKinsey. “A CRO should not be insecure in that regard. For a successful organization and a successful person, there is more than enough credit to go around.”
Engage deeply with C-suite leaders and the board to accomplish business resilience and risk objectives. Engaging with leadership requires a common language and measurement system, enabling the CROs and risk leaders to clearly describe the risks bubbling up through the company to senior management and the board. Whether those risks stem from proposed business ventures or other internal or external changes, applying a methodical standard provides apples-to-apples comparisons to measure the impact of different risks.
Leading CROs do more than simply inform the board and the CEO—they are vital members of the executive team and trusted advisors to the board, according to McKinsey, which added that the CROs they interviewed said they spend up to 56% of their time with the executive team and board.
To quantify risk and measure its impact and probability, a common language is critical, Agresta said. For example, Johnson & Johnson developed a common language and measurement system, dubbed the “80% standard” because 80% of the system could be used across all the company’s numerous and varied functions, leaving 20% for business-specific areas. The approach was applied across the company’s consumer, medical and pharmaceutical business lines, enabling the company’s risk officers to use the same tools to generate a consistent register of risk.
“Based on that common language and system, the head of risk understands the process used to measure the risk and articulate it, and can then present it to appropriate leadership that prioritizes it and makes decisions,” he said.
Treat department supervisors as partners. A common language and measurement system is equally important in the other direction, when risk leaders gather input from the supervisors of the company’s other business units and functions. CROs should establish working relationships and find common ground with these business unit-level leaders, meeting with them often to discuss what is happening in their areas.
That has not always been easy for risk management, given that its role as a risk mitigator has often led to a reputation as a constraint on business leaders who want to take on additional risks to increase profits. Segal suggested that a risk management methodology such as value-based ERM actually provides upside benefits as well, recasting CROs as arbiters of both risks to avoid and which ones to take.
Segal noted the importance of consistently applying a common methodology, including analytical tools, terminology and definitions. Different areas in a company often develop different cultures, whether from geographical differences or other factors, and they may be tempted to tweak a methodology’s inputs without alerting risk management. “If risk does not detect those differences, then it may be trying to add up apples, oranges and bananas,” he said.
A common methodology enables risk management to analyze proposed changes arising from the company’s business areas to determine how they increase or decrease the organization’s risk and value. If the risk of a proposed change decreases corporate value, then risk leaders can offer insight into how to address weaknesses and provide upside instead. Risk professionals and department supervisors become partners. “Supervisors trust risk and see that it is not trying to block everything they are trying to do,” Segal said. “The risk department is trying to help them measure the risk and make better bets.”
Integrate insights across the organization to anticipate future threats and strengthen resilience. Integrating insights is just as crucial as explaining and championing a risk-aware culture, according to Segal. “You are gathering information from the company’s leaders but you are also subtly training them not to have groupthink, but to define risk,” he said.
Risk is fundamentally an analytical practice and companies still prioritize prospective risk leaders’ analytical abilities, according to Carl Gargula, executive vice president at Risk Talent Associates. Integrating—and communicating—insights across the organization is critical. “CROs must communicate down to their teams, up to management, and across and within the organization,” he said.
Monitor personal effectiveness and take steps to manage time. McKinsey says risk leaders must reflect on their own effectiveness and be deliberate about how they spend their time, set goals and prioritize. This includes identifying strategies to maintain work-life balance, both for their own long-term sustainability and to motivate their team. To drive continual performance improvement, it is also essential to seek out feedback from peers and colleagues, particularly since the role of a risk leader cuts across the entire company and involves a wide range of issues and stakeholder demands.
Agresta said that such reflection should not only encompass a practical “what happened and how do we fix it” approach, but also an element of compassion, or what he called a “servant-leader” mentality. “Sometimes risk events are very scary—a hurricane, a pandemic,” he said. “As a servant-leader, the CRO must empathize with all the people impacted by the risk event, whether it is financial, supply chain-related or something else.”