Common Objectives of the CRO and the CAE

1. Learn about the evolving role of the chief risk officer (CRO) both before and during the current global economic crisis.
2. Develop an understanding of the complementary aspects of the CRO and chief audit executive (CAE) roles, as well as the potential conflicts to avoid.
3. Discover strategies and critical success factors for an effective CRO and CAE partnership.


  • 1. 2009 Internal Audit Solutions for Tough Times Conference, San Diego, California. Presented by: John A. Wheeler, Managing Principal, Wheelhouse Advisors LLC
  • 2.
      • Learn about the evolving role of the Chief Risk Officer (“CRO”) both before and during the current global economic crisis
      • Develop an understanding of the complementary aspects of the CRO and Chief Audit Executive (“CAE”) roles, as well as the potential conflicts to avoid
      • Discover strategies and critical success factors for an effective CRO & CAE partnership
  • 3. GE Capital
      • In 1993, GE entered the capital markets business and needed a broad understanding of a risk profile that it did not understand well
      • The CRO title was coined by James Lam, who first served in the role
      • Responsible for developing an integrated approach for credit, market and operational risks within the Financial Guaranty Insurance Group
      • Based on a similar concept of the Chief Information Officer (“CIO”), who is responsible for integrating IT resources and elevating the role of technology in the business
      • Source: “Enterprise Risk Management: From Incentives to Controls”, James Lam
  • 4.
      • Original version published in 1992 and served as the foundation for auditors and management to evaluate the interrelationships of risks and controls
      • Focused primarily on operational risk, but promoted a newly adopted risk-based approach to auditing
  • 5. Over the next decade, internal auditors worked to implement COSO
      • Developed a more complete risk mindset
      • Educated management as well as the board of directors
      • Were limited in their ability to fully implement an effective risk management program due to independence concerns
      • COSO viewed as a good start, but incomplete
  • 6. [Diagram: Operational Risk. Labels: People; Process; Systems; External Events; Internal Fraud; External Fraud; Clients, Products, & Business Practice; Damage to Physical Assets; Employment Practices and Workplace Safety; Execution, Delivery, & Process Management; Business Disruption and System Failures]
  • 7. In 2004, COSO enhanced the integrated framework to extend beyond operational risk
      • Emphasized the continuous nature of an effective program
      • Established the critical link to strategic planning and solidified the need for a true CRO within an organization
  • 8. [Diagram. Labels recovered from the slide: Liquidity Risk; Credit Risk; Market Risk; Operational Risk; Compliance / Legal Risk; Product Pricing / Valuation Methods; Underwriting Standards / Documentation; Counterparty Failures / Fraud; Statistical Modeling / Value-at-Risk; People; Process; Systems; External Events; Risk Management]
  • 9.
      • Articulating the organization’s risk appetite
      • Integrating risk management disciplines and streamlining approaches
      • Wavering support from the board of directors and/or the CEO
      • Not having the full complement of skills required for the role
      • Tight budgets / making a compelling business case
      • Organizational culture
      • Misaligned incentives and lack of accountability
  • 10.
      • The Chief Audit Executive (“CAE”) typically has both the full appreciation and perspective of the company’s entire risk portfolio
      • The CAE and the CRO share a common goal of providing reasonable assurance of the successful achievement of company objectives
  • 11.
      Chief Risk Officer
      • Providing the overall leadership, vision and direction for Enterprise Risk Management
      • Establishing an integrated risk management framework and developing the supporting infrastructure
      • Developing risk management policies, including the articulation of management’s risk appetite
      • Implementing a set of risk indicators and reports
      • Allocating economic capital to business activities based on risk profile
      • Communicating the company’s risk profile to key stakeholders
      Chief Audit Executive
      • Evaluating the risk portfolio and determining business activities to monitor and/or examine
      • Providing independent assurance on the effectiveness of the risk management program as well as compliance with applicable laws and regulations
      • Investigating and reporting incidents of fraud or ethical violations
      • Serving as an internal consultant on risk related activities such as providing education and facilitating risk evaluation
      • Communicating independent view and key findings to management and the board of directors
  • 12.
      • Reporting relationships – CAE must maintain independence
      • Political influence over decision making
      • Inappropriate shift of responsibility, particularly during times of expense control and resource / skill constraints
  • 13.
      • Recent crisis demonstrates the need for a holistic, integrated approach to ERM
      • In most cases, ERM cannot be led on a part-time basis by the CEO or other member of C-suite
      • Need to combine risk discipline and analysis with sound business judgment
      [Bar chart: “How has the recession and economic turmoil impacted your ERM approach?” Horizontal axis 0% to 50%. Categories: Reinforcing role of the CRO; Involving board and senior executives more in ERM; Expanding ERM to cover more types of risk; Reassessing risk culture; Involving all employees in ERM; Not making any changes]
      Source: 2009 Treasury & Risk Magazine ERM Survey
  • 14.
      • Board members from major U.S. public companies see room for improvement in their ERM programs in many areas
      • Addressing these concerns will require a solid partnership between the CRO & CAE
      • Right skills and technology are critical to successful improvement
      [Pie chart: “What aspect of risk management is posing the greatest challenge to your company?” Understanding the link between strategy and risks 25%; Mitigation of risks 21%; Assessing risks 17%; Identification of risks 17%; Tracking and reporting on risks 9%; Acting on the risk information 8%; Other 3%]
      Source: 2009 KPMG Audit Committee Survey
  • 15.
      Chief Risk Officer
      • Ensure risk management is fully incorporated in the strategic planning process
      • Align performance, risk and compensation management systems
      • Focus on both quantitative and qualitative aspects of risk profile – do not blindly accept model results
      • Maintain consistent communication channels and agreement on risk appetite
      Chief Audit Executive
      • Provide objective, unbiased viewpoint of risk management practices through peer and competitor benchmarking
      • Perform risk-based audits that equally challenge both high performing and poor performing business units
      • Exercise authority to investigate fraud
      • Proactively communicate any gaps in risk assessment or mitigation plans to management
  • 16.
      • Risk & Control Program Analysis: Program Maturity Evaluation; Benchmarking; Gap Analysis; Enhancement Road Map
      • Enterprise Risk Assessment: Framework Construction; Risk Catalog Creation; Risk Appetite Definition; Risk Assessment Methodology
      • Governance, Risk & Compliance Automation: Requirements Definition; System Evaluation / Selection; Implementation Assistance
      • Compliance Process Improvement: Organizational Review; Process Analysis & Redesign
  • 17. Wheelhouse Advisors LLC, 1170 Peachtree Street, Suite 1200, Atlanta, Georgia 30309. John Wheeler, Managing Principal, +1 (404) 805-9203 x1703