Governance at the C-Level: The Evolution of the CRO and Other Factors Driving Risk Management



Organizations continually adapt as markets, operating environments and demands change. Business roles, responsibilities and management structures have shifted in the face of today’s mobile, social, global and networked world.

To keep pace with this change, responsibility for governance, risk management and compliance (GRC) has moved up the hierarchy and, appreciating its significance in driving business performance, C-level executives (aka CXOs) are working to embed a GRC ethos into the business fabric.

A robust GRC program seeks to mitigate and manage many significant risk and compliance issues. These include product recalls; compliance failures and fines; corporate scandals; uncertainty around social, economic and political turmoil; and cybersecurity breaches. The latter, in particular, has been a mainstay in our newspaper headlines — and that’s not surprising when you consider that 66 percent of organizations have faced at least one cybersecurity attack in the past 12 months.

Organization-Wide Reorganization

C-level roles are evolving and responsibilities in the organization are also being realigned. For example, compliance used to report to the chief legal officer (CLO), whereas it is now under the auspices of the chief risk officer (CRO) at some banks.

This is a step forward. Not so long ago, GRC activities were often managed in small power centers or by a tiny group of individuals. Now, the responsibility is more central to the business. Indeed, an encouragingly high proportion (69 percent) of respondents to a 2016 GRC survey cited senior leadership as a role/function most likely to add value to GRC activities.

Senior sponsorship and embodiment of a GRC ethos is critical, but so too is an awareness and understanding throughout the organization. GRC activities must have a wide reach (both within and outside the company), and there is evidence that this is increasingly understood.

Take, for example, the position of partners and suppliers. In the past, they have often been excluded from GRC planning, activities and monitoring. But now roughly 70 percent of organizations include third parties in the scope of their cybersecurity programs.

This is a sign of progress — but there is more to do, nonetheless.

All Eyes on Corporate Governance

Good corporate governance not only sets out and communicates key policies (including those around ethics and policy compliance) but also covers enterprise risk and regulatory management. Moreover, it lays down the company’s risk philosophy, explaining how risk will be monitored and mitigated.

Of course, a comprehensive risk approach can’t be stationary — it needs to be agile and responsive. At some times, and across different parts of the business, the company may need to be more or less risk averse, depending on conditions, objectives and performance goals.

The goal is corporate growth and performance, but it has to be sustainable, ethical and verifiable through a business’s reliability and transparency — as well as through positive audit outcomes. This is why corporate social responsibility (CSR) is a strong emerging element under the corporate governance umbrella and occupies an increasingly prominent role in C-level priorities.

Business reporting must cover not only operations and performance but also compliance and risk management. To ensure effective corporate governance, reporting insights must account for the entire value chain — including vendors, strategic partners, government and regulatory agencies, analysts, investors, employees and customers. Here, we see GRC technology playing an enabling role.

Tone at the Top

A recent research report found that 92 percent of respondents believe organizational culture is a key contributor to enterprise resilience, suggesting that “… business longevity is not just a matter of being able to survive the latest disruption. It is about evolving in the face of change in a dynamic and complex world.”

Culturally and structurally, we do see that organizations are starting to take proactive steps to establish a strong ‘tone at the top’ that is reflected throughout the organization. Ensuring that all employees embody the firm’s risk and compliance vision — and, moreover, deliver its objectives through their day-to-day actions — is critical.

Of course, culture develops slowly and is often the last thing to change. Embedding GRC activities into systems and processes helps establish work habits that will, in turn, influence culture and establish good practices through documented (periodically reviewed) policies and procedures.

However, employees still need to be motivated to get on board with change. Only through their engagement will corporate culture start to shift to where leadership wants it to be. This is where a proper incentive program can help.

As Lori A. Richards, the former director of the SEC’s Office of Compliance Inspections and Examinations (OCIE), once suggested, corporate compensation systems should incentivize production, but in a manner that is consistent with the law, a firm’s code of ethics and the internal compliance and risk culture of a firm. “If the firm’s compensation incentives include only hard production numbers — how many accounts did you open, how much profit did you generate, how many deals did you ink — the firm may encourage employees to do so at any cost, and at cost to the firm, to its reputation and to its customers and clients,” Richards advised.

Welcoming a Changing Workforce

Mature millennials are now moving into, or already occupy, senior positions — and their outlook, attitude and ways of working now influence and even lead organizational change. This younger segment of the working population doesn’t relate to rigid hierarchies or inflexible linear processes.

They are used to social collaboration, mobile working and the use of the cloud in their own personal lives. Their progressive outlook is reshaping organizational and business models, with management structures springing up that support quick decision-making, faster cycle times and agility. Not surprisingly, more and more technology companies in Silicon Valley are adopting so-called ‘flat’ structures.

This agility, flexibility and ‘can-do’ attitude is a breath of fresh air in many organizations — but matters of governance must always be covered. At inception, company founders must not only ask themselves how the company will be sustainable over the long term but also put in place the foundations for a sustainable, risk-aware corporate culture.

This is critical, as it is the responsibility of founders and leaders to give the ideal culture every chance of thriving through a blend of creative minds, diversity and different experiences and backgrounds.

From the top down and bottom up, everyone must play a role in the integration of GRC into the fabric of an organization. This firmwide approach preserves corporate integrity and protects the brand and its reputation, creating prime conditions for high performance.

The original blog is featured on GARP.

Gaurav Kapoor, Co-CEO and Co-Founder, MetricStream

Gaurav Kapoor serves as the Co-CEO and Co-Founder, MetricStream Solutions & Services. Gaurav has been involved with the company since its inception and is responsible for strategy, marketing, solutions, and customer engagement. He also served as the CFO of MetricStream until 2010.

Previously, Gaurav held executive positions at OpenGrowth and ArcadiaOne. Prior, he spent several years in business, marketing and operations roles at Citibank in Asia and in the U.S.

He also serves on the board of Regalix, a digital innovation and marketing company. Gaurav has a bachelor's degree in Technology (with Honors) from the Indian Institute of Technology (IIT), a degree in Business from FMS, Delhi, and an MBA from the Wharton Business School at the University of Pennsylvania, where he graduated as a Palmer Scholar.