Today’s enterprises face a lot greater uncertainty, as well as a wider range of risks — existing and emerging. How much risk does an enterprise believe it needs to accept, in order to deliver its objectives? Most enterprises fail to define this clearly, making it meaningless for those making daily business decisions.

One expects the board of directors to understand risks, not just financial or compliance based. The board needs to form a view of the risk culture in the company and the extent to which that culture supports the company’s ability to operate consistently within its risk appetite. Risk governance is about setting the scope for everyone in the organisation to understand their role — in taking and managing risks, while pursuing their business goals. Among the structures that may help the board is the establishment of a board risk subcommittee and in appointing a chief risk officer (CRO).

Less than 10 per cent of the Indian listed corporates actually do have a position of CRO. Amongst those who do, if not for regulations mandating those roles, won’t even have it.

Most of the non-financial sectoral regulators and enterprises are yet to understand the seriousness of this role. Even in the currently filled-in CRO roles, very few of them have direct independent access to their board members, or even actually interact/report to them regularly.

Three eras

The evolution of CROs can be seen as three eras: the first being pre-Global Financial Crisis (GFC), where the CRO was responsible for identifying and managing risks related to compliance and regulation. Then came the era between post-GFC till pre-Covid, where the CRO’s job was to steer the organisation away from any financial risks. With some of the biggest corporate governance failures and going down of a few institutions in this period, the role of the CRO expanded to include a broader range of risks such as operational, innovation and reputational risks. The learnings post-Covid have necessitated the CROs to play an engaged role in the overall management of the organisation and contribute strategically, including working closely with the board of directors and executive leadership team.

Effective CROs have to rise above being just a cost centre, to being conscience-keepers. They are expected to not only point out issues, but to constructively and collaboratively evolve business solutions. They are not a report-generating office, but a line of confidence for their board, regulators and other external stakeholders.

Sridharan is a policy researcher, and Dang is CEO, Executive Access