If properly empowered within the right company structure, the chief risk and reputation officer is potentially a great force for added value and good, says Andrea Bonime-Blanc

When it comes to issues of risk and reputation management, we are living in a time of corporate functional “silo-isation” – of internal fiefdoms, intra-company jurisdictional disputes and even pitched battles about who has responsibility for what, when, where, how and why.

Does compliance belong to legal, does ethics belong with compliance, does risk management belong under finance, where does corporate responsibility reside, does internal audit belong within finance, another function or no function at all? And who gets to have a direct or dotted line to the board or a committee of the board and, in that case, which committee of the board?

It’s enough to make your head spin.

One thing is clear about risk and reputation management: organisations of any size have a variety of functions, roles and initiatives that deal in one way or another with risk and reputation management and not always in the most coordinated way. And, while each organisation has a somewhat different set of risk and reputation concerns, everyone knows by now that they need to deal with these issues somehow. However, few have found the right way to structure the management of these issues internally and even fewer know how to align risk and reputation management optimally with their strategic plan.

The CRRO

A critical piece of the puzzle in achieving this alignment and integration of risk and reputation management with strategy is for organisations to build a new holistic executive role – the chief risk and reputation officer (CRRO).

Let’s put this assertion in context.

At first, there were executives and managers who cared (forcibly or by choice) about such things as quality, environment, safety, financial integrity and building a better business culture. Functions such as environment, safety and quality management were created and reported into existing executive, functional and business lines. That was back in pre-history before and during the 1980s. Let’s call it “Risk & Reputation Management Version 1.0: The Awakening”.

Age of chaos

Then a number of interesting trends began in the 1970s and 1980s culminating over the past decade. A dizzying array of roles, functions and initiatives within companies – sustainability, ethics, compliance, enterprise risk management, ISO certifications, corporate social responsibility, corporate responsibility, and more – were created. A concomitant array of chiefs also sprang up: chief sustainability officer, chief ethics officer, chief compliance officer, chief risk officer, chief corporate responsibility officer, and so on. Let’s call this development “Risk & Reputation Management Version 2.0: The Chaos”.

While many positive things have come from this time of chaos – more attention to stakeholder issues, performance metrics and reporting, greater transparency, code of conduct programmes – the time of chaos has also brought several drawbacks and complaints.

On the one hand, risk and reputation management practitioners (ie the various “chiefs”) complain that they’re not taken seriously enough by business people and don’t get the visibility and resources required to do their jobs effectively. During this time of chaos, “chiefs” have been chiefs often in name only as many have laboured under difficult constraints: small budgets, few resources, constant cuts and threats of cuts, no seat at the executive table, reporting to functions that may or may not have made sense, etc.

Business leaders, on the other hand, complain that there are too many of these functions, with little or no redeeming business value. Indeed, in the eyes of some business people – and not always incorrectly – many of these functions do not operate in a business-savvy manner, acting often as internal cops, naysayers or denizens of isolated and irrelevant silos where internecine warfare is more common than collaboration and productivity.

While there is truth on both sides of this divide, too often both parties miss the crux of the matter: properly structured, risk and reputation management can be a force for adding business and organisational value. Business people and risk and reputation practitioners have not yet fully or optimally engaged in a positive, value-added discussion about this real convergence opportunity.

Convergence dawns

But here’s the good news: while we are still in the age of chaos, we are seeing the emergence of a new period in the annals of corporate risk management – “Risk & Reputation Management Version 3.0: Convergence & Redeployment”. The kernels of what will ultimately come about – the convergence and coordination of risk and reputation management within organisations and redeployment of these internally aligned functions with the strategy and purpose of the organisation – are starting to show.

Take the example of Jack Lenzi, at ITT. When ITT recently restructured from a diverse global conglomerate into three separate but still large companies, Lenzi was asked to head a new function: vice-president corporate responsibility and chief ethics officer (VP CR/CEO). But don’t let the title (which may sound familiar) trick you – this role, while admittedly in its early-stage development, is on the cutting edge of what we are talking about.

It is a role that encompasses several inter-related but distinct functions under the general rubric of risk and reputation management including: ethics/compliance, sustainability, environment, health, safety and security, environmental affairs, global trade programmes, anti-corruption due diligence, operational business continuity planning and whistleblower/hotline issue management. Lenzi even leads the team managing ITT’s conflict mineral initiative.

The functions reporting into the VP CR/CEO don’t only co-exist but are being redeployed to improve efficiency, cross-functional coordination and efficacy on behalf of the overall company. By grouping them under one framework, it’s magnified the fact that each is a critical component of corporate governance. But that’s not all – Lenzi is striving to reinvent his role and functional structure so that they are seamlessly aligned with the company’s products, services and, ultimately, strategy.

Compliance is only the starting point; it’s also about mining the value inherent in the system. Lenzi is exploring the far reaches of how his functions can add value to ITT.

Strategic value

To achieve the objective of marrying risk and reputation management with strategy, organisations will need to create, repurpose and elevate a new role: that of CRRO – a real chief, with real standing, real resources and real strategic and business value. At ITT, Lenzi and his direct reports brief the chief executive quarterly, and Lenzi addresses the board governance committee twice a year.

A CRRO may come from a variety of backgrounds – maybe a chief ethics and compliance officer, a business unit leader, a chief risk officer, head of marketing, or maybe the general counsel or a corporate responsibility practitioner. No matter what the CRRO’s actual professional background and experience, he/she will need the following basics to fully live up to a constructive and value-added strategic role:

  • Risk and reputation management as a stand-alone executive level independent function that oversees risk and reputation functions (ideally ethics, compliance, risk, corporate responsibility, sustainability, and maybe even audit and investor relations).
  • Direct, unfettered access and/or reporting to the chief executive.
  • Direct, unfettered access and/or reporting to the board/committee of the board.
  • Membership of the executive team.
  • Meetings regularly and systematically with business unit heads.
  • Heading up a cross-functional risk and reputation management task force.
  • Being part of the company’s strategic planning and budgeting process.
  • Strategic objectives embedded into team metrics and performance management.
  • Unfettered access/knowledge of all crisis, risk and compliance concerns.
  • Membership of the crisis management team.
  • Membership of the enterprise risk management team.

Why is the CRRO role not only necessary but also a good thing? Most organisations understand that risk and reputation management has become a necessary part of their daily activity and overall responsibility. A quick look at the front or home page of any global media outlet would confirm this – risks are everywhere and reputations can be lost overnight. And boards of directors are getting savvy about risk and reputation oversight, more than ever before. And enlightened chief executives and c-suites have also caught on.

Proper risk and reputation management is not just about downside protection but also about real opportunity. An enabled CRRO can help bridge the divide, navigating risks successfully – to where opportunity, growth and positive results can be found.

Dr Andrea Bonime-Blanc is chief executive of GEC Risk Advisory, a governance, risk, ethics, compliance and corporate responsibility management consultancy. She is chair emeritus of the Ethics and Compliance Officer Association, a member of Ethical Corporation’s editorial advisory board, and a life member of the Council on Foreign Relations. @GlobalEthicist
