VIEW on risk management

Chief Risk Officers: Time for a Seat at the Table

In the wake of year one of Sarbanes-Oxley compliance for U.S. public companies, there are greater challenges and higher expectations in addressing enterprise risk. Compliance is not a matter of completing a one-year project and going back to business as usual.

Lee Dittmar: "Chief risk officers are an effective organizational and procedural response to increased regulation."

Rodney Kinzinger: "The chief risk officer should be viewed as a peer to others in the C-suite, equivalent to the chief operating officer, chief financial officer, or chief information officer."

Life-sciences and healthcare organizations must develop processes and operating structures that sustain compliance with Sarbanes-Oxley. Part of that sustainability is having someone in place to make sure that risk-management programs are doing what they were designed to do. For many organizations, that person is, or will be, the chief risk officer.

It is time for the chief risk officer to take a seat at the table with the other members of the C-suite. Regulatory compliance with Sarbanes-Oxley has become complex enough that making sure a life-sciences or healthcare organization is managing risk the way top management thinks it should be is now a full-time job.

Why do companies need chief risk officers?

Sarbanes-Oxley may be the additional impetus organizations need to act on appointing a chief risk officer. Compliance with Sarbanes-Oxley is dynamic: the risks associated with financial reporting and monitoring change with an organization's status, which makes sustained compliance a challenge. In addition, the New York Stock Exchange now requires listed companies to review their risk-management policies with the audit committee and to give the committee information about their most significant financial risks and the strategies in place to address them.
Chief risk officers are an effective organizational and procedural response to increased regulation. Financial services and trading organizations were among the first to embrace chief risk officers because their industries are so heavily regulated. Now the concept is making its way into other markets, including life sciences and healthcare. To date, life-sciences companies have been the most receptive industry segment. Not all life-sciences organizations face the same level of risk, however; it is the more heavily regulated companies that have the greatest need for a chief risk officer.

Organizations in other industry segments should also consider adding a chief risk officer function. The regulatory compliance process is somewhat different for healthcare providers and health plans than it is for life-sciences companies: health plans carry more Medicare and Medicaid reimbursement risk, and their operating and financial risks tend to be better known. The risks are there nonetheless. In addition, the Sarbanes-Oxley reporting requirements that now apply to publicly traded companies may well be extended to nonprofit organizations, adding another layer of complexity to the compliance process and another level of risk. Many private health plans and nonprofit providers will adopt requirements similar to Sarbanes-Oxley even though they are not SEC reporting companies, in part because they realize that an organized approach to identifying and managing risk is a smart thing to do.

Oversight, Not Operations

Key to a chief risk officer's effectiveness is his or her organizational placement. This executive should be viewed as a peer to others in the C-suite, equivalent to the chief operating officer, chief financial officer, or chief information officer. Risks are discussed day to day in executive meetings.
If the chief risk officer does not have a seat at the table and instead operates in a vacuum, he or she will not be able to identify, evaluate, and manage the organization's risks effectively. Often the chief risk officer reports to the CEO and supports the CEO's day-to-day reporting on risk-management activities. In other organizations the position reports to the lead director. In either structure, the chief risk officer helps the board understand where risks are located so the board can focus its attention on those areas.

Chief risk officers do not have operational responsibilities; giving them any would defeat the purpose of the function. Their role is to develop and oversee the processes by which enterprise-level risks are assessed, reviewed, and reported. Once those risks are agreed upon, the chief risk officer informs the other senior executives, the audit committee, and the board about the risks and about the prevention and mitigation strategies in place to address them. It is then operations' responsibility to implement the risk-management programs.

An organization must keep its risk profile consistent with its business strategy, and the chief risk officer's role is to shine a light on issues that might affect that profile. If, for example, the company is considering developing a new drug or entering a new market, the other executives will be weighing the scenario in terms of growth, market share, and so on. The chief risk officer filters it from a risk perspective: What regulatory issues will we face? What contingencies should we prepare for? The chief risk officer provides balance in these discussions, making sure that others are aware of what might go wrong and what plans the company has in place to address potential problems. The chief risk officer works closely with his or her executive counterparts to develop programs that avoid or mitigate risks.
For example, the chief risk officer might review leading risk-management practices in one department to assess how they could be applied to other areas. The chief risk officer can also influence the way an organization conducts strategic planning.

A Small but Growing Profession

While the chief risk officer position is well established in the financial services and energy industries, the concept is relatively new in other markets. The total number of chief risk officers remains small but is growing as executives move from one industry to another and cross-pollinate ideas and leading practices. Adoption is at a very early stage in life sciences and healthcare because organizations are only beginning to recognize that a robust risk-management function can help them manage the challenges arising from Sarbanes-Oxley and other regulatory mandates.

Organizations that are reluctant to establish a chief risk officer function say they already handle the risks a chief risk officer traditionally oversees: financial risk is handled by the treasurer's office, catastrophic risk is managed by the property and casualty group, and internal audit reports up through the chief financial officer. Yet this structure can foster silos and work against the creation of a comprehensive risk profile. And if various departments conduct independent risk assessments, they may duplicate effort and generate unnecessary expense.

In highly regulated environments such as the life sciences, it is important to consolidate information about an organization's risks. Someone needs enterprise-level authority to address problems, make changes, or arbitrate when an operational group steps outside the risk boundaries the corporation has set. The chief risk officer function, by design, does exactly this.
Even if life-sciences and healthcare organizations choose not to create a position called chief risk officer, they must institutionalize the concept and function of enterprise risk management. There is an absolute need for this skill set, competency, and organizational focus, because a long-term approach to sustainable compliance requires an efficient and effective infrastructure of people, process, and technology that enables repeatable, reliable compliance actions across operational departments.

Sarbanes-Oxley requires senior executives to demonstrate effective internal controls and to provide accurate, transparent, reliable, and timely information to stakeholders. As organizations worked through year one of compliance, many discovered that their financial, IT, and regulatory risk processes were not as complete as they had thought. Now they need someone at the table to roll up their sleeves and compare what the organization has done around Sarbanes-Oxley with its other risk activities, to make sure everything is fully compliant in year two and beyond. It sounds like an opportune time to add a chair for the chief risk officer.

For more information, visit deloitte.com/us. PharmaVOICE welcomes comments about this article. E-mail us at [email protected].