The Business of Risk: A CFO’s View of Risk Management

By Gary Perlin and Kenneth M. Eades

Newswise — Business is risky — and getting more so. In recent years, given the increasingly complex challenges posed by the economy, regulatory oversight, technology advancement and everything in between, organizations across industries are working to incorporate enterprise risk management (ERM) into their business models.

To discuss ERM and provide insight from the chief financial officer’s point of view, Gary Perlin spoke at the Darden Institute for Business in Society (IBiS) Strategic CFO Roundtable, a select peer-to-peer forum founded in 1998 by IBiS Fellow Jane-Scott Cantus (MBA ’90) and Darden Finance area chair Kenneth M. Eades and led by them both.

Perlin served as CFO of Capital One Financial Corporation from July 2003 to May 2013, then as senior adviser to the CEO until his retirement in February 2014. Not one to actually retire, he has since been involved in a number of professional endeavors, including helping the U.S. Department of Treasury to establish the department’s ERM function. Perlin, a member from 2008 to 2013, is now an emeritus member of the Darden IBiS Strategic CFO Roundtable.

After the roundtable discussion in June 2016, Professor Eades sat down with Perlin to discuss ERM and the CFO’s approach to collaborating with the chief risk officer (CRO).

The CRO Needs Clout

Q: Why is the financial sector particularly appropriate for studying ERM and the CRO’s role at its helm?

A: It’s one of those sectors in which ERM has come to maturity faster than others. The CRO role actually developed first in the energy sector. Companies and regulators dealing with nuclear power have a keen understanding of the potential for catastrophic failure, and it was first evident to them that independent and empowered ERM teams were required to ensure that risks were not overlooked. Early on, the financial sector learned from the experience of power companies — especially given the prospect of potential market failures that’s been apparent for the past 20 years.

One critical lesson is that an effective CRO needs clout, and in the financial sector, as in energy, CROs often derive their influence from the regulatory authorities who depend on them to provide a window into companies’ risk positions. The clout’s built in when it comes to the two industries; I can tell you from personal experience that when regulators are aware of a CRO’s concerns, companies quickly learn to factor those risks into their deliberations. By the same token, CROs can play a critical role in assuring outside stakeholders that business decisions are being made by boards and executives who are appropriately mindful of the risks.

No Chicken Littles or Monday Morning Quarterbacks

Q: Did you confront unique challenges as you defined and refined the CFO/CRO relationship?

A: I am a CFO who — admittedly, over a period of time — came to appreciate the value of a CRO.

I arrived at Capital One shortly after its ERM team was established. While I personally appreciated the importance of risk management and had a high regard for the newly named CRO, we had to navigate areas with an uncertain organization of responsibility between Finance and Risk.

One was the critical area of loss estimation and the related accounting provisions. While I had direct responsibility for the loss allowance on the balance sheet and felt ownership of the area, it was based on our best estimate of future losses, which came from the expert credit team in ERM. However, that team’s inclination was to come up with a maximum loss rate, rather than the likeliest, which led to an understandably conservative view. The CRO’s job, after all, was to think about worst case scenarios, while mine was to ensure that our financial statements were sound and in accordance with accounting standards.

In the end, we developed a highly workable approach that — along with back-testing of the adequacy of loan loss allowance — ensured that our balance sheet was presented in full accordance with accounting standards. As for the downside risk, the CRO and I worked together to ensure that the company’s capital position was adequate to cover any unexpected losses, i.e., those which by definition were not captured in the loss allowance.

Another challenge was in evaluating new investments. The CRO had to actively assess all risks, while as CFO, I felt it was my obligation to make and facilitate investment decisions that were appropriate and balanced with considerations of expected returns.

Q: How did you find a balance in these overlaps of responsibility?

A: Ultimately, by understanding our different roles. Risk did not have to temper their specialist views, and Finance could own the risk-return calculus.

Finance had to learn to welcome Risk’s valuable inputs even when they made us think twice about an otherwise popular investment. We also had to learn, in looking back on decisions we regretted, that those decisions still could have been appropriate in view of then-known risks and anticipated returns.

For their part, Risk learned that before and during the process, they needed to avoid coming across as Chicken Little proclaiming the sky was falling, and when things didn’t go as planned, they had to avoid coming across as Monday Morning Quarterbacks.

Risk and Reward

Q: Once you came to an understanding about one another’s roles, were there benefits to the CFO/CRO partnership?

A: Absolutely. Over the years, I went from simply accommodating Risk’s different perspective to appreciating the distinct value they added.

As a CFO making countless risk-return tradeoffs, mostly in real time, what I needed my CRO partner to do was to step back and ensure that we were looking at the accumulated risks of the business choices that were made across the enterprise. The CRO was the best-placed executive to assess whether our risk positions remained in line with our corporate risk appetite, especially when those decisions were made by disparate parts of the company and as the overall risk environment changed appreciably.

At the same time, I relied on the CRO to ensure that the ERM team’s risk inputs to future decisions reflected both our experience and an appreciation that making no decision was often the riskiest path.

Q: At its best, what should ERM look like within a company?

A: ERM should be an enabler of forward-looking and thoughtful risk-taking in the interest of achieving business objectives. When properly utilized within the company, ERM promotes an engaging and productive environment within which management takes responsibility for identified risks and gets the best return for those risks.

To that end, ERM should:

• Serve as a trusted yet independent adviser to business leaders by performing both formal and informal risk assessments in real time, before decisions are made. ERM also helps guide the setting of risk appetites and identify when there is a serious risk of exceeding them. The goal is to ensure management is well-informed and comfortable with risk-return tradeoffs.
• Provide risk oversight to ensure that both collective and individual risks are understood and owned. To do this, ERM needs to become a trusted partner by consistently presenting and discussing risk with the owners. The goal is to create a broadly shared appreciation of risk exposures and trends, and actively prioritize key risk mitigation efforts.
• Assess various types of risk using well-grounded and consistent methodologies to consistently identify business risks. The goal is to for ERM to become a resource across the company that enables prudent risk-taking to achieve business objectives.

Much of that adds up to the importance of a sense of partnership with ERM; it should neither be treated as the final word in what specific risks should be taken, nor dismissed as simply an audit and inspection function.

It’s to be taken seriously; companies are ill-advised to treat ERM like just another initiative that gets a check in the box.

The preceding is drawn from “A CFO’s View of Risk Management: What It Should Be, What It Shouldn’t Be and How It Can Work,” the June 2016 Views from the C-Suite, a publication of the Darden School’s Strategic CFO Roundtable, one of the key initiatives of the Institute for Business in Society at Darden. The roundtable is a forum in which leading CFOs in the Washington, D.C., area discuss, debate and share best practices surrounding the strategic role of the CFO.