The global financial crisis was a painful lesson about the importance of enterprise risk management (ERM) for financial services firms. The easy growth and easier money that were rampant prior to the crisis had the effect of diminishing the role of risk managers. This created an environment in which firms made themselves—and the global economy—vulnerable.

Their ability to bring down global financial markets requires risk managers in financial services firms, including insurance companies, to lead the way toward risk management best practices. Other organizations can learn a great deal from their efforts to improve their risk management processes.

In a report to the Financial Crisis Inquiry Commission, Anil K. Kashyap explains that among the top 100 U.S. banks in 2006, a third did not employ a chief risk officer (CRO), and among those that had CROs, only 57 percent considered their CRO to be an executive officer of the company. Today, six years after the start of the worldwide recession and four years after Congress passed the Dodd-Frank Act to reduce the likelihood of another financial meltdown, risk management in the financial services industry has changed dramatically. A recent survey of bankers at firms with more than $1 billion in assets found that 97 percent of banks now have a chief risk officer or equivalent position on staff; for the biggest firms, Dodd-Frank made this a requirement. But quantity is not a synonym for quality, and there is a growing concern that the ERM programs at banks and insurance companies will not be effective when they are needed most.

The most successful risk management programs have three common characteristics: collaboration, transparency, and people who have the training and authority to make important decisions about the business's strategic direction. Today, risk departments in financial services firms may have one or two of these traits, but very few share all three. If we are to truly learn from our past experience, we cannot be satisfied by the mere expansion of risk management programs. The effectiveness of these programs will determine the health of the organizations, and of our economy, over the long term. It will also set the direction to follow for businesses in a wide range of industries, as financial services firms review the ERM processes used by their customers and offer lower insurance rates and lending costs as incentive to implement best practices.

Collaboration and Partnership

The first challenge for a risk management program is managing how it is perceived by business units within the company. Risk departments are too often viewed as in-house regulators, responsible for reviewing and approving strategic proposals as the last step before the proposals get under way. The expectation is that the CRO will give proposals a green light—or perhaps, occasionally, a stop sign—then move on to the next project. This common approach, which views risk teams entirely through the lens of constraints, fails to capitalize on the expertise and counsel that a risk team can provide.

CROs should be viewed by business leaders as partners who provide guidance to ensure that a particular business strategy does not carry inappropriate risk. Their role is not to stand behind a curtain delivering verdicts on whether business units can move forward with their plans. An evaluation needs to be a two-way conversation between business units and risk managers, with the interaction leading to improved decision-making.

This understanding of the process is crucial both for individual companies and for the risk management profession overall. There is little added value in being seen as a team capable only of stopping projects. Now is the time for risk managers, who enjoy a more prominent position following the global recession, to establish themselves as valuable partners to the business—before the memory of the crisis fades. A 2010 report from the Economist Intelligence Unit found that just four in 10 executives from around the world expect risk managers to provide analysis that helps management set corporate strategy. A risk team brings specific risk expertise to the table. More important, they spend more time than line-of-business leaders thinking about interactions between risks, and about risks that emerge over longer time horizons. A CEO can benefit from the risk team's understanding of the company's overall risk exposures and their holistic analysis as longer-term strategies are developed.

One important step for a company to properly leverage its CRO is to include him or her in decision-making throughout the strategic development and capital planning processes. When companies wait to engage CROs until after a proposal is fully developed, they give risk teams scant opportunity to do anything but produce a report evaluating the proposal's potential pitfalls. Involving CROs in the front-end planning dramatically increases the likelihood that the final product will include proper risk management measures.

For example, in today's environment, an insurance company might look to the risk team to develop scenarios surrounding longevity risk, interest rate and stock market volatility, and how the growth in a specific product line or asset class might impact the firm's rating through concentration risk. Doing so would be a win-win.

CRO Is Executive-Level

Inappropriate use of risk management teams often results when a company seeks CRO candidates with the wrong skill set or when risk managers are given too small a role in the company's leadership reporting structure.

Unfortunately, the CRO position often falls to individuals whose business expertise or experience is inadequate preparation for the role of strategic adviser. Risk teams tend to be filled with junior technocrats who are well-equipped to collect quantitative data and construct models, but not to peer-review the assumptions of the model or develop business solutions to challenges that their model reveals. A CRO candidate needs experience solving problems in one or more of the company's business units before advancing out of the realm of the quants. Another scenario in which risk managers may avoid taking on a business-leadership role is when the CRO is a member of the corporate HR or IT team and is not comfortable dispensing strategic counsel due to lack of practitioner experience. This is certainly a contributing factor in the lack of collaboration between risk teams and business units.

Another common issue is that CROs may not be in a position to challenge the board and leadership if needed. A recent Ernst & Young survey of CROs in insurance companies found that fewer than half report directly to the CEO and more than a quarter have no formal access to the board. Without a direct line to the chief executive and other key members of the leadership team, the CRO will have little ability to influence decision-making, especially in the face of intense pressure for higher revenue and profits. Leaders of successful business units have significant leverage in debates over the risks associated with their actions. A close and trusted relationship between the CRO and CEO is crucial in ensuring that no business leader becomes "too big to challenge."

Finally, an ideal risk management team would include two separate positions—a member of the leadership team who coordinates strategic planning with the CEO and a manager who is responsible for ensuring consistency between the business units. These roles, which could be combined with other responsibilities, are not common today. In truth, risk management is everyone's responsibility, and an executive-level CRO can be an effective tool for ensuring each unit is considering risk appropriately.

Firms excel by hiring employees whose background and skill set match the position. Risk management is an area in which some companies are not abiding by this key tenet of talent acquisition. The risk team should be led by someone with practical experience managing risk—including technical expertise across many risks—as well as the ability to aggregate risks across a company.

Transparency Breeds Trust

The last ingredient in an effective risk management program is transparency. For CROs to maintain the respect and trust of their colleagues, they need to use methodologies and assumptions for evaluating risks that are clear and consistent across all of their work. Developing a process with a risk glossary, consistent capital charges, and regular two-way communication with the product lines will lead to a risk strategy that nearly runs itself, as goals are clear and opportunities compete on a transparent and fair basis. Adhering to this principle will accomplish three goals that will benefit a company's risk culture and bottom line:

First, business units will develop a deeper understanding of the company's metrics for evaluating risk, removing questions of objectivity in risk managers' analyses. Establishing a companywide foundational knowledge of risk management metrics will also contribute to establishing a healthy risk culture within the firm.

Second, transparent and consistent metrics will help company leaders determine the areas in which capital allocations will be most effective. According to the Ernst & Young survey, capital allocation and optimization are the most common uses of the risk quantification that CROs produce. CEOs and other decision-makers have a better opportunity to make efficient choices when they are confident in the process and methodology that produce the information coming out of their risk management function.

Third, transparency will help internal and external stakeholders better understand how effectively the company is managing its risk. Board members historically have had a distant relationship with ERM, but that has been quickly changing as board members' role regarding risk has become more obvious in the wake of the financial crisis. Clearly articulating the CRO's process for assessing risk, and publishing reports detailing items like risk exposures and economic capital using risk dashboards and exception reports, will provide boards with an easy entry point to become more engaged in risk management. From an external view, transparency is likely to improve a company's relationship with stakeholders like the public, investors, and regulators.

Capitalizing on an Opportunity

The increased role of CROs and risk management teams in setting the strategic direction of financial services firms such as insurance companies presents a remarkable opportunity for risk experts to use their unique skill sets and demonstrate their value. As they've developed transparent and collaborative risk management, with CROs that hold real clout in the organization, they've pioneered best practices that companies in other industries would do well to emulate.

In a recent Survey of Emerging Risks I conducted, which collected feedback from more than 200 risk managers, 77 percent of respondents said they believe their roles and responsibilities will expand in the future. This is the highest level of expected growth in the seven-year history of the survey. At the same time, only half said they expect their funding to increase, revealing a potential obstacle to developing strong risk management strategies during a time of increasing regulation and compliance requirements.

Developing an effective risk process does not require large teams of "quants." An employee with the ability to review a proposed plan quantitatively and qualitatively, acting as an objective contrarian who challenges conventional wisdom, is in high demand. In fact, employers often cite a lack of high-quality talent as a central barrier to growing their risk programs.

The global financial crisis left behind an environment where risk management is recognized as a key ingredient to a successful firm. But in the rush to develop these programs, we must ensure that CROs are in a position to succeed as risk managers and business partners. If the CRO collaborates internally, conducts his or her work transparently, and has the authority of an executive-level officer, the risk management team can play a key role in helping business units realize their potential to achieve responsible and sustainable profits.

Max J. Rudolph is founder of Rudolph Financial Consulting, LLC, a fellow of the Society of Actuaries, and a Chartered Enterprise Risk Analyst. He frequently writes and presents on enterprise risk management strategies and conducts an annual "Emerging Risks" survey. His common sense approach helps companies develop their Own Risk Solvency Assessment (ORSA) reports to better understand the risks they have accepted.