Risky Business: How CROs Can Help GCs Manage Threats

18 Dec 2018

Not long ago, risk management was widely seen as a box to be checked, an exercise for back-office bean counters in highly regulated industries. But following the financial crisis of 2008 and the explosion of data and new technologies, risk has been elevated to a board-level business issue.

This new appreciation for risk helps explain the rise of the role of the chief risk officer. While the role is not new, it used to be found mostly in the financial and insurance sectors. But with increasing complexity from globalization, technology, and increased regulation, the position has been introduced across a range of industries.

GCs v. CROs

The CRO role is quite distinct from, but complementary to, that of the GC. As we’ve covered in our “GC Redefined” articles before, the GC today wears many hats. You serve as a trusted adviser to the CEO, head the legal department, partner with colleagues across functions on a range of legal and commercial issues, and interface with regulators. Your influence in an organization derives from your credibility, judgment, and ability to deliver superior advice and service.

In contrast, the chief risk officer is a role with robust built-in authority but with a more focused mission. It involves measuring the level of risk taken across an organization and assessing whether that level falls within the organization’s risk appetite.

For many companies, having such a role is a luxury, but it brings clear value. “If you have someone who has responsibility for enterprise-wide risk, it is all being looked at and considered cohesively, which is important because one risk interplays the other,” says Zoë Newman, Managing Director in Kroll’s Business Intelligence and Investigations practice. “So, for example, understanding how your business data is vulnerable to theft by a competitor is very similar to understanding what data might be compromised in a cyber breach.”

As a former general counsel who now serves as the Chief Risk Officer at Monzo Bank in London, Dean Nash is intimately familiar with the differences between the two roles. He notes that “the challenge for CROs is establishing influence in an organization when the job is to find potential problems and in some cases be a thorn in the side of management.” 

“With that mandate, it can be quite hard to create a platform of influence when people are saying to you, ‘What real value are you driving here?’” he says.

Thinking in systems

To establish good relations with the GCs and other executives, Nash says it is important for the CRO to talk about “systems of risk management rather than individual risks.” So, for example, in the area of legal risk, the CRO and the GC will ideally work together to agree on the appropriate level of legal risk the company can accept to achieve its business goals. The CRO could then advise the GC on systems to contain those risks.

“What I don’t think the CRO should do is dive in and say, ‘I don’t agree with this or that piece of advice,’” says Nash.

How the role of the CRO evolves will likely depend on the level of influence companies and their boards invest in it. At Monzo, Nash reports to the board of directors and the CEO, and only the board has the authority to fire him. That kind of authority is critical for CROs, he notes.

“It stands to reason if you’re poking and prodding, and the CEO decides you’re just a troublemaker and you should move on, that is a risk in itself,” says Nash.

Is your role being redefined?

Increasing complexity facing businesses likely means more opportunity for CROs to add value. If your GC role is being redefined by the rise of the CRO, what’s the greatest value between you and your CRO, and what steps can you take to maximize this relationship?

This post is part of a thought leadership series, “The GC {Re}Defined,” which explores how technology is reshaping the role of the GC.


