Why Warren Buffett is wrong on chief risk officers

The "Oracle of Omaha" believes that the buck stops with the CEO but his reticence on chief risk officers fails to recognise what it is that CROs actually do.

Warren Buffett is a very smart man, but he is leaving the wrong impression on the topic of risk management. A colleague forwarded me this interview from the Motley Fool website titled: Buffett Says “Chief Risk Officers” Are a Terrible Mistake. That is a very sketchy statement, so I had to dig in.

In a video clip from the 2013 Berkshire Hathaway shareholders meeting, Lawrence Cunningham, author of The Essays of Warren Buffett: Lessons for Corporate America, says:

“A common response to the ‘08 crisis…was to have every company appoint a Chief Risk Officer… This whole new industry…within corporate governance has installed this new person to be in charge of all risk activities… Buffett just declares this an abdication of responsibility. And a terrible mistake. The CEO is the CRO… only [the CEO] can really get the whole picture. You can’t delegate risk to this manager and leave it there. It has to come to [the CEO’s] desk. [Buffett] is emphatic about that.”

This left my head spinning on right and wrong, so I purchased my own copy of the book, and this is what Buffett says:

“I believe that a CEO must not delegate risk control.” “If Berkshire gets in trouble it will be my fault. It will not be because of misjudgments made by a Risk Committee or a Chief Risk Officer.”

Well, hallelujah. I don’t disagree with a word of that, so what’s my problem with Buffett? I decided to DuckDuckGo “Buffet risk management” to see if there was any clarification on his thoughts regarding the role of risk management departments and the appropriate role of a chief risk officer, and I found this clip of Buffett from January 23, 2010. In it he says:

“When you have a company as large as Berkshire and all the obligations we have…I have to be the Chief Risk Officer. I should be the best person to do that because I have this overview of the whole operation and I understand risk …”

Buffett carries a lot of weight with his guidance and he is pushing back against the idea of an office that measures and reports on risk-related information to executives. This is a very bad idea.

So there it is. This is where I disagree. Fundamentally, a CRO never makes decisions on behalf of executives. The role should be to facilitate a balance between the needs to protect the company and the needs to run the business.

I’m at odds here, because you have to read very carefully everything that is being said, and I agree with most of it. Here’s the breakdown of right and wrong (LC = Lawrence Cunningham commenting on Buffett’s views, WB = Warren Buffett):

WRONG: LC: “This whole new industry…within corporate governance has installed this new person to be in charge of all risk activities.” – Where this is happening, it is an inappropriate implementation of a CRO role.

RIGHT & WRONG: LC: “Buffett just declares this an abdication of responsibility. And a terrible mistake.” Where it has been inappropriately implemented he is absolutely right. He is wrong because he is stating this as the definition of a CRO. It is not.

RIGHT: LC: “You can’t delegate risk to this [CRO] and leave it there.” Of course you can’t. Anyone doing this doesn’t have a CRO. They have a scapegoat.

RIGHT: LC: “[Risk information] has to come to [the CEO’s] desk. [Buffett] is emphatic about that.” And a good CRO does that. It is their job.

RIGHT & WRONG: WB: “I believe that a CEO must not delegate risk control.” – This is right because it is absolutely true. It is wrong because it is made in the context that a CRO is delegated to make risk decisions. They are not.

RIGHT: WB: “If Berkshire gets in trouble it will be my fault. It will not be because of misjudgements made by a Risk Committee or a Chief Risk Officer.” – Absolutely true. I don’t know anyone who would suggest otherwise.

WRONG: WB: “When you have a company as large as Berkshire and all the obligations we have…I have to be the Chief Risk Officer.” – This is just final confirmation that Buffett does not understand what a CRO does. Probably because he doesn’t have one and is offended by his own perception, so he has never interviewed a true risk professional.

WRONG. DEAD WRONG. WB: “I should be the best person to do that because I have this overview of the whole operation and I understand risk …” – This statement implies that all CEOs should be responsible for knowing every critical detail of their organisation. It minimises the idea that a risk department could gather information, weigh options, and make recommendations regarding risk.

Well, I congratulate him for having this level of oversight, but I’m willing to guess most CEOs could use a little help.

So here’s the bottom line. I’ll bet you that Warren Buffett and I agree on every single point written here. This is speculation because I didn’t run this by him before publishing. I’ll bet he has teams of people who regularly gather and report information to help him make informed risk decisions. What I truly disagree with, then, is the way this all reads as he puts it out there in the marketplace of ideas.

Organisations are struggling because they do not have a good view of the risks facing them. They need organisation of this information reported in a business context to support business decision making. I know organisations need this because I see it every day.

I wish he wasn’t out there giving executives a reason to say they don’t need risk departments or CROs.

Paul Proctor is a vice president, distinguished analyst, and the chief of research for security and risk management at Gartner.