Paul Proctor

A member of the Gartner Blog Network


Paul Proctor is a vice president, distinguished analyst, and the chief of research for security and risk management. He helps organizations build mature risk and security programs that are aligned with business need.

Warren Buffett is Wrong on Chief Risk Officers

by Paul Proctor  |  July 1, 2013

Warren Buffett is a very smart man, but he is leaving the wrong impression on the topic of risk management. A colleague forwarded me this interview from the Motley Fool website titled: Buffett Says “Chief Risk Officers” Are a Terrible Mistake. That is a very sketchy statement so I had to dig in.

In a video clip from the 2013 Berkshire Hathaway shareholders meeting, Lawrence Cunningham, author of The Essays of Warren Buffett: Lessons for Corporate America says:

“A common response to the ‘08 crisis…was to have every company appoint a Chief Risk Officer… This whole new industry…within corporate governance has installed this new person to be in charge of all risk activities… Buffett just declares this an abdication of responsibility. And a terrible mistake. The CEO is the CRO… only [the CEO] can really get the whole picture. You can’t delegate risk to this manager and leave it there. It has to come to [the CEO’s] desk. [Buffett] is emphatic about that.”

This left my head spinning on right and wrong, so I purchased my own copy of the book and this is what Buffett says:

“I believe that a CEO must not delegate risk control.” “If Berkshire gets in trouble it will be my fault. It will not be because of misjudgments made by a Risk Committee or a Chief Risk Officer.”

Well, hallelujah. I don’t disagree with a word of that, so what’s my problem with Buffett? I decided to DuckDuckGo “Buffet risk management” to see if there is any clarification on his thoughts regarding the role of risk management departments and the appropriate role of a chief risk officer, and I found this clip of Buffett from January 23, 2010. In it he says:

“When you have a company as large as Berkshire and all the obligations we have…I have to be the Chief Risk Officer. I should be the best person to do that because I have this overview of the whole operation and I understand risk …”

Buffett carries a lot of weight with his guidance and he is pushing back against the idea of an office that measures and reports on risk related information to executives. This is a very bad idea.

So there it is. This is where I disagree. Fundamentally, a CRO never makes decisions on behalf of executives. The role should be to facilitate a balance between the need to protect the company and the need to run the business.

I’m at odds here, because you have to read very carefully everything that is being said, and I agree with most of it. Here’s the breakdown of right and wrong (LC = Lawrence Cunningham commenting on Buffett’s views, WB = Warren Buffett):

WRONG: LC: “This whole new industry…within corporate governance has installed this new person to be in charge of all risk activities.” – Where this is happening, it is an inappropriate implementation of a CRO role.

RIGHT & WRONG: LC: “Buffett just declares this an abdication of responsibility. And a terrible mistake.” Where it has been inappropriately implemented he is absolutely right. He is wrong because he is stating this as the definition of a CRO. It is not.

RIGHT: LC: “You can’t delegate risk to this [CRO] and leave it there.” Of course you can’t. Anyone doing this doesn’t have a CRO. They have a scapegoat.

RIGHT: LC: “[Risk information] has to come to [the CEO’s] desk. [Buffett] is emphatic about that.” And a good CRO does that. It is their job.

RIGHT & WRONG: WB: “I believe that a CEO must not delegate risk control.” – This is right because it is absolutely true. It is wrong because it is made in the context that a CRO is delegated to make risk decisions. They are not.

RIGHT: WB: “If Berkshire gets in trouble it will be my fault. It will not be because of misjudgments made by a Risk Committee or a Chief Risk Officer.” – Absolutely true. I don’t know anyone who would suggest otherwise.

WRONG: WB: “When you have a company as large as Berkshire and all the obligations we have…I have to be the Chief Risk Officer.” – This is just final confirmation that Buffett does not understand what a CRO does. Probably because he doesn’t have one and is offended by his own perception, so he has never interviewed a true risk professional.

WRONG. DEAD WRONG. WB: “I should be the best person to do that because I have this overview of the whole operation and I understand risk …” – This statement implies that all CEOs should be responsible for knowing every critical detail of their organization. It minimizes the idea that a risk department could gather information, weigh options, and make recommendations regarding risk. Well, I congratulate him for having this level of oversight, but I’m willing to guess most CEOs could use a little help.

So here’s the bottom line. I’ll bet you that Warren Buffett and I agree on every single point written here. This is speculation because I didn’t run this by him before publishing. I’ll bet he has teams of people who regularly gather and report information to help him make informed risk decisions. What I truly disagree with then is the way this all reads as he puts it out there in the marketplace of ideas.

Organizations are struggling because they do not have a good view of the risks facing them. They need this information organized and reported in a business context to support business decision making. I KNOW organizations need this because I see it every day.

I wish he wasn’t out there giving executives a reason to say they don’t need risk departments or CROs.

6 responses so far

  • 1 enamel wires   July 2, 2013 at 2:25 am

    Are your viewpoints
    I was you

  • 2 Arian Evans   July 2, 2013 at 1:28 pm

    Great post, and good points.

    The bottom line is – Buffett is in the business of measuring and managing risk – has been since his teens – in a very quantifiable way.

    Not all CEOs have the time, skillset, and ability to focus exclusively on the core quantifiable risk metrics of the business. Finance or Insurance? Yes. Utilities and Gas? Yes (even though they tend not to). Most ISVs? No way.

    It makes a lot of sense for a CEO to have a CRO that should dedicate themselves to data collection, and performing analytics, on both quantitative risk data, and qualitative risk projections (like brand damage). In fact – if the CEO were spending time calculating risk due to things like a chemical spill near a residential area; e.g.-brand damage, physical damage, cleanup costs, future environmental goodwill campaigns, etc. – I’d question their priorities. The CRO should have this data and these projections at their fingers for the CEO.

    Your last sentence sums it up quite well,

  • 3 Christophe Pradier   July 3, 2013 at 3:40 am

    In the Finance field where WB is, it makes perfect sense to say that the CEO should be the major risk manager of the company. Because the balance of risk is at the core of the business. Yet it’s no reason not to have a dedicated team.

  • 4 David Black   July 5, 2013 at 9:49 am

    Hey, Paul, I was doing some work on security and writing a blog post when I remembered you and your book on security, which I still have. I looked up the stuff about host-based “intrusion detection,” and was amazed — it was right on then, and still pretty much ignored in the industry. I already put out one post about it with a reference to you, and I’m working on another.

    Sounds like you’re keeping up the good work!

  • 5 David Black   July 5, 2013 at 9:50 am

    And then of course, the reference to the blog:
    http://www.blackliszt.com/2013/07/cyber-security-standards-are-ineffective-against-insiders-like-edward-snowden.html

  • 6 Paul Proctor   July 5, 2013 at 4:05 pm

    David,

    I am consistently amazed that my old book keeps popping up. I guess some things never change.

    Thanks for reaching out, I’m following you now. Social Media makes us all stalkers. :)