Companies that hire CROs are generally “larger and more internationally oriented corporations,” he noted, adding that a risk manager promoted to CRO could also be the “superstar in a small corporation. But it's not because he's a risk manager–it's because he's a star and the corporation wants him to move up the corporate ladder.”

Timothy J. Bunt, vice president and corporate risk officer of CB Richard Ellis in Stamford, Conn.–a real estate service firm headquartered in Los Angeles, with some 14,500 employees and 200 offices worldwide–said that although the titles “corporate risk officer” and “chief risk officer” are interchangeable, he uses the term corporate risk officer because he doesn't report directly to the board, but to the company's chief finance officer.

Mr. Bunt said he chairs an enterprise risk counsel group that was formed at CBRE when he started there 15 months ago. “That means I pull everyone together and I'm the glue that makes that work,” he said.

He added that he is “not an expert in audit and compliance and operations,” but rather at helping people “assess risk, identify risk, put risk mitigation strategies in place–a matrix for business performance–and then report out on those.”

Mr. Bunt said he helps the businesses within the organization assess their operational, financial and hazard risk profiles, and also “understand that risk is not a four-letter word–that risk done correctly can be a way for us to build margin, improve our brand and do a better job overall.”

The company contains a global platform, an investment banking arm, real estate management, construction management and development businesses, all of which “have somewhat different risk profiles,” he said.

Some have greater financial risk, while others are more leveraged toward operational risk, “so it's first identifying the risk, and then defining the controls to mitigate the risk or to amplify the risk if you believe you can arbitrage it, and build.”

Mr. Bunt said a chief risk officer and enterprise risk management often go hand-in-hand. CROs and ERM, he added, are most often seen in the financial services sector because of myriad regulations. “The same is true in the energy sector. It's a combination of the types of risk in those businesses and the size of risk.”

He noted that ERM is most suited to larger companies and organizations with the ability to communicate across as well as break down silos.

CBRE, with its investment advisor operation and investment bank operation, probably leans more toward financial services, he said, “but when it comes to manufacturing, they see a benefit as well.”

“Our biggest issue, our largest risk is what happens if the economy turns against us, interest rates spike and our cash flow can't support the debt of our business,” Mr. Bunt explained. “That's our biggest risk. Can ERM fix that? Not necessarily, but the fact that you understand it, are prepared for it and that you're doing something about it is all important.”

CROs, he said, understand risk management in a broad context, rather than from a traditional risk manager's random hazard risk perspective, “and that's probably the most important thing.”

At CBRE, he explained, risk is discussed daily. “It's not just my job, but what I tell people all the time is that risk is everybody's job. Everybody's a risk manager, so communication is key.”

Although most traditional insurance risk managers have been trained and are well qualified to understand random hazard risk, Mr. Bunt said they can get “out of their comfort zone when they need to communicate with the CFO or comptroller about the cost of capital, about operational risk or financial risk.”

Part of what's foreign, he said, is the language. “Just like insurance has acronyms, there are acronyms in other areas of the company. So, if you aren't familiar or comfortable with breaking out of your comfort zone, it makes it difficult to cross that bridge.”

Many risk managers, however, given receptive companies, proper life experiences and educational background, have nothing holding them back, he said. Risk managers see an organization “with a different set of eyeglasses.” While other parts of a company tend to be compartmentalized, the risk manager can “transcend across the entire organization. They just aren't necessarily plugged into the capital planning issues or the strategic issues.”

Mr. Bunt said he recently participated in a roundtable discussion on ERM. One risk manager “said he had no interest in getting involved with ERM. He said he had enough to do and didn't see the benefit of getting into a dialogue with people on the finance or operational side,” he said.

While adding that he sympathized with the risk manager's concerns, Mr. Bunt explained that being able to have a dialogue and communicate “both up and down that the company is operating in control” is what ERM is all about.

Previously risk officer at Prudential Financial, he observed that “there are all different flavors of enterprise risk out there today. I don't think there is any one road map or blueprint.” The CRO needs to first understand the organization's products, services and culture, and then bring together a cohesive group of people who speak the same language.

As CRO, he said, “I'm not the expert. I want to be able to talk to people and collaborate about risk and have the means to communicate, and have people not afraid to talk about risk.”

He added that often when an insurance risk manager walks into a room, “people want to walk out the door,” because the risk manager is viewed as the “risk guy, who will tell people what they can't do and why. We like to turn that around and talk about risk. We want to understand the risk, and if we think you're doing a good job, we may give you more capital to expand your business to take more risk.”

An important element for any organization to consider is brand, he said.

“If you have a brand, you should be doing ERM,” Mr. Bunt noted. “Because what we sell is our people–our brand is very important to us. If someone makes a bad business decision in the field because they didn't do a proper risk assessment, or didn't have the proper controls in place, that could hurt our brand and have global repercussions.”

Although ERM is not a panacea for every company, he said, “as long as people continue to attend the meetings and see value in it, we'll continue down that road.”

: