The autumn of 2008 may well go down as The Great Fall of the financial system, as the broad market indexes and three storied U.S. financial institutions collapsed and the masterminds of previously unfathomable Ponzi schemes, most notably Bernard Madoff, were exposed for lining their own pockets with billions of dollars of other people's money.

Last year ushered in a new era, with the financial game reset to zero and all previous bets off. What worked a year earlier or even ten years prior didn't ring true anymore. Faith in the system was gone and somehow even the safest-seeming things could no longer be trusted. It was time for change. The biggest issue of all for investment managers and investors became, "How do I take my risk off the table?"

Hedge funds, which traditionally were viewed by the consumer press as deep murky pools of risk to begin with, borrowed a page from the corporate culture and began hiring chief risk officers. This raises a number of questions, including what is a chief risk officer at a hedge fund and can he really take risk off the table? What can he do that a portfolio manager or chief investment officer can't? How can advisors be certain that a CRO is mitigating risk and isn't just window dressing?

In the last year, many large hedge funds, including BlueCrest in London, have hired CROs, while recruiters have sought to fill many newly created CRO positions. Many startups are coming out of the gate with a CRO on board. The job descriptions may be different, but the mandate for the chief risk officer generally can be stated in one sentence: Control risk without destroying returns.

"The role of the chief risk officer varies from fund to fund," says Leslie Rahl, founder and managing partner at Capital Markets Risk Advisors, a New York-based consultant. "At its best, a CRO wears both strategic and control hats, but in some funds it is primarily a 'cop' role, while at others it is a marketing role."

Risk is inherent in all investments, Rahl notes, but the job of a CRO is to counter unintended risks: risks that are not understood and that offer no reasonable chance of reward.

"The most effective CROs think strategically about how to allocate the firm's scarce risk appetite, as well as ensure that risk is diversified within limits and well understood," he says. "A CRO also worries about what could go wrong and the least likely events and whether the fund could withstand them, leaving the portfolio manager to focus on the more likely outcomes. You need both perspectives."

Susan Mangiero, president and CEO of Investment Governance Inc., in Shelton, Conn., sees risk management as an integral part of a firm's culture and one of the keys to its success. "Instead of looking at risk management as a roadblock, it should be promoted as part of your culture and viewed as the best way to ensure the firm's longevity," Mangiero says.

She says that the role of the CRO can be broadly defined and the role may depend upon the size of the organization, but there are a few key areas of responsibility. An effective CRO must:
Ask tough questions about the risk "cost" of every expected dollar in return, which is required for setting up a risk budget;
Have an appropriate compensation and reporting line structure that rewards calculated risk-taking as opposed to incentives that perversely reward people for a short-term focus on returns but leave the risk costs to others;
Identify problems with pricing models (poor data, questionable assumptions, etc.) and then create a tolerance band for model error. How often can a model veer from expected outcomes (through back-testing or applying the model with "what-if" simulated inputs) before the model is deemed not acceptable for use? Model integrity is crucial because oftentimes hedging and asset allocation decisions are tied to model outputs;
Ensure that back-office, middle-office and front-office professionals are adequately trained and supported with a robust risk-management system;
Recognize that many risks do not exist in isolation. When times are bad, you often have a confluence or compounding of different risks. For example, with structured products, liquidity risk was arguably greater than anticipated because the quality and quantity of supporting collateral was sometimes wanting. For any financial institution that had hedged part of its structured product portfolio, it may have found itself with another risk in the form of counterparty defaults. The risks are often not additive, and a good CRO needs to truly understand the interrelationships among financial, operational and legal risks, to name a few.

The current environment requires a CRO to be particularly attentive to some additional things as well. "A CRO in the current climate must be very aware that market conditions can change so quickly that exiting a position could be difficult or impossible," Mangiero says.

A CRO must also have the ability to counter a culture that may be focused on short-term gain rather than the long-term interests of investors, she says. Short-term bonuses are just one example of the mechanisms that could work against a long-term perspective.

"A CRO must be willing and able to make tough decisions that could truncate short-term gains for an organization and instead position an organization for longer-term survival," Mangiero says.

A CRO must often solicit help from people who may be overworked and/or not interested in seeing their short-term upside capped, she says. "This requires tact and [the ability to convince] those at the top to foster an organization-wide risk culture focused on risk management and not undue risk-taking," she says.

Brian Newton, the chief risk officer at Armored Wolf, an Aliso Viejo, Calif.-based hedge fund, believes that there are a number of issues investors should look at when they examine a hedge fund's risk culture. Three of the most significant questions that need to be asked will tell the investor if the CRO really has the ability to manage risk, or if he is merely a paper tiger, he says.

The first thing to ask is, to whom does the CRO report? At Armored Wolf, the CRO reports to the chief executive officer instead of the chief investment officer because the company believes this reduces the potential for conflict and helps mitigate risk, says Newton. It depends upon the structure of the firm, but a CRO should never answer to a trader, portfolio manager or chief investment officer because that would completely undermine the CRO's position and render it meaningless, he says.

While he should remain independent of the investment team, the CRO must also recognize the critical need for an effective professional relationship with the investment team. Regardless of how comprehensive a monitoring and reporting system might be, there will always be issues that are outside the scope of these tools. In those instances, the investment team must bring such items to the CRO and agree on the best way forward, Newton says.

Next, an investor needs to know how the CRO is compensated. The CRO's compensation should be directly tied to performance, which adds another layer of risk control, Newton says.

Portfolio managers should have incentives to proactively manage the risks they take in seeking returns in their respective sectors. For example, at Armored Wolf, capital allocation to portfolio managers is affected by performance, with both drawdown and outsized return being penalized, Newton says. The thinking is that realized risk is relevant and that the magnitude of returns is positively correlated with the risk taken, he says. The penalties are asymmetric, with drawdowns more heavily penalized, but outsized upward moves also result in capital allocation reductions.

The CRO and all portfolio managers have deferred compensation invested in the fund, so to the extent the fund suffers drawdowns, all are directly affected, Newton says. In addition, a portion of the CRO's deferred compensation is subject to forfeiture in the event of large drawdowns within a calendar quarter. This incentive focuses the CRO and is intended to overcome any reticence to either close risky positions or use hedging trades to ameliorate risks attendant with risky positions that may be viewed as too expensive to close. An example of this would be an emerging market position that has ex ante risk heightened by, for example, an election after which risk should revert to a more acceptable level. Closing and then reopening the position would be costly.

The third question: Can the CRO pull a trade off the table? A risk officer who is being given proper leeway to do his job should have the ability to pull a trade off the table if he has ample reason to believe that the portfolio is at risk, Newton says. If the portfolio manager or chief investment officer can override the decision, then the CRO has no teeth and cannot be effective, he says.

Should an issue arise that, if left unchanged, exposes the fund to undue risk, the CRO must have the authority either to close the relevant positions or to execute trades that adequately mitigate the risk, he says. The CRO's compensation plays a part here, since it should be designed in such a way that it encourages him to make appropriate decisions.

Risk In All Its Parts
Understanding what the chief risk officer does is critical, but it is equally important to understand how he does his job. The following questions are designed to help advisors and investors understand what risk is and how the CRO can manage it. Newton offers a list of questions that investors should ask while performing due diligence, along with some potential answers and red flags.

How does the CRO monitor ongoing risk?
In order to address this comprehensively, let's partition risk as follows: investment risk, operational risk and regulatory risk. For all types, the approach is tailored to the setting. Smaller firms are likely to have a more focused investment process and thus a generic approach to risk management will misuse limited resources.

Investment Risk - Daily quantitative reports may be generated showing volatility at various horizons, such as Value at Risk (VaR) based on historical and Monte Carlo approaches at the fund, sector, strategy and security levels. Also, risks should be monitored relative to sector benchmarks, measured over various horizons. Portfolio managers should see this information weekly or when the composition of their portfolio changes, as should a fund's investment committee if it is a separate entity. Keeping relevant parties in the loop is an important element of risk management.

Operational Risk - In a small-team setting, operational issues should be easily recognizable and manageable. As firms grow, the reporting of exceptions/issues should be formalized and the frequency of compliance monitoring exercises should increase. Compliance and exception reports should be reviewed by the CRO. Any substantive issues should be reported to the CRO upon discovery and resolved by the CRO, with the assistance of the investment or management committees if necessary.

Regulatory Risk - The chief compliance officer is responsible for regulatory risk and issues in this area should be brought to his attention. The CRO, however, must ensure that the compliance program is sufficient. Compliance and risk officers should work together and be in agreement.

Does the CRO participate in the investment meetings and decision-making process?

The CRO should participate and offer guidance on realized risk (P&L, fund volatility and component sectors) as well as expected risk. The investment process may include a monthly meeting of all portfolio managers, the investment committee and analysts. The CRO should be included in this meeting.

What type of experience should a CRO have?

The CRO should have a broad range of experience in investments. While it is unlikely that any one person would have experience in all dimensions accessed by a fund, experience in a range of areas (equities, fixed income, currency, etc.) and instruments (cash instruments and exchange-traded and OTC derivatives, etc.) is important. A CRO should also be able to adapt to opportunities involving new sectors or instruments.

Building A Risk Management Culture
Risk management should permeate the culture of every hedge fund, but there is no boilerplate solution, according to experts. The role of the CRO at each hedge fund may be as varied as the strategies of these same funds.

"Even as firms recognize the need for risk management in some form, there's considerable diversity in their approaches," Mangiero says. "Organizations that integrate risk management with other aspects of the overall business model acknowledge its potential as a cornerstone of competitive advantage, seeking to capture market share from those firms that do just enough to comply with regulations and little else."

Managing CRO Risk Expectations
Finally, an investor must manage expectations of what a CRO may or may not do, experts say. "It's impossible to make money without taking risk," Rahl notes.

"It is reasonable to expect that a CRO take the lead in recommending a proper comprehensive risk management program," Mangiero says.

A CRO also should identify vulnerabilities that could result in a financial loss, underperformance or negative headlines, she says. But investors must remember that managing risk and return is a balancing act, she adds.

"There is no free lunch," Mangiero says. "It is unfair to expect that a CRO can both mitigate risk and maximize return. In an information-efficient market, risk and return go hand in hand. It is unfair to expect that a CRO can prevent catastrophic risks, though the actions of a CRO should help to understand triggers that might lead to major catastrophes."

Kristin M. Fox is the founder and principal of FoxInspires LLC, a firm specializing in providing unbiased investor education. She is also a board member and oversees the Chicago activities of 100 Women in Hedge Funds.