Volume 2 Governance and Controls
© Copyright 2002, All rights reserved

2.3 Chief Risk Officer

The CRO is a corporate officer position independent of the front office. To support independence in the risk management governance structure, the CRO reports to the company’s chief executive officer or to another top executive not aligned with the front office. The CRO also has dotted-line reporting to the board. He or she serves as chair of the ROC and leads the corporate risk management department.

The CRO position should be high enough in the corporate organizational structure to facilitate independent assessment of risk on an enterprise-wide basis. This includes assessment of risk taking activities managed by the CFO (capital structure activities involving derivatives and other commitments and guarantees, marketable equity securities, investment decisions, etc.). The board should approve the reporting line for the CRO. To maintain independence, the CRO’s incentive compensation should not be tied to trading or merchant energy unit performance.

CRO Responsibilities and Duties

- Perform responsibilities delegated by the ROC.
- Conduct ROC meetings.
- Engage the ROC in discussions regarding events or developments that could expose the company to potential losses.
- Assess risks to the company in aggregate, by business unit, and by material business activities.
- Measure and report on the company’s risk profile.
- Develop, recommend, and administer corporate risk management and/or middle-office processes and procedures.
- Research, develop, test, and implement risk measurement methodologies and models.
- Recommend to the ROC specific risk limits consistent with the company’s risk management objectives, risk tolerance, and risk management policy.
- Provide direction to the internal audit group, facilitating independent audits of risk control processes and procedures.
- Evaluate proposed transactions with respect to their potential impact on the company’s risk profile, consistency with risk management objectives and risk tolerance, and compliance with risk management policy.
- Develop and monitor the implementation of provisions to the risk management policy, and oversee other risk management processes and procedures established by this policy or otherwise by the ROC.
- Report to the board of directors and the ROC on the company’s compliance with its risk policy and risk management in accordance with the risk policy.