Compliance Glossary

Chief Risk Officer

According to the 2020 State of Risk Oversight report published by the Enterprise Risk Management (ERM) Initiative at NC State, 54% of large organizations and 58% of public companies have now appointed a Chief Risk Officer (CRO) to identify, analyze, and mitigate risk.

This executive role is becoming more common as organizations perceive increasing risks related to talent acquisition, branding, innovation, technology, the economy, cybersecurity, and competition.

What is a Chief Risk Officer

Chief Risk Officers are C-level executives who usually head the organization’s risk management or corporate compliance department. In this strategic leadership role, a CRO’s primary function is to identify and anticipate risks to the organization, analyze each risk in terms of its likelihood and potential severity, and recommend strategic actions for mitigating risk in order to protect shareholder value and prevent financial losses.

CROs are primarily concerned with risks that fall into four broad categories:

  1. Strategic Risk – To reach their business goals, organizations must effectively execute on their strategic objectives. Strategic risks are those that limit the organization’s ability to execute its core business model successfully in the marketplace.
  2. Operational Risk – Operational risks are the uncertainties that stem from the possibility of internal process failure. Business interruptions, litigation, loss of key individuals or knowledge, vendor turnover, and IT failures are all operational risks.
  3. Reputational Risk – Reputational risks threaten the organization’s brand, image, and good standing within the community. Negative publicity, 
  4. Compliance Risk – Regulatory compliance is paramount for all organizations, but especially for those that operate in highly regulated industries like finance and healthcare. Organizations that fail to meet compliance requirements can face legal penalties, costly fines, and reputational damage.

What are the Chief Risk Officer’s Responsibilities?

The CRO role comes with mission-critical responsibilities that typically include, but aren’t limited to:

  • Collaborating with the C-level executive team to develop strategic goals for risk management, compliance, and other departments.
  • Acting as the leader of a risk management or corporate compliance department.
  • Anticipating, analyzing, and mitigating risk to protect shareholder value within the organization.
  • Establishing an enterprise risk governance framework and related risk systems and policies.
  • Building a robust compliance program and supporting it with cutting-edge technology.
  • Providing regular risk assessment reports and producing risk estimation models for a variety of purposes (depending on industry).
  • Delegating risk management authority to the appropriate organizational leaders.
  • Recommending an annual budget for risk management in collaboration with other members of the executive team.

Why is a Chief Risk Officer Important?

Risk and risk assessment have always been a part of business, but only recently has the CRO position become commonplace within large organizations. We identify three reasons for this shift:

  1. Organizations perceive increased risks in the global marketplace, including regulatory/compliance risk, cybersecurity risks, and more.
  2. Organizations are moving away from risk-avoidance and towards a more proactive form of risk management that seeks to take on limited risk if there is an opportunity to generate value.
  3. Organizations are facing increased regulatory oversight, especially with respect to data privacy and security. 

Chief Risk Officers are important because they allow organizations to successfully navigate a business landscape that is increasingly fraught with risk. A skilled and experienced CRO helps their organization understand their risk exposure, mitigate the greatest risks, and leverage opportunities to generate value through strategic risk-taking.

Who Does a Chief Risk Officer Report To?

In most firms that employ a Chief Risk Officer, that person reports directly to the Chief Executive Officer (CEO) or President of the company. They may also report to the Chief Financial Officer (CFO), the board of directors, or one of its committees, such as an audit committee or an executive risk oversight committee.
