As companies emerged from the financial crisis over the last five to 10 years, a new executive-level position began to rise in prominence across diverse industries. Once a position specific to the banking industry, chief risk officers (“CROs”) are now considered to be a vital member of any c-suite. CROs must prepare companies to successfully operate through an ever-changing regulatory environment, and quickly adapt to emerging risks such as cybersecurity, and must do so with a lens that enables a company to not only survive, but grow.
Given the critical nature of a CRO’s responsibilities, he or she will generally report directly to the CEO or a board of directors risk committee to ensure independence. The CRO is responsible for identifying, analyzing, treating and monitoring all risks his/her organization may face, including financial, technological, physical, operational and legal risks. The CRO is not only a preventative function, but importantly, must also enable the company to take strategic risks that can lead to long-term growth opportunities and create value.
One of the most critical roles of the CRO is to institute an enterprise risk management (ERM) approach, defined as “a holistic approach to identifying, defining, quantifying, and treating all of the risks facing an organization, whether insurable or not” by the International Risk Management Institute. As the overall risk owner, the CRO must provide established processes that can be used enterprise-wide to evaluate potential risks both quantitatively and qualitatively to ultimately determine what treatment plan, if any, is needed. The ERM approach ultimately makes risk everyone’s business, across all functions and operations within a company. As such, an effective CRO must be able to communicate well with all levels of employees, from the board to entry-level employees.
Failure to adequately manage for risks can lead to the failure of their organization. Conversely, CROs need to enable their organizations to exploit positive risks as opportunities to bring value to the company. In today’s business environment, the CRO role will only become increasingly important as risks evolve and emerge, and those who are most successful will take a proactive approach to risk management.