CEB Blogs


Risk & Audit

Does Your Company Need a Chief Risk Officer?

Most firms do; a simple seven question checklist will help determine your firm's need for a CRO

Senior Executive in Corner OfficeInvestopedia defines a chief risk officer (CRO) as:

“The executive responsible for identifying, analyzing and mitigating internal and external events that could threaten a company. The chief risk officer works to ensure that the company is compliant with government regulations, such as Sarbanes-Oxley, and reviews factors that could negatively affect investments or a company’s business units. CROs typically have post graduate education with over 20 years of experience in accounting, economics, legal or actuarial backgrounds.” 

Although this may sound like an executive role worth investing in, surprisingly few firms outside of the financial sector employ a CRO as part of their leadership team.

In fact, CEB Risk Management’s recent “State of the ERM Function” benchmarking shows that only 16% of companies have an enterprise risk management (ERM) executive who reports to a CRO. Of 102 companies with annual revenues more than $1 billion, the manager responsible for the firm’s ERM often reports to the CFO (29%), general counsel (7%), or head of internal audit (7%).

Where CROs Are Most Commonly Found

Comparing our benchmarking survey results to the Avention (formerly OneSource) iSell research database, we find the following ranking of industry sectors and geographies using CROs (see table 1).

CRO Concentration by Industry and Region

Table 1: CRO concentration by industry and region  Source: CEB Risk Management “State of the ERM Function” report; iSell research database

This data backs up what we have learned over the past five years: that there is varying demand for this role based on industry and geography.

Regulatory requirements are a major consideration. More than half of the CEB Risk Management network of CROs and heads of ERM operate in regulated industries. For example, 18% of our network is made up of energy & utility companies. Financial services is the next most populated industry in terms of CRO representation (13%). Insurance, health care, and business services companies follow, making up 9%, 8% and 7% of the group respectively.

Asset-intensive organizations tend to have relatively larger ERM budgets and more ERM resources. For this reason and a list of others, they benefit from having a CRO in the leadership structure.

We also see demand in qualitative, human capital-related business cases, when organizations have a senior leader who can coach younger operational leaders. Often, the CRO is a former divisional CFO, Treasurer, or organizational COO. This executive has an extensive operational understanding and can help leaders identify, assess, and mitigate risks. They can challenge other executives.

The CRO’s coaching abilities and independent view of the business are extremely valuable. For example, one member of our network – an experienced leader now serving as CRO – helps the CEO understand the “risk IQ” of direct reports. “Risk IQ” is the extent to which leaders are capable of understanding the risks in their operations and including these risk considerations in their decisions. Having an employee like this helping the CEO, board, and business units is invaluable.

Necessary Skills and Background for a CRO

CROs make significant and material contributions to their organizations. They make their organizations safer, they reduce costs, and they help improve the probability of achieving business goals.

In the CEB Risk Management network, 20% of the CROs have a finance background, and 16% of them are former auditors. Many successful CROs also come from the risk management, compliance, and accounting functions.

CROs must be able to communicate with multiple stakeholder groups to provide a firm’s senior team with insight that is not apparent from operational reviews.

CROs must internalize a third-party perspective on the business and set the table for key decisions. For example, one CRO in our network helped identify a capacity constraint in operations through the risk assessment process. He helped operational leadership build a business case for a new production facility. This billion-dollar investment decision prevented competitive and market share degradation risks from materializing.

It’s hard to say if this would have happened with or without the CRO, but it made the investment discussion easier for the board to consider, discuss, and approve.

Seven Questions That Will Tell You If You Need a CRO

Below is a checklist to understand if your company needs a CRO.

  • Is your industry heavily regulated (yes / no)?
  • Do other companies in your industry have a CRO (yes / no)?
  • Is your ERM function mature (yes / no)?
  • Do your major investment decisions require a careful evaluation of risks (yes / no)?
  • Are your business lines diversified, rather than homogeneous (yes / no)?
  • Is your ERM budget greater than $500,000 annually (yes / no)?
  • Is ERM a priority for your board of directors (yes / no)?

If you answered “yes” to at least three of the seven checklist questions, your firms is a good candidate for employing a chief risk officer.

One Response

  • Paige says:

    I’m quite taken with the geographical table given above. While it’s no surprise that the financial hubs of the USA and UK may be leading the CRO employment field I’m surprised at the low levels of uptake in other major players in the financial world such as Japan.

    I wonder, in these circumstances, whether such a role is then integrated into another or whether there is some other reason?

Leave a Reply



Recommended For You

Simple Risk Assessment: Just 4 Questions and Audit’s Help

The risk assessment process doesn’t need to be complex, for Enterprise Risk Management (ERM) or...