Aon  |  Professional Services Practice
Leadership in a Complex Risk Environment – 6 Skills for the Chief Risk Officer (CRO)

Release Date: August 2023

Our previous article discussed the skills required of a Chief Risk Officer (CRO) at a professional service firm. Much of the broader discussion of the role’s required qualities focuses on the commonly attributed qualities of leadership.*

Beyond risk management expertise and a purely downside focus, the CRO should participate in strategic decision-making around risk tolerability and desirability. This legitimate, balanced viewpoint may be missing.

Thus, the role brings together sector and firm knowledge alongside the disciplines of finance, strategy, and risk management.

What are the building blocks for success?

Key questions on identifying suitable candidates:

  • Promoting from within has clear advantages, but some argue that it may present risks of bias and a lack of skepticism. An outsider will face different challenges, perhaps particularly in a professional service firm. Persuasion and influencing skills are high on the agenda.
  • Is knowledge of the organization, or of risk management more important?
  • An increasingly complex risk environment now includes emerging threats such as cybercrime, climate change, and pandemics. The required skill set becomes very diverse.

The Institute of Risk Management (IRM) view

The IRM (a UK trade body) recently published an article, “Top 6 risk management skills and why you need them”. This offers helpful insights. Their six traits are highlighted below, with comments.

  • Technical Expertise: Familiarity with risk management principles, methodologies, and tools. Understanding the current operational, financial, strategic, and compliance risks, and the mitigation responses.
  • Data Analysis and Modelling: Use data to identify patterns, trends, and risks. Use data analysis to make informed decisions.
  • Communication and Stakeholder Management: Communicate risk exposures and complexities internally and externally, including with regulators. Risk management is devolved through the organization. Negotiation and relationship-building skills would come with a client-facing background.
  • Business Acumen: Current on industry trends and regulatory frameworks. Understanding the relationships between organizational strategies and risk exposures.
  • Leadership and Collaboration: Classic skill sets for any manager: teamwork, problem-solving, and building consensus for necessary action.
  • Adaptability and Continuous Learning: The risk landscape is dynamic, and risks are increasingly interdependent.

Does an almost impossible list of skills emerge? A firefighter and a diplomat, capable of understanding current risks and identifying emerging threats, while avoiding bias and able to influence key people internally and externally.

Today’s risk environment challenges traditional frameworks and presents multiple challenges to the risk management function. Here are some concluding thoughts around a CRO’s contribution:

  • With the continuing adoption of new technology and multiplying cyber threats, increasingly everything will revolve around technology. Being up to date with how technology is applied in the firm and being aware of the risks are vital competencies. This is possibly the biggest single source of reputation risk.
  • Finance and risk are close relatives but, in the professions, legal and regulatory risks are very prominent.
  • A multidisciplinary skill set allows the CRO to be the “go-to” person for problems, able to give direction, if not the answer. Taking steps to build a risk-aware culture and communicating the firm’s risk appetite could build the internal collaboration and trust required to fulfil that role.

To quote somebody very much in the news, “We know that the only way to avoid error is to detect it and that the only way to detect it is to be free to inquire.” (J. Robert Oppenheimer)

* Geary, Jennifer, How to be a Chief Risk Officer, Kindle Direct Publishing 2022 provides a comprehensive explanation of the role and the management of organizational risk.


The Professional Services Practice at Aon values your feedback. If you have any comments or questions, please contact Keith Tracey.

Keith Tracey
Managing Director