Aon | Professional Services Practice
Release Date: July 2023
The Chief Risk Officer (CRO) Role: A New Approach to Risk Management
Our Enterprise Risk Management (ERM) series has emphasized the connection between resilience and risk management. The recent evolution in the risk landscape has suggested that the Chief Risk Officer (CRO) role is a valuable tool for professional service firms.
Categories of risk have historically been well defined; these include strategic, legal and compliance, financial, human capital and operational. Each has an assigned owner in the organization, and all of this comes together at the management level. In the past, risk management in these areas may have been seen as a narrow function, but that has been changing.
So, what is new? Arguably, three factors:
- The nature of risk has changed in the last decade and moved up the agenda. Its management requires a specific board-level position.
- Risks are interconnected and interrelated, and that should be recognised in a single risk role that oversees all risk issues, cutting across lines of responsibility.
- External risks and unexpected shocks have manifested themselves recently, suggesting the need for oversight and preparation for these unexpected events. The situation has been labelled a Polycrisis.
These factors create the need for a management role bringing together all risk and compliance responsibilities, sitting across the three lines of defense: operations, internal audit and risk management. The role implies an ERM function, but perhaps it goes even further, elevating risk to the strategic level.
The Chief Risk Officer
Hence, we are seeing the growth in popularity of the Chief Risk Officer. The role has its origins in the banking sector in the 1990s, where its key purpose was to design and facilitate a risk management program that built strategic advantage across the sector's key risk exposures. The role has since evolved, fueled by rapid change, not least digital disruption.
Cyber exposure is probably a good illustration of such evolution. There is a need to manage the risks of behavior, technology and security, data privacy, regulatory risk, and incident management, to name but a few. These overlap and require coordination and cooperation. Furthermore, the threat landscape is dynamic, requiring ongoing monitoring, adaptation to changes in law and regulation, and management of third-party risks.
The CRO’s Skills
The role therefore demands a range of skills and expertise. It calls for a dual capability: knowledge of the sector and the firm, combined with the ability to apply the technical skills of a risk manager. These skills include constructing the components of a risk framework, applying the available tools, and using scenario analysis to detect trends and threats.
It also requires communication, facilitation, and persuasion skills. Indeed, these soft skills are key to building the culture to support the risk objectives as the CRO engages with different functions and levels within the firm.
A Risk Appetite – Setting an Agenda
The CRO sits across functions and is not just managing the downside elements of risk. By participating in the firm’s strategic discussions, a risk appetite can be developed that balances risks and rewards.
Reporting to senior management and informing them about the current risk profile and future threats is key to facilitating such discussions. The reporting headings might include:
- New events
- Follow up on past events
- Emerging risks
- Results of risk reviews
- Progress towards risk improvement objectives
The Practical Experience?
This description may represent the ideal; actual experience varies by sector and indeed by firm. The list of experience and skills may be ambitious, and in essence the ability to build collaboration and, where necessary, to import expertise may be the foundation for success.
We will discuss in future articles some success factors from real experience and delve into the practical issues of constructing an effective CRO role.