While many organizations understand the need for a security executive, organizations that have taken a holistic approach have added the chief risk officer (CRO) position to evaluate all organizational risk. After speaking with academics, experts and executives in the risk and security field, I have found a growing interest in risk identification and mitigation, and identified key factors in developing the ideal role and finding the right candidate for any enterprise.
The CRO takes a higher-level approach than the chief security officer (CSO), who is tasked with overseeing the physical and/or cybersecurity of an organization. The CRO looks at all aspects of risk and how it may affect an organization. This includes physical security and cybersecurity, but also may include financial, insurance, reputational and other risks.
Currently, only about 2,000 CROs exist in the U.S., according to Bloomberg, but as of this summer, “their ranks already have grown by 5% since last year.” Additionally, many companies do not have someone specifically titled a CRO, but instead have a vice president of risk management, a risk committee, or another executive, such as a CSO, pulling double duty.
“As an organization becomes larger, the complexity of having a view of risk becomes more difficult for any one department to see,” explains Ben Trowbridge, a cybersecurity expert and managing partner for Acelros. “You need someone who’s thinking about it globally or at least by major region.”
Traditionally, the CRO position sat most often in the financial world; however, other organizations are seeing the need for an executive solely focused on risk identification and management. “Financial services and healthcare have led the way” in prioritizing risk management, Trowbridge shares. “It depends on the size and complexity of other industries whether you see the chief risk officer really becoming a real role.”
Having an executive overseeing and preparing to mitigate risk is an obvious benefit, but there are also concrete statistics that support establishing a risk management function. According to Deloitte’s 2019 survey of risk management, which advocates for the creation of a CRO, companies that view risk management as among the most important factors for achieving strategic goals tend to achieve higher growth. The survey found that, among surveyed organizations, companies with a compound annual growth rate (CAGR) of 5% or more were twice as likely to view risk management as key to achieving strategic goals as those with a CAGR under 5% (40% versus 2%).
North Carolina State University’s Enterprise Risk Management Initiative’s annual survey found 59% of respondents reporting that the volume and complexity of risks increased “extensively” or “mostly” in the past five years. Add to that the COVID-19 pandemic, which introduced new financial, operational, safety and cybersecurity risks. With the number of business risks continuing to grow, appointing a senior figure to tackle risk seems like a no-brainer.
The reasons to establish a CRO are numerous, so why are organizations slow to create the position? Two likely culprits are the cost and the false belief that an organization does not need a risk manager. “People hear the term risk management, chief risk officer, and they immediately dismiss it. They think: cost, overhead,” says Dr. Mark Beasley, head of the NC State ERM program. “I think that is changing; people are realizing it is more complex.”
After the Enron scandal, many energy companies added a risk management leader to build trust within the industry. The CCRO, a voluntary membership organization, was established to create and uphold best practices in the industry and is still going strong nearly two decades later. Bob Anderson, a former CRO himself who has led the CCRO since its inception, explained that prior to Enron, much of the risk management function was performed by consultants.
Enron was the “impetus that forced these companies to come together and solve these problems,” he says. “That situation was so dramatic, companies were in a death spiral; it was really all about each company’s ability or inability to understand the risks underlying their business.”
In contrast with the financial sector, CROs in the energy field may face more instability, Anderson says, because energy companies can shift their business model so quickly. “Energy companies can completely disassemble their risk function and start over again. Their products and services can completely change in a year. It’s not as homogenous as in banking,” Anderson says.
Once an organization realizes it needs a CRO, the work is just starting. An organization must identify the right person for the role and create the position within its organization. “It can be a tough position to fill with the right person,” Beasley says. NC State ERM’s annual survey found that identifying and retaining leadership and talent are two weak points for organizations.
Often, CROs have a financial background or come from the organization’s industry. Communication skills are non-negotiable. “In most cases, successful CROs have communication skills, charisma, buy-in of senior management and a small staff to provide for detailed skills around modeling, programming, quantitative analysis,” Anderson says. Like a CSO, an effective CRO relies upon strong communication skills not only to engage employees from the bottom up, but also to protect the risk department and prove the function’s value.
Because the CRO is pinpointing problems, the CRO must also know the business and have the support from the organization and its leadership. “The ideal person is someone who has two skill sets — one that really, really knows our business, how we work, how we make money, and what makes us tick,” Beasley says. “The second skill is how good are their diplomacy skills? How well are they respected by other executives in the business?”
Also important is what stage the CRO is in his or her career. “The CRO has to feel robust enough in their career and company to make lots of good recommendations,” Trowbridge says. “They’re often small, but add up. Most companies don’t make one big decision that causes all their risks, it’s a series of small decisions.”
Organizations should take care to manage the relationship between the CRO and the CFO. Given that risk and financial issues often overlap, delineating responsibilities is vital. The CRO could, for example, provide oversight and serve as a partner to the CFO, leaving the CFO with ultimate authority.
In an ideal world, the chief risk officer would report to the CEO and have a dotted line to the board or a board committee. In reality, most CROs report to either the CEO or the CFO, depending on the industry. Best practices call for the CRO to have at least a dotted line to the board or a board committee regardless of where the solid line sits.
What matters, however, is not just to whom the CRO reports but whether the CRO has executive support. “If they don’t have a champion at the board or a CEO who understands risk management, it’s easy for a CRO to fade into the background and become an overhead line item,” Anderson says.
If an organization has both a chief security officer/chief information security officer and a chief risk officer, the CRO provides oversight of the security functions, while the CSO/CISO manages their specific security areas. If the organization has only a CRO, responsibility for physical security and cybersecurity falls to the CRO.
The COVID-19 pandemic has highlighted the importance of being able to analyze known risks and react to the unexpected. Companies with the following characteristics would be remiss if they did not consider having a full-time executive focused on risk:
• Revenue greater than $1 billion;
• Publicly traded;
• Operating in regulated industries;
• Diverse geographic footprint.
In these instances, the benefits of a capable executive providing a measured approach and preparing for risk comprehensively across the organization far outweigh the costs.