Finding the Right Chief Risk Officer
My good friend, Jim DeLoach of Protiviti, has a post on the BoardMember site. It provides some guidance for directors and others who influence the board on the selection of a chief risk officer (CRO).
I think the post is OK as far as it goes, but what is missing is guidance on what the board should look to the CRO for. The critical discussion is in his first “key consideration”, where he discusses Role and expectations, as defined by management and the board.
Perhaps Jim was limited by the site on the length of the piece. But I would have much preferred to have seen mention of the critical role of the CRO in taking ownership for ensuring the framework (including policy) and processes for risk management across the organization are adequate, and providing the executive leadership and the board with a holistic view of risk across the organization.
I would have also preferred to see an argument against limiting the CRO to a specific compliance role. Many of the failures in risk management have occurred because risk management, if it existed, was conducted within silos. There was no enterprise-wide coordination, and strategic risks were often not included.
What do you think?