How good is your chief risk officer?

September 2, 2017

My best-selling book, World-Class Risk Management, describes how risk management can enable better decision-making, from strategy-setting to execution, and make a significant contribution to the success of any organization.

But how do you assess the leader of risk management within your organization?

Here are some attributes I consider critical. They tend to overlap but offer different ways of thinking about the individual and their team. They are not necessarily in order of importance; I leave the prioritization to you.

  1. Dedicated to helping the organization to succeed rather than simply avoid failures. (This should be the perception of others, not just the risk officer.)
  2. Has a deep understanding of the business, how it delivers value, is organized, makes decisions, and is run
  3. Seen as a trusted and valuable partner (not police) by the management team at all levels
  4. Listens, especially before speaking
  5. Looks to enable management to identify, assess, and evaluate risk rather than being the authority themselves
  6. Constructive and has good ideas
  7. Willing to recommend taking more ‘risk’ where appropriate for the business
  8. Helps everybody consider all the things that might happen, the multiple effects (positive and negative) that might flow from an event or situation, so they can make the best decisions for the organization
  9. Communicates effectively and is persuasive when appropriate and necessary
  10. Speaks well with and to authority
  11. An effective facilitator of discussions, especially across multiple groups
  12. Helps everybody understand how to identify, assess, evaluate, and respond to what might happen (risk)
  13. Seen as helping each executive, manager, and team succeed through informed and intelligent decision-making
  14. Enables an effective discussion around strategy, the setting of objectives, the management of major projects, and other key matters – either in person or by ensuring effective processes and methods are in place for managing the effects of uncertainty: what might happen (risk)
  15. Avoids enterprise list management and provides actionable, useful information to leaders of the organization that helps them understand the likelihood of achieving each of their objectives – in other words, not simply managing the so-called ‘top risks’ out of context
  16. Ensures that decision-makers have useful guidance on which risks to take
  17. A leader
  18. Works effectively with internal audit
  19. A potential leader of a business operation
  20. Objective and able to speak out as an independent voice when necessary and appropriate

Technical risk management expertise is not one of my top 20 attributes. Certainly it is valuable, but should it rate higher than any of the above?

What have I missed?

With which items do you disagree?

I welcome your comments.


PS – This is a review of my book from an experienced CRO:

Norman Marks’ latest book “World-Class Risk Management” (2015) is a must read for anyone interested in this evolving topic. It will appeal to the beginner as it leads one from the basics through the various concepts and techniques, while it challenges the most serious practitioner to re-evaluate what they do and why. The academic will also benefit from using this book because of the exhaustive references to some of the best source material on this topic. Norman challenges many stereotypical and clichéd views on risk management, but keeps coming back to simple, easy to understand concepts. He captures the essence of his thinking in “The management of risk is an essential element in successful management.” (page 13). This book makes you think, yet it is written in a lucid and friendly style. His thinking on ‘risk appetite’ challenges some ‘sacred cows’ held by many, but will help those who have struggled with this concept to find better ways of approaching this controversial subject. I wish he had written more on risk workshops but that may be another book someday. Well done, Norman, and thank you for sharing your experience, research and thinking.


  1. Paul O'Farrell
    September 2, 2017 at 6:21 PM

    Hi Norman – great attributes and ones that I fully agree with. As a slight amendment to point 20, I would be a little more explicit in saying a CRO should not be afraid to ask the hard question. This can sometimes be the “dumb” question in circumstances when the business is charging ahead on a particular course without thinking it through (executive management “vanity projects” spring to mind). Regards, Paul

  2. September 4, 2017 at 5:42 AM

    Great list. Related to number three, but distinctly different than necessary, is that the CRO needs to have the confidence and respect of both management and the board. Without support of the board team responsible for overseeing strategy and risk, the CRO will be ineffective and struggle with achieving some of the other key factors you mention.

  3. Anne-Lize de Beer
    September 6, 2017 at 2:36 PM

    An excellent list. I would consider including the ability to influence and negotiate and also good networking at all levels of the organisation. I also believe that almost all items listed point to an individual who is not only intelligent and experienced but also has very high emotional intelligence.

  4. September 7, 2017 at 10:34 AM


    2017 ERM Framework Update
    In keeping with its overall mission, the COSO Board commissioned and published in 2004 the Enterprise Risk Management—Integrated Framework. Over the past decade, that publication has gained broad acceptance by organizations in their efforts to manage risk. However, also through that period, the complexity of risk has changed, new risks have emerged, and both boards and executives have enhanced their awareness and oversight of enterprise risk management while asking for improved risk reporting. This update to the 2004 publication addresses the evolution of enterprise risk management and the need for organizations to improve their approach to managing risk to meet the demands of an evolving business environment. The updated document, titled Enterprise Risk Management—Integrating with Strategy and Performance, highlights the importance of considering risk in both the strategy-setting process and in driving performance.


