
Revitalizing risk management

One of the problems with many risk management functions, as I see it, is their reporting structure.

Many (including regulators) see the ideal as reporting directly to the board or a committee of the board. That sets them up as separate and independent of the management team, creating the perception if not the reality that they have a different agenda: preventing management from taking too much risk (whatever that means) rather than helping them take the right risks for success.

If risk officers are seen as standing in the way of innovation and performance, let alone agility in decision-making, why should we expect executives to welcome them into their house?


The second preferred option for many is to report directly to the CEO.

Does the CEO understand how risk management can help him or her and their team succeed? Or are they under pressure from the board and others to, again, see risk management as helping to avoid failure?

Focusing on avoiding failure inevitably leads to failure.

In addition, the CEO is probably the busiest person in the organisation, and it is not easy to get their time let alone their attention.

In fact, even when the CRO does report to the CEO, he or she is usually not seen as a member of the top executive team and is rarely included in meetings of the elite group that runs the organization.


Most will agree that the CRO should not report to the CFO, as this may:

  • Unduly influence the CRO towards financial issues, and
  • Create the perception that the CRO is a finance and compliance rather than a business person.


I don’t have any problem with the CRO reporting to (or being the same person as) the CAE. But that all depends on the CAE. Does he or she have the right attitude about taking risk? Does he or she have the respect of the rest of the organization – as a business rather than police person? Truly?

Even then, when the CAE is also the CRO, where should he or she report? When I wore more than one hat like this, I made sure it was clear where I reported for each responsibility.


I believe there are two better options, options that could revitalize a risk function mired in risk avoidance and mitigation.


The first is to report to the Chief Operating Officer.

This is how the responsibilities of a typical COO have been described:

  1. Provide management to staff and leadership to the organization that aligns with the company’s business plan and overall strategic vision.
  2. Assist executive team members in creating, growing and building a world class, industry leading organization.
  3. Drive company results from both an operational and financial perspective working closely with the CFO, CEO and other key executive team members.
  4. Partner with the CFO to achieve favorable financial results with respect to sales, profitability, cash flow, mergers and acquisitions, systems, reporting and controls.
  5. Set challenging and realistic goals for growth, performance and profitability.
  6. Create effective measurement tools to gauge the efficiency and effectiveness of internal and external processes.
  7. Provide accurate and timely reports outlining the operational condition of the company.
  8. Spearhead the development, communication and implementation of effective growth strategies and processes.
  9. Work with other C-level executives on budgeting, forecasting and resource allocation programs.
  10. Work closely with the senior management team to create, implement and roll out plans for operational processes, internal infrastructures, reporting systems and company policies, all designed to foster growth, profitability and efficiencies within the company.
  11. Motivate and encourage employees at all levels as one of the key leaders in the company including but not limited to professional staff, management level employees and executive leadership team members.
  12. Forge strategic partnerships and relationships with clients, vendors, banks, investors and all other professional business relationships.
  13. Work with the CEO and CFO in the capital raise process, participate in the company’s road shows. Meet, interact and present information effectively to potential investors and private equity firms.
  14. Foster a growth oriented, positive and encouraging environment while keeping employees and management accountable to company policies, procedures and guidelines.

If the CRO’s primary purpose is to help management make the informed and intelligent decisions necessary for success (as I have argued here and in my books), then it seems to me that the COO is a primary customer.


Why not report to your primary customer?

That will help ensure that your interests are aligned, and you get his or her valuable support, including time and resources.

The COO will have an incentive to make risk management as effective as possible when it comes to both strategic and tactical decisions.

Just like the CAE, the CRO can have matrix reporting. For example, some organizations might want him or her to report to the board (or a committee of the board) and the COO. I could see some variations on this theme, for example reporting to the COO who is the chair of the management risk, strategy, and performance committee. Note how I integrated all three rather than having a siloed risk management committee.


The other option may be a new idea to some.

Have the CRO report to the Chief Strategy Officer.

This is how Wikipedia describes the role:

The CSO is an advisory and deal making role; both leader and doer, with the responsibility for formulating corporate strategy as well as ensuring that execution of the strategy supports the strategy elements. The CSO at times functions as a sort of “mini CEO,” someone who must see the issues confronting the company from as broad a perspective as the chief executive does.

Typical CSO responsibilities include:

    • Develop a comprehensive, inclusive strategic plan and growth strategy by collaborating with the CEO, senior leadership and the board of directors.
    • Analyze market dynamics, market share changes and product line performance.
    • Identify and often execute important capital projects, joint ventures, potential M&A targets and other strategic partnership opportunities.
    • Identify and convey strategic risks.
    • Communicating and implementing a company’s strategy internally and externally so that all employees, partners, suppliers, and contractors understand the company-wide strategic plan and how it carries out the company’s overall goals.
    • Driving decision-making that creates medium- and long-term improvement.
    • Establishing and reviewing key strategic priorities and translating them into a comprehensive strategic plan.
    • Monitoring the execution of the strategic plan.
    • Facilitating and driving key strategic initiatives through inception phase.
    • Ensuring departmental/unit strategic planning projects reflect organizational strategic priorities.
    • Partnering with institutional leadership, special committees, and consultants to support execution of key initiatives.
    • Developing inclusive planning processes.
    • Translating strategies into actionable and quantitative plans.
    • Mobilizing and managing teams of individuals charged with executing strategies.
    • Acting as a resource across an organization to increase broad cohesion for strategic plans.
    • Execute divestments and divestiture.
    • Collaborate with the CFO to develop a capital plan in line with the organization’s strategy.

Again, the objectives and responsibilities of the CSO seem to me to be aligned with those of the CRO.


What do you think?

Would a change in reporting structure revitalize and give new energy to a risk management function and practice?

  1. June 7, 2021 at 8:07 AM

    Hi Norman – an interesting question and one with which the Risk Coalition had to wrestle when writing ‘Raising the Bar’ (https://riskcoalition.org.uk/the-guidance). We landed on a dual reporting line model to the CEO and Chair of the Board Risk Committee, partly to meet the expectations of regulators but also to ensure the CRO is of equivalent seniority as other ExCo members. Your proposed solutions place the CRO below ExCo level, a position from which it would not be possible – even for a tenacious CRO – to constructively challenge executive risk taking effectively.

    In relation to your Chief Strategy Officer suggestion, I would take a different tack. Might it make more sense for the CRO to become the Chief Strategy and Risk Officer, since the two roles are inextricably linked?

  2. Norman Marks
    June 7, 2021 at 9:11 AM

    Chris, the CRO is not a decision-maker but supports it. I do not see the position as ExCo – however much practitioners would like that to happen.

    Frankly, their job is NOT to challenge executive decision-makers, but to enable it.

    Thanks for the comment, and let’s see what others have to say.

    • June 7, 2021 at 9:28 AM

      I agree, Norman – the CRO should not be a decision-maker. Their role is to facilitate effective management decisions through advice, challenge and opinion. In providing an opinion, the CRO should challenge whether first line management has adequately considered all pertinent risks, how they may positively or negatively impact the organisation, and whether appropriate risk responses have been adopted to keep within risk appetite. This can’t be done effectively unless sat at the top table.

      • Norman Marks
        June 7, 2021 at 9:45 AM

        Chris, we have to be careful to make sure the CRO is not focused on downside and blind to upsides. I do not want the CRO to provide a separate opinion on a decision. But I do want them to have a voice when the CEO or others take risk recklessly. That does not require an ExCo position, same as with the CAE. The CRO needs access to the CEO and the board, if necessary.

  3. June 8, 2021 at 3:01 AM

    As executives in (good) organisations work together rather than operate in silos, I do not think it is very important who the CRO reports to as direct boss. The role of the CRO is cross-company and he/she must have good liaison with executives and managers throughout the organisation to be even remotely effective.

    The real issue is the focus and aspiration of the CRO and risk management team which I think should be:
    – Serve as an advisory competence centre for the organisation on intelligent risk taking, i.e. how to enhance performance rather than minimize risk exposure
    – Develop and roll-out effective risk management templates and processes to be embedded in all kinds of decision making, i.e. ensure risks, levers and uncertainties are effectively addressed
    – Develop reporting on likelihood of meeting targets to be seamlessly embedded in whatever performance reporting the organisation is using already
    – Be the alert advisor if/when something happens and/or business conditions change. This includes issues related to e.g. competitive landscape, legislation/regulation, disruptions, customer preferences, technology, …

    Risk management is NOT standalone, and hence I actually prefer having a small and trusted “risk advisory team” rather than a leadership area and a CRO who many will think “is responsible for risk issues”.

    • Norman Marks
      June 8, 2021 at 6:26 AM

      Thanks, Hans. This makes sense, as always.

  4. GSosbee
    June 14, 2021 at 8:22 AM

    A good discussion, Norman. My only suggestion is that when you write about risk management you need to differentiate between financial services risk management and all other risk management.

    If risk management is universal why the notation? Risk management in the financial services industry is actually a capital allocation process – an important sub-process but only a portion of the enterprise risk management program. The CRO should report to the Chief Risk Executive (CRE). The CRE in turn should report to the CEO for administrative issues and the Board Chairman (or his Board designee) on operational and strategic issues, as you have suggested.
