you're reading...
Governance, Management, Roles and Responsibilities

The Evolving Role of the Chief Risk Officer

In working with different sized institutions to develop an enterprise risk management program, some of the questions that tend to come up relate in particular to the Chief Risk Officer’s (CRO) role, including:

  • To whom should the CRO report?
  • Does the CRO only work on the risk framework or can (or should) he participate in risk assessments?
  • Does the CRO own any of the risks?

In truth, these are actually not simple questions, so it is not surprising that organizations are wrestling with them.  The fact is that the industry has been given little guidance into the design the CRO position, and asking 10 people will usually yield at least 10 different opinions (sometimes even more.)  However, some patterns are starting to emerge that I believe represent industry best practices.

The fact is that the CRO’s role will very likely be different in a smaller organization than it will in large ones, and that is ok. When an organization is small, the CRO’s role is much more hands-on. As the organization grows, the role becomes more formalized and farther removed from day to day program management. This “evolution” is perfectly fine, but it tends to confuse people if they are looking for one universal job description. Even industry literature tries to take a position on the structure of the CRO’s role, when in practice it is not that simple. The purpose of this article is to outline two different models for risk managers and describe how this evolution should occur naturally over time.

Risk Governance

For the benefit of context, when we talk about the risk management program, there are basically three key roles that need to be identified.

  • The design of the risk management (RM) framework
  • Implementation of the framework (identifying, monitoring and managing risk)
  • Testing of the program (ensuring compliance with the framework and its effectiveness)

Who participates in each of these will largely depend on the size and complexity of the organization. To give us a starting place, we can generally say that the CRO will drive the first point and that Internal Audit (via control validation) will largely drive the last point, but everything else in the middle embodies multiple shades of gray.

This point becomes the most treacherous when we ask the question, who should assess the risk?  While we know that the CRO will always act as a type of subject matter expert, this becomes profoundly dangerous if the CRO’s opinion begins to carry more weight than the actually business or process owners.  Ultimately, the business needs to own the risk, so how does the CRO provide input without inheriting the risk itself? This is the real trick for the organization.  We have to remember that the CRO may understand risk but may not understand every business process.  Conversely, process owners may know the process but may not appreciate all of the potential risks. Enterprise risk management is about making sure that these two roles work closely together to bring the best of all knowledge together in a cohesive way.

With that foundation, there are basically two models of risk governance, the single line and the dual line. The following outlines these two different models for a typical financial institution.

The Singular Model

The singular model is the most common for smaller organizations. In this model the bank typically has a Chief Risk Officer that is responsible for both the design of the program and is also expected to participate in the risk assessment process. Characteristics of this role include:

  • Responsible for the development of the ERM framework
  • Chairs the bank risk committee (a management committee)
  • Will act as a subject matter expert (SME) to business areas on assessing risk, including change management
  • May serve as one of the liaisons with regulators (or may even help coordinate bank exams)
  • Will typically report to the CEO (any other reporting point is not senior enough)
  • Best not to have operational units reporting to him, he needs to remain independent of operations

Where organizations need to be very careful with this type of CRO role is that they will be expected to participate in the risk assessment process (which is fine), but ultimately management needs to own the risk assessments. Management must make sure that the CRO doesn’t become the automatic “go-to” person for assessing risk. However, their role as both program designer and subject matter expert is invaluable to the organization.

A simplified organization chart showing the inclusion of this role is as follows:

Natural Evolution

Then, as organizations begin to grow more complex, a natural evolution takes place to a more mature risk framework. These changes include:

  • The risk committee will shift from a management committee to a Board Committee
  • The CRO will move into more of a corporate role with risk managers then embedded within business units
  • The CRO will be much less involved in risk assessments, instead focusing more on program governance and oversight
  • Embedded risk managers are responsible for assessing risk within their respective business units
  • Risk frameworks become more formalized and corporate standards emerge

This shift naturally leads to a dual line model, which is much more common in larger organizations.

The Dual Line Model

In the dual line model, the risk management program is split between a corporate risk officer and embedded risk managers.  This model is not unlike that of the Chief Credit Officer (a corporate role) that sets lending policy which is then implemented by the Chief Lending Officer overseeing individual loan officers.

These roles can be described as follows:

Chief Risk Officer

  • Oversees the development of the ERM framework (and developing RM policies)
  • Act as SME primarily to the embedded risk managers (but could also consult to business areas as needed)
  • One of many liaisons with regulators
  • Reports to the Board Risk Committee (now chaired by a Director)
  • The significance of the independence at this point is important because once he’s independent of management, not only can he drive program design, but he can now be part of program testing as well
  • As with the singular model, he should not have operational areas reporting to him

Embedded risk managers

  • Responsible for functional risk assessments within those business units where risk assessment and management has grown into a fulltime responsibility
  • If there is a head of all of the individual risk managers throughout the business, considering calling this person “Enterprise Risk Manager” or “Senior Risk Manager” or ”Chief Risk Manager.”  But the “manager” (or similar) designation makes a clear distinction between the CRO and the one implementing the framework and actually assessing risk (i.e., managing it).  The individual risk managers will likely report to the heads of the business units with a dotted line to the Enterprise Risk Manager

An example of this type of framework is shown below. Between these two models there is an almost infinite number of permutations and each organization will need to decide how best to design their risk governance structure. But regardless of which structure is chosen, a central, critical point to remember is that while the CRO may serve as SME and provide input on assessing risk he should never, under any circumstances, own the risk. This must remain with business owners.

The ERM Advantage

By committing to employing a chief risk officer, the organization creates one central, highly qualified individual that can develop a solid risk framework and assist management in ensuring that it is consistently utilized. This has a profound impact on reducing losses and preserving capital and shareholder equity.

For assistance in evaluating how to structure the Chief risk Officer’s role within your organization contact Eric Holmquist at Accume Partners at (856) 793-1581 or eholmquist@accumepartners.com. Visit accumepartners.com

About ericholmquist

Consultant, speaker and author on banking, enterprise risk management, technology and information security.


15 thoughts on “The Evolving Role of the Chief Risk Officer

  1. Interesting article. I have a few questions:
    1) What structures are typically applied in “non-financial” institutions?
    2) What ERM structures do you see in groups with independent legal entities operting over a number of countries and how does the ultimate holding company ERM structure operate at the subsidiary level?
    3) I agree with your comment on not including “operational areas”, however what is typically included in the CRO and/or Enterprise risk manager department structure? Considering the following:
    3.1) SHEQ (Safety, Health, Environment and Quality)
    3.2) Legal and Regulatory Compliance
    3.3) Insurance
    3.4) Quality assurance programs

    Posted by MP Rossouw | November 2, 2011, 9:49 am
    • Good questions.
      1) I only advise for financial institutions, so I would invite others to comment.
      2) In home/host situations I have seen models where the home country establishes the risk framework which is implement in the host country and I have seen where each entity had it’s own risk structure. I believe the regulators will often weigh in on their preference, but I would not propose that either is better. Personally I prefer the latter.
      3) I am fine with the compliance officer reporting to the CRO (in either model) because that is also an oversight role and has no operational responsibilities. SHEQ I would put in an administrative or shared services division, Insurance and QA are negotiable, but I could see them under the ERM, but could also be in other areas as well.
      Ultimately I think there are many ways to structure organizations, so these can be debated many ways. As long as the central truth remains that no operational unit reports to the CRO.

      Posted by ericholmquist | November 2, 2011, 7:13 pm
  2. Another great article with very practical and insightful advice for both large and small organizations. The bottom line is that the risk management function must be tailored to the business, but in all instances the business owners, not the CRO, must own the risk.

    Posted by Bridget Gaughan | November 2, 2011, 12:51 pm
  3. EBA Guidelines on Internal Governance (GL44) issued 27 September 2011 clarifies much of the topics discussed.

    Posted by Ovidiu Bordeut | November 2, 2011, 12:58 pm
  4. Interesting article I hope it generates greater discussion.
    As respect the singular model – I would suggest that while the CRO should indeed report (hard line) to the CEO as indicated, the CRO should also have a dotted line report to the risk committee of the board. I suggest a risk committee vs. audit committee because they have two very different functions.
    Board level risk committees should have risk oversight responsibilities not risk management responsibilities. I would suggest the CRO chair the executive risk management committee.

    Posted by John Bugalla | November 3, 2011, 11:56 am
    • John, I agree with you. In the singular model as I presented it, this would assume that the risk committee is not yet a board level committee. I see this a lot in community banks. Once the committee is elevated to a Board level I definitely agree that the CRO should be accountable to the committee. And, yes, the CRO should absolutely chair the management level risk committee. Thanks for the your thoughts.

      Posted by ericholmquist | November 3, 2011, 3:03 pm
  5. Agree with the article in full. The community bank CRO should understand credit to safeguard asset quality, banking operations to safeguard info sec, privacy, vendor, and transaction risks, compliance to remove the possibility of civil money penalties, controls to work effectively with internal audit, and finance to measue and improve the cost of risk managment. What is necessary for a community bank to bring all of this together in the Office of Risk Management? Theory and good models are important. Isn’t the biggest challenge simply the “M” in ERM?

    Posted by Mike Cohn | November 3, 2011, 10:46 pm
  6. Many thanks for this excellent article, Eric.
    Looking at the 2 types of models which you describe, I strongly believe and have experienced myself that only the dual line model enables efficient risk management. The reason is that a CRO who reports to the CEO (singular model) is highly depending on the CEO’s support in terms of risk management measures – which usually often limits a CEO’s bonus targets. A CEO is not paid for the company’s survival (or risks he has avoided to take last year) but for generating cash and also taking business risks.
    I see the problem in most companies getting into trouble these days that they have kept the singular model for too long including the BoD having focussed basically too long on cash generation instead of keeping a healthy risk/ chance balance with a CRO acting as a sparring partner for the CEO.

    Posted by Malte Rahnenfuehrer | November 15, 2011, 9:30 am
  7. Excellent Article Eric.

    On studying the dual line structure, I wonder how the board level risk committee and its management representative, the CRO, get information on the risk measures. At one level, I would like the CRO providing independent evaluation to the committee/board, but on the other hand, why bother with it as long as the risk management framework of the CRO is robust. Any thoughts on this?

    Posted by Praveen Mohanty | January 5, 2012, 12:42 am
    • Praveen, thank you for your kind words. From my experience, the risk committee will be getting information from multiple sources, including the CRO and executive management. Together they will develop risk reports with high level information from across the organization. While the CRO may in some form assist in the gathering of this information, this does not preclude him or her from evaluating or offering an opinion it. Ultimately, it remains senior management that owns the risk profiles, the CRO serves as an advisor. I hope that addresses your question.

      Posted by ericholmquist | January 5, 2012, 8:07 pm
  8. I like and agree with the advice that the CRO cannot own any specific risk – the only adjustment I would suggest is that the CRO owns the reasonableness of the process and the components of the process. That ensures that if a new source of risk evolves – like currency instability, or securitization lunacy or signs of fraud by appraisers or they can make sure it gets on the table and an owner assigned. Sources of risk and the weights between different risk factors are never static.

    Posted by Kathryn M Tominey | February 1, 2012, 2:01 pm


  1. Pingback: Who Should CRO Report to? « Bootstrap Consulting - January 25, 2012

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Enter your email address to follow this blog and receive notifications of new posts by email.

%d bloggers like this: