
Promoting a CRO From Within

Once a decision has been made to establish a full-time Chief Risk Officer (CRO), the next logical question is whether a suitable candidate exists internally or whether one should be hired externally. There are some definite pros and cons to both strategies, as is the case with any C-level position. An internal candidate already has institutional knowledge of the company and its structure, culture, philosophy, strategy, etc. He will already have relationships established with staff and management and hopefully the respect of his peers. However, he may not have sufficient training and experience to serve as the CRO, and sometimes being too close to part of the organization can be a liability. Alternatively, an external candidate may bring related experience from prior companies and, in leveraging that experience, will probably be able to move much faster in building and applying an enterprise risk management framework and program. However, it will still take time to build collaborative relationships, since he starts in the position with very little political currency.

For this article we’re going to look specifically at several scenarios where an internal candidate is promoted into the CRO position, including some of the issues that tend to arise.  We are assuming that the candidate does not have prior experience as a CRO and is instead shifting from somewhere else on the organization chart. The positions we will consider include:

  • Internal Audit
  • Credit Administration or Chief Credit Officer
  • Risk Manager

Professionals in each of these areas have unique and valuable expertise and perspective, but they also tend to overlook certain aspects of the CRO role. Hopefully the information presented here will help individuals to understand their role more fully and consider ways to further develop their skill sets.

Internal Audit

Assets: Solid understanding of the criticality of sound internal controls, comfortable with a risk assessment process, typically have a good understanding of the company structure and its culture.

Liabilities: Tendency to over-focus on internal controls (creating Internal Audit II) rather than the broader spectrum of risk. Trouble migrating from an “independent validation” role to a more collaborative role. May have difficulty establishing trust with some staff and managers.

One of the most common areas that I see for harvesting new risk officers is from Internal Audit (IA). The thought processes are similar in that both areas are focused on risk to the organization and how best to mitigate that risk. But the challenge for ex-auditors is whether they can make the transition from a focus on the testing and validation of internal controls to a broader focus on risk profiles and risk alignment. The CRO needs to be the architect of the risk framework and then guide the organization in adopting and actively utilizing that framework. Practically speaking, the process is usually more persuasive than authoritative, and this is often a difficult adjustment for ex-auditors.

Suggestions: One of the best things that an ex-auditor in a CRO role can do is to study heavily the ideas of risk profiles and risk alignment. Carefully examine not just the list of internal controls, but explore the inherent risks that drove the creation of those controls. Understand the residual risk that still exists despite those controls and how those relate to the corporate tolerance for risk. Remember, the presence of a risk does not mean the lack of a control; it means the acceptance of a risk. As a CRO they can work much more closely with business areas in helping them understand their risk profiles, but still need to ensure that the risk is owned by the business unit. Finally, they should never, ever be in the business of testing controls. They may want to, but that is IA’s job. Let them do it.

Credit Administration or Chief Credit Officer

Assets: A firm understanding of the need for sound governance: policies, procedures, controls, analytics, accountability, etc. They are used to talking about big, scary risks and, when necessary, reining them in.

Liabilities: To put it bluntly, they often have trouble seeing beyond credit risk. The old saying “When you’re a hammer everything starts to look like a nail” is very applicable in this case.

In organizations like financial institutions, such a large percentage of risk centers around credit that often the CCO is given the dual role of CCO & CRO. This is a very bad idea. No one can serve two masters, and when push comes to shove the CCO is going to focus on credit policy and credit risk. The CRO needs to be focusing on all areas of risk at all times: Credit, market, liquidity, operational, strategic, reputation, etc.  And for a CRO that has moved from the CCO position, she will need to learn that while credit risk is very important, there are many other ways to knock a hole in a ship.

Suggestions: Probably the best place to start for the CCO-cum-CRO is to pick up any one of a number of very good books on Enterprise Risk Management and study it cover to cover. (See the “Additional Resources” section below.) This certainly isn’t a case of forgetting what the CCO knows; it’s building on that knowledge. Also, like the ex-Internal Auditor, the new CRO will need to get used to the idea of working much more collaboratively with staff and managers. They are no longer just enforcing credit policy. They are now tasked with helping the organization discover the millions of ways that things can go wrong, how to assess those risks and how to build suitable mitigating controls. The world of credit risk is fairly defined and is entirely permission based. Other risk areas (particularly operational risk) are much less so, so risk management becomes much more subjective.

Risk Managers

Assets: For someone already functioning in a risk manager role, they probably already have good interactions with staff and management and understand the existing risk management framework and methodology.

Liabilities: They often have trouble transitioning from completing risk assessments and/or risk reports to becoming the overall program architect. They may also need to develop their executive skills since they will now be interfacing directly with the Board and the senior team.

Someone that is already participating in the risk management process, perhaps as an embedded risk manager within a part of the organization, is a definite candidate for promoting into the CRO position. They are already familiar with the forms, processes, methods, etc. of the risk framework and they should have a firm understanding of the goals of the program. However, as with all employees who are promoted into their boss’s position, they suddenly need to learn how to wear much more expensive shoes.

Suggestions: If an existing risk manager is a potential candidate for the CRO spot at some point, he should be groomed for this position. This means participating in the strategy meetings around the design of the risk framework, being responsible for part of the combining of individual risk reports into aggregate reports for the company so that he sees “the big picture,” and periodically sitting in on Board presentations to see how they want material presented, how discussions take place and how decisions are made. Once he is promoted into the position, the company needs to make sure that someone is tasked with his old responsibilities as quickly as possible. Unfortunately, many times an individual is very well suited at the manager level but doesn’t necessarily possess the executive-level skills to be able to move into the C-level position. This needs to be very carefully evaluated before making the move.

Finally, regardless of which internal candidate is promoted, the CRO should involve themselves in industry risk associations and forums. In my experience, risk managers are more than willing to learn from each other and sometimes the best way to learn is to be connected with other practitioners. Some of these associations are listed below.


The ERM Advantage

For organizations that promote a CRO from within, understanding the unique functional and cultural differences will help in smoothing the transition and ensure that the candidate is successful in their new role. Acting as the CRO is difficult enough; bringing the wrong thought process can complicate things and possibly sabotage the CRO’s attempts to direct the enterprise risk management program.

For assistance in evaluating potential internal candidates for a CRO position, or to provide training and support to an existing one, contact Eric Holmquist at Accume Partners at (856) 793-1581 or eholmquist@accumepartners.com. Visit accumepartners.com

Additional Resources

Enterprise Risk Management by James Lam

Enterprise Risk Management – Robert W. Kolb Series

The Risk Management Association

The Professional Risk Managers’ International Association (PRMIA)

The Global Association of Risk Professionals (GARP)

Various risk management forums in LinkedIn

About ericholmquist

Consultant, speaker and author on banking, enterprise risk management, technology and information security.


8 thoughts on “Promoting a CRO From Within”

  1. I am horrified at these sweeping generalisations about people based on their job title. And what about people in strategy, operations, finance etc? Could there not be worthwhile candidates there?

    If you want a more balanced perspective on what risk managers look like nowadays, see http://www.riskmagazine.com.au/article/what-makes-a-great-risk-manager–part-one-120482.aspx

    The narrow view of the world you present here hardly commends you to help organisations recruit CROs.

    Posted by Grant Purdy | November 29, 2011, 9:50 pm
    • Grant, thank you for your observations. Based on your comments, let me clarify a few points. While these may in fact be generalizations, they are all taken from real-world experience working with CRO’s coming from these disciplines. The strengths and challenges I have noted are based on personal experience and observation in the industry and manifest very consistently. As far as potential candidates from other areas of the organizations, absolutely a CRO could in fact emerge from the areas you mentioned, as well as Legal, Compliance, etc. In fact, people coming out of operational roles can make very strong CRO’s. However, the overwhelming number of CROs that are promoted internally do tend to come from the roles that I described. These were also the disciplines that tend to be most heavily influenced by their “former” role. Finally, please understand that this piece was not designed to describe what a risk manager should look like. It is describing real-life examples of challenges that people may need to overcome if they find themselves moving from one discipline to another. I hope that is helpful in reading the piece.

      Posted by ericholmquist | November 29, 2011, 10:21 pm
    • Interesting article. However, in my experience, predominantly within the banking sector, CRO’s are often selected from finance or trading and they are too often “insiders” of the organisation. One of the biggest factors which make a superior CRO, in my opinion, is an outsider’s healthy scepticism of management assurances/processes/structures. A Financial background seldom gives this and a trading background, whilst useful, seldom gives enough distance or perspective, if too recent.

      In a perfect world, I believe, you would want candidates with experience of risk taking, aligned with best practice from other organisations and knowledge of regulatory practice/conventions/perspectives. Topped up by first class communication skills. Risk frameworks are ultimately fruitless without executive and organisational buy-in.

      Posted by Des Smith | December 8, 2011, 9:38 am
      • Yes, very good points. Yes, these are also areas where CRO’s are often drawn from, sometimes with mixed success. Space permitting I tried to address roles that seem to have the most difficulty in making the transition, but at some point I may expand the scope of the piece to include some of these other areas that have been mentioned. You highlight an important dilemma in that you want people that are experienced in the business, but not so close that they turn a blind eye to key risks. Simply put, the mindset of a CRO is really unique from any other role, but really needs to understand those roles. Thanks for your thoughts.

        Posted by ericholmquist | December 10, 2011, 3:54 pm
  2. Your article presents a very concise straightforward way to view internal candidates for the Chief Risk Officer position. I think there are other internal positions that may also be a source for very qualified candidates. Compliance officers understand risk and are comfortable with the risk assessment process, have experience developing a framework for meeting regulatory requirements and establishing policies and procedures. A chief compliance officer also has C level experience and a big picture view of the organization. The general counsel or other senior level in house attorneys are used to not only talking about, but dealing with the mess created by the big scary risks. Attorneys are detailed but also intuitive. They see the big picture and also the root causes of the problems, work with people from all departments in the organization and have good communication skills.

    P.S. Of course, these are generalizations of people in chief compliance officer and general counsel roles.

    Posted by Bridget Gaughan | December 1, 2011, 1:54 pm
    • Bridget, I absolutely agree that those are two other areas that may provide excellent candidates for a CRO position. I also find that they tend to transition a bit easier. Obviously the former Compliance Officer will have to be careful to not over focus on the compliance issues, and legal issues for the former corporate lawyer. (I have seen both of these in real life examples as well). I would have liked to cover these as well, but unfortunately needed to keep the piece to a manageable length. 🙂 Thanks for the good observations.

      Posted by ericholmquist | December 1, 2011, 2:21 pm
  3. It is really very interesting and in my opinion it is not a straightforward approach, however, I have been in this situation three times and I see as follows:
    External Candidates: their focuses will be on the enterprise level and in most cases they will be able to adopt suitable approaches that can accommodate their new responsibilities in their new position / organization.
    Internal Candidates: their focuses will be building on current approaches and in my opinion, they will need consultancy that brings new approaches / methodologies to their consideration to implement.
    In all cases if potential CRO’s whether external or internal have finance and/or operation background, this will absolutely with no doubt be a great help to perform their responsibilities.

    Posted by Hatem Ibrahim | December 15, 2011, 3:19 pm
    • Hatem, I agree with your observations. You are absolutely right that even the distinction between a candidate being external versus internal will tend to emphasize certain biases that should be recognized and monitored. Unless someone has been serving in this role previously there is going to be a learning curve and the challenges that each individual will have can often be estimated based on their former roles. I also agree that having some finance and/or operations background is almost critical to being successful in this role. Thanks for your thoughts.

      Posted by ericholmquist | December 18, 2011, 7:33 pm
