What Makes an Effective Chief Risk Officer


Last week, I wrote a blog about the qualifications for a director who is relied on by the board as a risk expert.

One of the comments I received is that the same or similar list could be used to define the necessary attributes of an effective chief risk officer (CRO).

I think that is right, with special emphasis added in three areas:

  1. The CRO has to have an excellent understanding of the business, the organization structure and key players, how it delivers value to its stakeholders, and where the opportunities as well as the potential hazards lie. It is simply not enough to be a technical expert. The CRO has to get out and be among those in the front lines if he is to understand how the enterprise really works.
  2. The CRO must be able to communicate and influence at all levels of the business. He must be fluent in the language of the business and not try to express himself using the techno-babble of risk management. The CRO must not only be able to gain the attention of key decision-makers, but be able to engage them so that they listen, pay attention, and accept him as a valuable adviser.
  3. The CRO must step out of the shadows of the consultants who propose quarterly risk reviews of the top 10 or 20 risks, and seek to help the organization understand and manage all the more significant risks to the success of the organization — including helping the people in the front lines make better decisions every day because they have and are considering risk information. The CRO must help the organization manage the risks that matter at the speed of the business.

To illustrate my second point, let me share a story. A couple of years ago, I made a presentation at a meeting of a professional risk management organization. Afterwards, we adjourned to lunch where I was asked by their president to sit with him. He had a problem and asked for my advice.

This individual was the CRO at a major organization. While he was able to get periodic meetings with the CEO, he felt that he had little influence and was not invited to key strategy and other meetings. He said that the CEO didn't really listen and always cut their meetings short.

As I listened, I realized I didn't want to spend time with him either! He was boring. He used the technical language and presented himself as a technical risk manager, not as somebody who understood and sought to improve business performance. He was a brake on the organization without constructive ideas.

This type of CRO will not be a credible partner to the CEO and top executives. He needs to learn executive presence and presentation skills. But, more to the point, he needs to rethink himself as a business executive rather than a technocrat.

But going back to the list of attributes in the guidance referenced in the earlier post, I wonder how many CROs have the majority of those skills?

I welcome your views.

The opinions expressed by Internal Auditor's bloggers may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers' employers or the editors of Internal Auditor. The magazine is pleased to provide you an opportunity to share your thoughts about these blog posts. Some comments may be reprinted elsewhere, online or offline.


