Qualifying a Director as a Risk Expert

Norman Marks, CRMA, CPA, was a chief audit executive and chief risk officer at major global corporations for more than 20 years. The views expressed in this blog are his personal views and may not represent those of The IIA.


Boards have generally identified experience and insight into risk management as an area where they need to improve. As risk management is integral to any organization’s success, helping it to identify and address risks to the achievement of its objectives, regulators and others expect boards to beef up their ability to provide effective oversight.

I congratulate the Directors and Chief Risk Officers group and The Governance Fund who have published Qualified Risk Director Guidelines (PDF). The team involved in developing the guidelines includes notable risk and governance experts, a number of whom I know and respect.

This is an excellent basis for discussion by the board and its advisors in management about how it will assess whether the directors they add to strengthen risk oversight have sufficient experience, training, and ability.

I like that these guidelines are divided into groupings of attributes:

  • Risk management acumen.
  • Personal attributes.
  • Business acumen.
  • Education.

The guidelines suggest how a director may obtain the required majority of these attributes.

I only have a few quibbles:

  • I believe it is essential for a qualified risk director to understand the relationships between strategy, risk, and performance — and that the consideration of risk is an integral part of every-day decision-making.
  • The risk director should understand the need for every decision-maker within the organization to understand what the right risks are to take. It is insufficient to have broad risk management policies and standards that cannot be translated into guidance for everyday decision-making.
  • The qualified risk director should also have an appreciation for the need to manage risk at the speed of the business (or, as a commenter on one of my blogs said, run the business at the speed of risk).
  • An excellent source of qualified risk directors is experienced (including retired) chief internal audit directors.

I welcome your comments.

Posted on Jun 21, 2013 by Norman Marks


  1. Norman, your blogs are a great source of learning. Thanks for sharing your knowledge, experience and values with the world on a regular basis.

    I particularly like your point re understanding the relationship between strategy, performance and risk. This is exactly the brand name of my framework - The SPR Framework.

    Will share the skeleton of the SPR Framework with you sometime for your review and insights.



  1. It is vital that a Qualified Risk Director (QRD) have an intimate understanding of how risk appears currently out in the field, in operations, and in research and development.  That understanding cannot be stale but must also be historical, bringing forward past known risks and pivotal events in the industry, for, as we all have learned, history is doomed too often to repeat itself.  It is vital that the QRD not be above understanding hands-on risk and the people on the front lines, but be willing to get dirty hands in understanding risk.

    Build too complex a list of qualifications for the QRD, and the universe of candidates can shrink to extinction or self-perpetuation among a small club of 'experts' filling multiple slots.  Raise the demands too high, and no one will want to go there.  Witness the relative scarcity of CFOs willing to fill audit and other slots on boards.

  1. One of the surprising things for me in developing this document was some pushback on domain-only experts, i.e. there was a view that people with only a background in risk or internal audit can be too narrow and get focused on the mechanics and maturity of risk processes, instead of using the output to steer the organisation and contribute to the board / audit & risk committee in a strategic, commercial way.

    Having spent most of my professional life in the audit/risk domain, I initially found this confronting.  On further reflection, it's a good point and something I'm seeing quite a bit of on my various boards and audit and risk committees in their composition and operation.

    I liken it a bit to a new CEO who is taking the transition to being an independent director for the first time - they find it very hard to let go, and operate as one voice within a board instead of the decision maker or expert.  Not a bad bit of insight for those of us who are charting a course from audit/risk practitioner to board member, and has been a good prompt for me as I make my own transition in mindset from risk practitioner to professional director.

    The other thing which continues to surprise me is that practice is not uniform and is highly variable across different countries.  In the US there's still the debate about whether the CEO should also chair the board, and I was surprised to hear that the term "risk register" doesn't appear there much.  To my mind, international meetings of minds such as those facilitated by the DRCO and the IIA can only be a good thing for cross-pollinating ideas from different countries and helping us all to be better at what we do and how we do it.

    I'd also be interested in people's perspectives. 

    Todd Davies
