What Makes an Effective Chief Risk Officer

Norman Marks, CRMA, CPA, was a chief audit executive and chief risk officer at major global corporations for more than 20 years. The views expressed in this blog are his personal views and may not represent those of The IIA.


Last week, I wrote a blog about the qualifications for a director who is relied on by the board as a risk expert.

One of the comments I received is that the same or similar list could be used to define the necessary attributes of an effective chief risk officer (CRO).

I think that is right, with special emphasis added in three areas:

  1. The CRO has to have an excellent understanding of the business: the organization structure and key players, how it delivers value to its stakeholders, and where the opportunities as well as the potential hazards lie. It is simply not enough to be a technical expert. The CRO has to get out and be among those on the front lines if he is to understand how the enterprise really works.
  2. The CRO must be able to communicate and influence at all levels of the business. He must be fluent in the language of the business and not try to express himself using the techno-babble of risk management. The CRO must not only be able to gain the attention of key decision-makers, but be able to engage them so that they listen, pay attention, and accept him as a valuable advisor.
  3. The CRO must step out of the shadows of the consultants who propose quarterly risk reviews of the top ten or twenty risks, and seek to help the organization understand and manage all the more significant risks to its success, including helping the people on the front lines make better decisions every day because they have, and are considering, risk information. The CRO must help the organization manage the risks that matter at the speed of the business.

To illustrate my second point, let me share a story. A couple of years ago, I made a presentation at a meeting of a professional risk management organization. Afterwards, we adjourned to lunch where I was asked by their president to sit with him. He had a problem and asked for my advice.

This individual was the CRO at a major organization. While he was able to get periodic meetings with the CEO, he felt that he had little influence and was not invited to key strategy and other meetings. He said that the CEO didn't really listen and always cut their meetings short.

As I listened, I realized I didn't want to spend time with him either! He was boring. He used the technical language and presented himself as a technical risk manager, not as somebody who understood and sought to improve business performance. He was a brake on the organization without constructive ideas.

This type of CRO will not be a credible partner to the CEO and top executives. He needs to learn executive presence and presentation skills. But, more to the point, he needs to rethink himself as a business executive rather than a technocrat.

Going back to the list of attributes in the guidance referenced in the earlier post, I wonder how many CROs have the majority of those skills.

I welcome your views. 

Posted on Jun 25, 2013 by Norman Marks


  1. This is an outstanding blog! 

    Many a time I have noticed technocrats using lots of technical terms without any context or explanation. And in doing so, either by habit or by choice, they ignore the fact that much of their techno-babble went over the head of the asker/audience.

    Those nerds learn to relate their domain knowledge with the interrelationship between Strategy, Performance and Risk, that is, SPR!

  1. The observations are really very pertinent; we also have similar experiences.

    When we talk the business language, the acceptance of risks and mitigation plans becomes easy, and they accept ownership for the same.

  1. I share the view, even though the third area mentioned in the article is very frequently handled differently at some companies, which prefer to manage risks at the relevant levels and focus only on key ones. Both approaches have pros and cons. For example: an overcontrolled business might be exposed to a risk of failure to achieve growth objectives; failure to involve relevant stakeholders in considering business risks might result in neglecting some of them; etc.

  1. Totally agree, Norman. The successful Chief Risk Executive is one who is accepted as a member of the senior management team due to his/her ability to assimilate into the organization, not because he/she is appointed Chief Risk Executive.

  1. Since you were so kind as to ask for readers' opinions, I shall feel free to be candid. Bullet points one and three are valid, important, and widely applicable.

    • Regarding bullet one: Technical (risk) expertise has minimal relevance without fundamental knowledge of the business!
    • As for bullet point three, a Chief Risk Officer should not be dependent on consultants. That is a risk exposure in its own right! Consultants can be useful and worthwhile for specific tasks, specialized knowledge that may be needed on a one-time basis, for example. Anyone hired as a CRO should already know more about risk management than management consultants though!

    The CRO needs to present himself as a member of the executive team. I balked at the suggestion that the CRO's job is to help improve business performance. It is true, that IS his job, but the means by which he does so is more often through mitigation of risks that result in higher costs, or losses. I don't think the CRO should need to be a salesman. Persuasiveness and good communication skills are important, but beyond that, company attitude needs to be receptive toward their CRO. They will suffer the consequences if they are not. The CEO and upper management must communicate that, otherwise the CRO can't be effective.

    P.S. This is a delightful commenting interface! I really like your color scheme, ivory and navy, too.

  1. "The CRO must step out of the shadows of the consultants who propose quarterly risk reviews of the top ten or twenty risks, and seek to help the organizations understand and manage all the more significant risks to the success of the organization" - so very true. Whilst risk reviews have a place, risk management is day-to-day decision management and should be part of the build-up of any business; a CRO therefore must encourage this behaviour, support it, contribute to its development and execution, and not just see their role as a quarterly cycle of reviews. In fact, rather spend that money on educating yourself and your teams to ensure your thinking is current, and use the time to get "closer to the business".

  1. Good post overall, but please try to proofread prior to submitting potentially outstanding (as opposed to "just" good) work. We are, after all, professionals!

  1. Michael, with what do you take exception?

  1. Norman, you are right about the CRO, particularly about getting out and communicating. This is also an essential quality for the Chief Audit Executive. Internal auditors can only be truly effective if everyone in the organisation has confidence in them, and this can only happen if they are approachable and their purpose is understood. It's difficult to be approachable and independent, but if we can achieve this, it will make us more effective internal auditors. We cannot rely on throwing our reports over a high brick wall separating us from the rest of the organisation.

  1. This is a great post about global information security. Thanks for sharing with us.
