Can the CAE Be the Chief Risk Officer (CRO), or Report to the CRO?

What about Chief Compliance Officer or head of the Governance, Risk Management, and Compliance (GRC) function?

An apparent trend is for the chief audit executive (CAE) to be asked to lead or manage the organization’s risk management function. I know several major companies where the CAE either is also the chief risk officer (CRO), or has risk management reporting to him or her. Several are also responsible for compliance, and at least one company has the CAE as head of the governance, risk, and compliance (GRC) function.

This is different from the situations where the CAE reports administratively to the CRO and functionally to the audit committee. While awkward — the CAE may be auditing the risk management processes owned by his manager, and may disagree with the CRO on risk levels — as long as the CAE has free access to the audit committee the situation is generally manageable.

Can the internal audit function be sufficiently objective and provide assurance on the effectiveness of risk management and related controls when the CAE is also the CRO, head of GRC, or manages the risk function? Can the CAE provide assurance on controls to ensure compliance when he or she is the chief compliance officer?

In 2004, The IIA published a position paper, The Role of Internal Auditing in Enterprise-wide Risk Management (PDF). The paper made a number of assertions regarding what activities internal auditing may or may not perform.

Legitimate internal auditing roles with safeguards.
  • Facilitating identification and evaluation of risks.
  • Coaching management in responding to risks.
  • Coordinating ERM activities.
  • Consolidating the reporting on risks.
  • Maintaining and developing the ERM framework.
  • Championing establishment of ERM.
  • Developing risk management strategy for board approval.

Roles internal auditing should NOT undertake.

  • Setting the risk appetite.
  • Imposing risk management processes.
  • Management assurance on risks.
  • Taking decisions on risk responses.
  • Implementing risk responses on management's behalf.
  • Accountability for risk management.

It seems to me that when the CAE directs the risk management or GRC functions, he or she is “imposing risk management processes” and has “accountability for risk management.”

So what is the CAE to do if he or she is asked by management and the audit committee to take on responsibility for GRC, compliance, or risk management — even when both have seen the IIA position paper? Is it reasonable to expect the CAE to resign?

What should candidates do when offered a position as both CAE and CRO?

Finally, what more should we expect from The IIA in this area? Is it reasonable to expect The IIA to allocate its limited resources to advocacy and education efforts, when perhaps they may be better employed in advocating for internal auditing’s greater role in providing objective assurance on governance and risk management practices?

I welcome your comments and suggestions in each of these situations.

Posted on Oct 11, 2009 by Norman Marks


  1. As I have said elsewhere, I believe that we need to strengthen the balance in corporate organisations (especially where there is a major societal impact) to ensure that there is a stronger risk management and assurance framework. That requires an organisational structure that enables the head of that area to stand toe-to-toe with the CEO. This is with a view to long term sustainable growth, rather than short term unsustainable growth, and would facilitate the discharge of the board's legal or moral corporate governance fiduciary duties - such as they are.

    Does it therefore matter whether the CAE is on top, or the CRO or a new Chief Assurance Officer? I am not sure it does, unless you are wholeheartedly wedded to the concept of three lines of defence. I was at a European Commission hearing yesterday where one participant argued that three lines of defence (TLD) is the foundation for recovery in RM terms in banking. I beg to differ - it didn't work before the financial crisis (from a UK perspective look at HBOS or RBS, both of whom would have argued that TLD was a vital element in their control structure). I think we need a "paradigm shift" (apologies - but this time I think the word is warranted) that allows us to rethink the model, including reviewing the importance of pure independence, when actually the IA bit is only part of the assurance equation.



  1. In my organization, a bank, I serve as the CAE and CRO.  In fact, as an EVP I have responsibility for enterprise risk management (ERM), internal audit, compliance, loan review, and security.  We follow the IIA's guidance for ERM and have a committee of risk champions that make risk decisions.  I do not make risk decisions, I simply coordinate the process.  The key in having multiple functions report to the CAE is how they are set up and what governance processes are in place to monitor activities. 

    We have board level Audit & Asset Quality and Risk & Compliance Committees composed of independent directors to oversee the functions that report to me.  I have managers over each of the functions, except for ERM which operates with an officer committee of risk champions.  We have outside, independent audits of ERM to validate our process as well as a periodic external QAR of internal audit.  We also have annual regulatory examinations where my independence is reviewed.  The examiners have concurred with our governance structure.  Annually the Board of Directors reviews a report on my independence and the safeguards that are in place.

  1. Norman and Richard, 

    You have both raised some very interesting and relevant issues here which in my view deserve further consideration.
    Firstly I would like to address the concept of 3 lines of defense which Booz & Co. recently identified as being 1) Top Management and the Front Office 2) The Risk Management Function 3) Audit. I would have to agree with Richard that this approach to defending the organization has been in place for some time and unfortunately has proved to have its flaws.
    I have outlined the paradigm shift which I believe is required in my submission to the Walker Review of Governance in UK Banks which is entitled “The Requirement for a Director of Corporate Defence in UK Banking Institutions” (see link below). What I believe is now required is a comprehensive and integrated corporate defense program which aligns the management of the critical components which constitute an organization’s program for self defense, namely management of the following components: governance, risk, compliance, intelligence, security, resilience, controls and assurance.  
  1. .......continued

    In this scenario the role of the CAE and indeed the IA function is critical, however as Richard mentions it is only part of the assurance equation. I have just recently outlined my views on IA’s role in a corporate defense program in my piece in the October issue of the Internal Auditor magazine entitled “In Defense of the Corporation”. In my view the critical role IA has to play involves being aligned with the organization’s corporate defense program, while still providing an independent assessment, and in reality this can only be provided once IA is independent. As Norman points out when the CAE reports to the CRO or elsewhere (i.e. CFO or COO etc) difficulties can arise in relation to independence, objectivity and impartiality. Similar issues also arise when the CAE also holds the title of CRO or Head of GRC, or indeed when either the risk management or the compliance function report to the CAE. Very often the IA function itself can become compromised from within.       
    I understand that in smaller firms in the short term there is often pressure on the CAE, as it may be convenient for the organization if the CAE were to champion the introduction of a risk management or compliance function. Such a prospect can also be of great personal interest to the CAE. This however should only occur on a short term basis and a clear separation of accountabilities must occur in the short to medium term in order to avoid the potential pitfalls noted above. To be truly objective and impartial the CAE cannot retain accountability for functions outside of the IA function.   

  1. Norman,

    How many domestic/US or global organizations (esp. those engaged in banking and/or other financial services) have elevated the CAE to be an Officer of the corporation?!?

    Thomas Heller


  1. To All:

    Great discussion and a very important topic.

    I believe the issue of reporting lines is secondary to a more fundamental issue: Is anyone accountable for presenting a consolidated report on retained risk to senior management and the board? 

     In a utopia world primary responsibility for creating and presenting a consolidated report on residual risk status would rest with the CRO.  The CAE should then opine on the reliability of that consolidated report just as the external auditor opines on the reliability of an entity's consolidated financial statements.  In cases where there is no CRO or the CRO does not create and present a consolidated report on retained risk I think the CAE needs to take on the task.  In a purist world this would at least partially impair the ability of the CAE to report on the organization's risk management processes but I think this could be easily overcome by an external review by an independent undertaken at the request of the board.

    I think the simple concept of a reliable consolidated report on retained risk helps simplify the end result sought.  The issue is then how to create such a document that the board can rely on. 

    Hope this adds to the discussion.


  1. With respect to the question posed above, the bank where CAE & CRO Jameson works has posted its Corporate Governance Guidelines ( and its Charters of The Nominating & Corporate Governance Committee and The Audit & Asset Quality Committee (  And I, as an individual quite familiar with the Senior Supervisors Report of March 2008, find those documents and their reports to their federal regulator and others very interesting.
  1. I think this viewpoint brings out a common misconception that our profession has on "accountability" in general. The actual mitigating controls or lack thereof are embedded into the process. Process owners or "management" is accountable for the design and execution and therefore accountability for management of risk through such design and execution.

    Compliance groups are not the control. They cannot be accountable for risk management unless they have the power to "perform" or "affect" the actual business process that either creates and or mitigates the risk.  "Management of risk" is at that level.  

    I feel that the author and others may be confusing the approved areas of "Maintaining and developing the ERM framework. Championing establishment of ERM. and Developing risk management strategy for board approval." as "management".  Such oversight of GRC or ERM is not the process of managing risk.  It is the process of monitoring or guiding the oversight of risk management.

  1. Thomas, I have seen few CAEs elevated to 16b officer status.

    Tim, the CRO should be responsible for providing risk reports to the board and top management, and the CAE for providing assurance that the underlying processes are adequate. When they are the same person, careful measures have to be put in place to ensure the objectivity of the assurance provided. Many do not believe that is possible.

  1. The longer I hold the role of CAE the more I see the key value of my position is being independent, able to read situations accurately, focused on risk, unafraid to speak the truth and to take on the "political" areas, and unafraid to lose my job if doing the right thing causes it. 

    Can the CAE also hold the position of CRO?  I would look at priorities.  Can these two roles be carefully crafted so IA independence is maintained? Probably, as we see Steve is able to do.  Is it difficult? Probably. Would I be willing to take the chance of reducing the effectiveness of my CAE role to also be the CRO? No.  IA is unique in its reporting directly to the Audit Committee.  I am not willing to "waste" this position.  My priority is maintaining my effectiveness as CAE.  This is what the Audit Committee expects from my role and something only I can deliver.
