The chief risk officer (CRO) or chief risk management officer (CRMO) or chief risk and compliance officer (CRCO) of a firm or corporation is the executive accountable for enabling the efficient and effective governance of significant risks, and related opportunities, to a business and its various segments. Risks are commonly categorized as strategic, reputational, operational, financial, or compliance-related. CROs are accountable to the Executive Committee and The Board for enabling the business to balance risk and reward. In more complex organizations, they are generally responsible for coordinating the organization's Enterprise Risk Management (ERM) approach. The CRO is responsible for assessing and mitigating significant competitive, regulatory, and technological threats to a firm's capital and earnings. The CRO roles and responsibilities vary depending on the size of the organization and industry. The CRO works to ensure that the firm is compliant with government regulations, such as Sarbanes-Oxley, and reviews factors that could negatively affect investments. Typically, the CRO is responsible for the firm's risk management operations, including managing, identifying, evaluating, reporting and overseeing the firm's risks externally and internally to the organization and works diligently with senior management such as Chief Executive officer and Chief Financial Officer.
The role of the Chief Risk Officer (CRO) is becoming increasing important in financial, investment, and insurance sectors. According to Watson, the majority of CROs agreed that having only exceptional analytical skill is not sufficient. The most successful CROs are able to combine these skills with highly developed commercial, strategic, leadership and communication skill to be able to drive change and make a difference in an organization. CROs typically have post graduate education with over 20 years of experience in accounting, economics, legal or actuarial backgrounds. A business may find a risk acceptable; however, the company as a whole may not. CROs need to balance risks with financial, investment, insurance, personnel and inventory decisions to obtain an optimum level for stakeholders. According to a study by Morgan McKinley, a successful CRO must be able to deal with complexity and ambiguity, and understand the bigger picture.
James Lam, a noted risk professional, is credited as the first person to coin the term. Lam is the first person to hold that position at GE Capital in 1993. The position became more common after the Basel Accord, the Sarbanes-Oxley Act, the Turnbull Report.
A main priority for the CRO is to ensure that the organization is in full compliance with applicable regulations and to analyze all risk related issues. They may also be required to work alongside other senior executives such as with a chief compliance officer. They may deal with topics regarding insurance, internal auditing, corporate investigations, fraud, and information security. The responsibilities and requirements to become a chief risk officer vary depending on the size of the organization and the industry, however most CRO's typically have a masters-degree level of education and 10 to 20 years of business-related experience, with actuarial, accounting, economics, and legal backgrounds common. There are many different pathways to become a CRO but most organizations prefer to promote their own employees to the position internally.
A chief risk officer (CRO) is relatively considered a newer position in the board of directors. When comparing the function of a CRO to the rest of the officers, we find that there is a relationship with every other role. In other words, for a process in any department in a firm to be completed it has to be discussed with a CRO to clear it of potential risks. In general, the CRO has many crucial tasks to look for in any organization to better serve its needs and mitigate its risk. According to the Enterprise Risk Management Initiative, CROs need to find a way to balance risks and inventory decisions to obtain an optimum level for stakeholders and maintain a positive reputation regarding the firm. However, the job description of CRO there is more in depth, there are some general tasks which every CRO has to be familiar with, such as, understanding the concept of Enterprise Risk Management (ERM).
A Chief risk officer must identify, assess, measure, manage, monitor and report every aspect of the risk function of new implementations of the firm. This task is important when translating business requirements of the firm into business/reporting and system specifications. Also, the CRO's assistance is necessary when it comes to new developments. Risk Chiefs must be leaders in developing and improving management reporting as well as providing user training for in-house developed systems. In addition to developing policies and frameworks, the CRO is responsible for training and supervision of employees. Another important task is managing the development of new risk policies and procedures and participating in local and global discussions to enhance security processes and standards.
The role of the CRO is still evolving as the scope of task is constantly changing. The increasing regulatory and legislative requirements of organizational compliance makes the CRO to one of the most important member of the management team. To be able to view risk in the context of the whole company and to organize different risk functions and task through the different entities of the organization, is inevitable to the success of any structural planning.
The title of a CRO is a fairly new position in a company that is continually evolving. The responsibility of a CRO can be supported by the CEO or CFO. However, having an independent position to mitigate risks close to the executive board is a real asset for the company. Although the title of CRO is fairly new, job titles such as CFOs and CEOs also have functions of a CRO. Related positions of a CRO include CEO, CFO, Chief Risk Management Officer, Risk Manager and Capital Manager. Although these related positions don't necessarily replace a CRO, they do hold job functions that are similar to those of a CRO.
Some names can be cited as examples of Chief Risk Officer. This new position is found in many different industries. The major one is in the financial sector. For instance, Craig Broderick is the CRO of Goldman Sachs in the United States with nine years of experience, Joachim Oechslin works for Credit Suisse in Switzerland as CRO and Thomas Wilson ensures to mitigate risk at Allianz in Germany. Companies in other industries have hired CROs in order to become more competitive. For example, Stefano Rettore is the CRO of Archer Daniels Midland while being a member of the executive board. Vijay Patil has more than ten years of experience in this function and is the CRO of Yamaha.
On August 1993, James Lam became the first worldwide CRO at GE Capital. He is called the inventor of the ERM model. As a CRO, Lam's responsibilities were to mitigate the risks of the company. He managed the credit risks, market risk, risk transfer and hedge risk. In 1995, a few company executives started to hire CROs in their organizations. But the demand was still low in the CRO position. In 2002, the US government released a new law which influenced the CRO industry significantly. The Sarbanes Oxley Act which gets popular with 2004 says that directors or executive are more severe against counterfeit of financial corporate information. By hiring CROs, companies have started to protect the executives more. Ten years later, 2005, almost all big companies that were making sales over a billion dollar hired a CRO in their enterprise. These companies were almost in a difficult environment and that's why they began to recognize the importance of a CRO. Another boost for the CRO role was the financial crisis in 2008. Many companies became bankruptcy and many jobs were destroyed. After these events, more and more CROs were hired. With the increase in regulation in the economy, the position of the CRO is gaining more importance. The worldwide globalization is also increasing the importance of CROs. As of 2017,[vague] there are more than 1000 CROs worldwide. Most of them come from the financial service, energy or commodity industry. In the future, the importance of the CRO will be measured by the complexity of the compliance risk.
The characteristics and qualifications of a Chief Risk Officer are dependent on the industry and the type of the business they are working in. For example, if the CRO were involved in the finance industry, a postgraduate education along with at least ten years of experience in accounting, economics, internal audit, risk management, strategic planning, or actuarial backgrounds would typically be a common characteristic along with many years in the banking sector. 
Along with their extensive knowledge of the rules and regulations in finance, they usually would have held a position in the first/mid-level management up to senior executive for their past qualification in the industry. Having to understand the compliance with government regulations such as Sarbanes Oxley of 2002, it is common for CRO's to have also held a Chief Financial Officer position prior to becoming a Chief Risk Officer. With their quantitative background in math, finance, and accounting - making the change to risk management would be a familiar experience. Whether in the technology, retail, healthcare, or finance industry - the qualities of a typical Chief Risk Officer are very similar throughout the industries. Their financial expertise will aid in creating reporting procedures that will monitoring any critical risks an organization may encounter.
Chief Risk Officer salaries vary widely, and depend on the company and status the specific CRO achieved.
The average pay for a Chief Risk Officer (CRO) with Regulatory Compliance skills in the US is about $162,274 per year[when?]. Risk Officers who work for banks earn slightly more at $180,970. Those managing risks for private corporations are paid a higher average salary of $216,000 annually.
Chief Risk Officers are in the bottom tenth percentile with a salary of $72,750. However, CROs with years of effectiveness and successful developments often pass the quarter million mark annually, so there is no earnings limit.
In the following some examples are given:
|Company||Chief Risk Officer||Salary|
Enterprise Risk Management, ERM, is a fairly new process of managing risk within a company. Although ERM has yet to be widely accepted as an industry standard since there are various definitions as to what ERM exactly is, more recognition and acceptance of ERM has been shown. There are seminars dedicated to ERM explaining the process and providing examples of applications while also discussing advances in the field. Papers on ERM are also beginning to appear in journals and books which are starting to be published. Some universities are even starting to offer courses regarding ERM and the process.
A definition provided by the committee of Sponsoring Organization of the Treadway Commission (COSO) in 2004 defines ERM as a process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be with its appetite, to provide reasonable assurance regarding the achievement of entity objectives.
Another definition provided by the International Organization of Standardization (ISO 3100) defines ERM as coordinated activities to direct and control an organization with regard to risk.
According to James Lam, the definition of ERM is a value added function can be described as the inclusive and cohesive framework for managing key risks in order to achieve business goals, mitigate unexpected earnings unpredictability, and increase firm value to reduce risk which is a variable that can cause deviation from an expected outcome.
According to James Lam, author of the book “Enterprise Risk Management,” there are several primary benefits of using ERM: 1) enhanced organizational effectiveness, 2) increased efficiency in terms of risk reporting, 3) improved business performance.
Organizational effectiveness helps address special and specific risks by creating the top-down coordination needed to form an integrated team suited to handle both independent risks and interdependencies between risks. Moreover, ERM has been said to increased risk management awareness allowing for more efficient operational and strategic decision making. This is done through the appointment of a chief risk officer and the establishment of an enterprise risk function.
Risk reporting assists both the chief risk officer of an organization and the board of governors in identifying key risk factors that may prove detrimental to the company in both the present and the future. Thus, ERM enables senior management to identify, measure, and limit to acceptable levels the net exposures faced by the firm. Being able to create risk transparency allows a firm to better hedge against those particular risks or avoid them all together.
Better business performance is yet another benefit of using ERM. Companies that adopt an ERM approach have seen improvements in areas requiring key management decisions from capitol allocations to product development and pricing to mergers and acquisitions. As a result, this leads to the benefits and improvements gained from utilizing an ERM approach can be seen in the form of loss reduction, improved shareholder value, decreased earning volatility, and an increase in the firms’ earnings.
The ERM model implies the leadership by an individual who is responsible for the development and implication of an ERM strategy and assists the senior management in terms of risk management. In order to do this a CRO sets up a risk management framework and policies based on the ERM strategy. Furthermore, the CRO implement reports and risk indicators to communicate the risk culture throughout the firm. These reports assist the CRO in creating a risk profile. The CRO communicateS the firm's risk profile to the key stakeholders such as the CEO, the board of directors and business partners. The optimizing of the risk portfolio is another assigned task by the ERM. The CRO advises for firm projects from a risk management point of view and uses regulations and risk transfer strategies in order to mitigate the risk.
ERM vs Silo
ERM: An ERM requires an integrated risk organization what normally means, that a centralized risk management unit has to report to the CEO and the board of directors. The Chief risk officer in an ERM is responsible for knowing and gathering information over all the different aspects within an organization. He takes a portfolio view of all types of risks within the company. In an ERM approach the use of insurance and alternative risk transfer products is only considered if the risk seemed undesirable or unwanted to the management. Integration of risk management in the whole company's business process becomes necessary. The ERM optimizes business performance by influencing different aspects like pricing and resource allocation. There are three major benefits connected to the use of the ERM approach and the CRO as liaison: Due to the fact that a CRO and an integrated team can better manage individual risks and interdependencies between these risks, the use of an ERM leads to an increased organizational effectiveness. Apart from this fact, a better risk reporting can be reached by prioritizing the content of risk reporting that should go to the different instances like the senior management or the board of directors. A side effect of this information prioritizing is a much better transparency throughout the whole organization. Last but not least you can also reach a better overall business performance in the company. This is only possible if the risk management team uses an ERM approach and supports key management decisions like pricing, product development or Mergers and Acquisition. Given the support, there will be several benefits like increased earnings and improved shareholder value. An ERM can combine and integrate several risk silos into a firm-wide risk portfolio and can consider aspects as volatility and correlation of all risk exposures. This can lead to a maximization of the diversification's benefits.
SILO: Under a Silo approach, risk transfer strategies are executed under a transactional or individual risk level. As an example insurance can be mentioned, which transfers out operational risk. Risk assessment and quantification processes are not integrated. Value-at-risk models are used to quantify the market risk and credit default models are used to estimate credit risk. Both specific models could be used independently, still: that it is not the case in the Silo approach. There are different effects that can be caused by this less integrative model: Over-hedging and far too much insurance cover can be a result of not incorporating all the different kinds of risk and their wide diversification. Another characteristic of the Silo approach is the continuous fighting of one crisis after another without having an integrative concept or a specific individual that can be held responsible. No one specifically takes responsibility for aspects like the overall risk reporting or other risk-related unit supplies. Further more there is another aspect that shows a weakness of this model: Having different organizational units to address every specific risk that then first has to be segmented in the company definitely speaks for a less effective technique. In the Silo approach the different business units use various methodologies to track counterparty risks. This can become a problem, if you look at the total counterparty exposure: it can get too great to be managed by all the different business units.
After a near miss or an actual crisis managers are often alarmed and focus more on all aspect of risk during the ongoing inspection. They are looking at aspects like the compliance risk and they are reinforcing important roles for the board. All these actions often lead to the naming of a risk champion who is then responsible for developing and establishing an ERM approach. In many companies the risk champion is becoming more and more a formal senior management position: the CRO. One of the important function of a risk champion that should be mentioned is his/her support to legitimize the implementation of the risk management itself. Apart from this fact he also helps the institution follow its objectives and better site it for the future. Further more he is also responsible for communicating its benefits. Normally a risk champion should have the different characteristics like skills, knowledge and leadership qualities, necessary to handle all the different specific aspects that can occur in the process of risk management. Other aspects that should be mentioned considering the responsibilities of a risk champion is his duty to intervene in instances where risk management efforts are actually disabled. This can be caused by the management itself or a lack of institutional skills. Additional he also provides support to the whole risk management process if a problematic, complicated risk occurs. In this case he can use the multiple participant approach. Assisting the risk owner, but not assuming his or her role to help find a solution for his/her problem is also one of the many duties a risk champion has to face. In some studies the risk champion is described as some kind of troubleshooter who alleviates risk related problems. After all you can summarize that the risk champion hast to be integrated into the company's ERM approach and by this contribute to the institution's goals and objectives.
The Sarbanes-Oxley Act
The Sarbanes-Oxley Act is a US act of 2002. In response to various financial scandals, the U.S. Congress passed the Sarbanes-Oxley Act. This act also can be called Sarbox or Sox. First of all, Sarbanes-Oxley sought to enhance the integrity of corporate financial reporting and better regulate the accounting profession. The Sarbanes-Oxley Act applies for every company which is registered by SEC; therefore, international companies are included as well.
Furthermore, it regulates and set standards for companies to protect shareholders and the public from accounting errors as well as generates more transparency between reporting and the markets.
Thus, the Sarbanes-Oxley Act enhanced corporate financial reports and made several reforms in the accounting profession. Enhancements occurred in the financial statements; therefore, the Sarbanes-Oxley Act requires a company's executive chief officer and chief financial officer to clarify the precision of its financial reports. Moreover, to ensure the mentioned accuracy of financial reports, internal controls are required. Accordingly, each financial report required an internal control report to prevent fraud. Furthermore, the CRO has to be aware of everything occurring in his company on a daily basis, but he must also be current on all of the requirements from the SEC. In addition, the CRO restrains corporate risk by managing compliance.
Why is a CRO so important in financial institutions?
There is a report of having a CRO from 93% of all financial institutions that have more complex operations. A few institutions also established a chief compliance officer position. Integrating risk and finance can lead to getting more successful results and achieving strategic goals. Due to the fact that by using both: CRO and CFO, both skill sets are brought together. This can lead to the fact that the CFO's pressure is relieved and he can focus more on helping organizations direct their activities and find new opportunities to growth. The CEO of Zions Bancorporation, Harris Simmons once wrote that there would be an „uncontested need for an independent risk management in large banking organizations“. But in his opinion “covered companies should be allowed a measure of flexibility in determining how such an organization should be structured”. According to Thomas Stanton, author of „Why Some Firms Thrive and Others Fail“, one of the differences between a company that was successful and another one that was not successful during the financial crisis, was their „application of a constructive dialogue“. On the one hand there were the employees who were responsible for making money by selling products and financial services and on the other hand there were the ones responsible for limiting risks. Due to the fact that bank regulators have actually encouraged banks now for a longer time to adopt an enterprise risk management approach, the need of a CRO to manage risk across the whole organization has increased. You can see a close coordination between Finance and Risk Management if you take a look at how a risk model is developed. Data of the risk model are often “created by finance” and their outcomes exert influence on the financial reporting. Here you can clearly see the interdependencies. Its no longer the case that risk and finance can be seen independent. The integration between finance and risk platforms may also relax different aspects like calculation or the integration of Data. After all it can be said, that the banking industry would rarely need this systematic approach today if it would have employed more chief risk officers before the financial crisis began.
COSO, a Committee of Sponsoring Organizations of the Treadway Commission, uses the concept of Enterprise Risk Management for the first time. In this context, they published in 2004 the Enterprise Risk Management—Integrated Framework. In the past years the complexity of risk has changed, and new risks have emerged why COSO published in 2017 the updated framework of ERM. This framework includes five interrelated components which are found in the most ERM frameworks.
Governance and Culture establishes organizational processes and defines desired cultures to measure and manage risk across the company. The result is a top-down risk management.
Strategy and Objective-Setting formulates business objectives which put strategy into practice. The business objectives are a basis for identifying, assessing, and responding to risk. Also, Strategy and Objective-Setting analyzes business context, defines risk appetite and evaluates alternative strategies.
Performance identifies, assesses severity, and prioritizes risks which may impact the achievement of strategy and business objectives. Later, the company selects risk responses and develops a portfolio view. In the last step, the results are reported to key risk stakeholders.
Review and Revision consider how well the enterprise risk management components are functioning over time. Also, it reviews risk and performance, and, if necessary, improves the company and their risk management.
Information, Communication, and Reporting. To communicate risk information and create reports on risk, culture, and performance to the company's key stakeholders.
The Sarbanes Oxley Act, which was created in 2002 to prevent corporate fraud, was the reason for the rise of the importance of corporate governance. Hence the ERM requires that the following management responsibilities be assigned: to define a firm's “risk profile”; this means it is required to evaluate the firm's willingness to take risks and threats and the possible outcomes. This is important to determine proper investment asset allocation. Also, to ensure firm has necessary risk management skills. Risk management skills involves the risk management process which consists of 5 steps: risk assessment, risk analysis, risk treatment, risk acceptance, and risk communication. Thirdly, to establish the organization's structure with all roles and responsibilities. This involves assigning different enterprise risk management roles throughout the organization, and establishing a clear hierarchy structure.
Risk management integration also plays an important role in corporate governance. This means identifying the degree of harm derived from a certain threat or risk and balancing the costs and benefits of the possible methods to eliminate or reduce the risk. It is crucial to establish risk assessment and audit processes to avoid corruption within a corporation's risk management process. There must be auditor's who authorize the decisions of the risk managers before they are implemented.
Setting the risk culture of the firm starting at the top: The CEO is an important step in corporate governance. Establishing a hierarchy chart for the company's risk management roles is a critical step to ensure clear communication of the tasks and duties in the ERM process. It is also important to create an ongoing employee training program; a strong employee training program means there is less employee mistakes therefore less money wasted within the corporation, and this could also avoid big issues such as bankruptcy or bad company reputation.
Using the concept of Line vs Staff Positions in the Firm ERM means that in certain situations the line managers should seek advice from the staff beneath them. Using the Line Vs Staff concept does the following: aligns the production process with the corporate risk policy, incorporates expected losses and cost of risk capital into production pricing and the hurdle rate, and creates an efficient and transparent risk review process to give production managers better understanding of acceptable risks.
This should help reduce the volatility of the company's earnings, thus enhancing shareholder value. With an organized approach to risk, a firm can better manage its risks and returns to make more informed decisions about capital and investments.
ERM requires that management act as a portfolio fund manager who identifies the firm's risk profile which is essentially a representation at a given point of time of an organization's overall exposure to risks. ERM also requires that management set risk limits within a range of risks. When risk taking is authorized, risk limits are bounds placed on that risk-taking decision.
ERM produces diversification benefits for the company. Diversification benefit arises when two processes are not completely dependent on each other, and a bad (good) outcome for one process does not necessarily mean a bad (good) outcome for the other. Dependency and diversification are opposite sides of the same coin; when the strength of a dependency is increased, the level of diversification benefit is reduced.
One part of the ERM Model is risk transfer. Per the terms and conditions the CRO must decide to spread the risk to an external party or to retain the risks. If he spreads the risk then it moves to an external party, but it can also go to a subsidiary. In general, the companies transfer risk by purchasing different kinds of insurance. The three favorite types of insurance are workers' compensation, general liability, and property / casualty insurance.
Stakeholders are all individuals or groups of people who are in contact with the company. As the need for information grows in importance, management must respond to better risk visibility for the stakeholder groups. These include employees, customers, supporters, offerers, business partners, creditors and other stakeholders. Stakeholder managers provide useful information about the risk situation and financial position to stakeholders so that they can make the right investment decisions.
The chief risk officer (CRO) is a senior executive officer that reports to the CEO and/or the board of directors. The CRO manages the risk management department and provides information to help mitigate internal and external risk factors of the company and ensures that the company is in compliance with government regulations.  Even though the CRO is a senior executive officer in the company, there are several limitation in what the CRO is able to control. While heading the risk management department the CRO is allowed freedom to control and mitigate risk when it does not require a large demand. When the potential for risk is large, the CRO must report to the CEO and/or the board of directors for future action. Although the CRO's job is to minimize the potential risk in the company, risk as a factor cannot not be eliminated fully from a company.
The introduction of the Sarbanes-Oxley act (SOX) has promoted the need and adaptation of the CRO role. A main priority of the CRO is to ensure that the company complies with SOX to ensure they are following government regulations. SOX introduced new legal regulations that becomes legal and compliance risk(s) for companies. With the introduction of SOX, the corporate officers could be held liable for failure to produce accurate financial reports and standings in the company. The CRO's job is to help the company become compliant with government regulations, transparent, and help mitigate risk for the company.