Chief Risk Officer: What is a CRO? (and Why You Need One)
Learn about the Chief Risk Officer role in Data Protection 101, our series on the fundamentals of information security.
What is a CRO (Chief Risk Officer)?
The Chief Risk Officer is a C-suite executive who is tasked with the identification, analysis, and mitigation of events that could threaten a company. These risks could be internal or external in nature.
The CRO helps ensure that their organization is compliant with regulations set forth by the government, including the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 and the Sarbanes-Oxley Act. The CRO also reviews different factors that could adversely impact the company’s investors or the performance of its business units.
Another name for the CRO is the Chief Risk Management Officer.
What Does a Chief Risk Officer Do?
A Chief Risk Officer is tasked with looking out for a variety of risks that can be categorized into three groups: technical, regulatory, and competitive. A CRO must also monitor procedures that might give rise to risk exposure. For instance, if a company collects data from their customers, suppliers, or other third parties, they will need to make sure that all that data is safe and kept confidential. If there is a security lapse, the CRO would need to address the issue to ensure that it does not happen again.
There are also physical risks involved. For instance, if a company sends employees to somewhat dangerous areas, then the CRO will need to create procedures and policies that will address these added threats. In a warehouse facility, the CRO will be tasked with ensuring that the staff is kept out of harm's way.
Because a company’s operating environment is always changing, the CRO must always have a plan of action to proactively and reactively manage these risks. Sometimes, that can even mean modifying established policies and procedures on the fly in order to address vulnerabilities and risks.
Chief Risk Officer Responsibilities
A CRO leads efforts to reduce business risks that can put an organization's profitability and productivity at risk. They also spearhead efforts related to enterprise risk management.
A Chief Risk Officer is responsible for implementing policies and procedures to minimize or manage operational risks. They are also tasked with coming up with mitigating processes to help minimize or avoid losses that may arise when the systems, procedures, or policies in place are found to be inadequate – or if they fail entirely.
A CRO must manage compliance with regulatory requirements on a federal, state, and local level. They are also concerned with other security-related issues, including IT security, internal auditing, financial auditing, insurance, fraud prevention, global business climate changes, and similar corporate internal investigations. They may also become involved with disaster recovery and business continuity planning.
As one would guess, the responsibilities of a Chief Risk Officer largely depend on an organization’s size as well as its industry. The CRO is responsible for all risk management strategies and operations, as well as supervising the organization's risk mitigation and identification procedures.
In recent years, IT has become a big part of every business and naturally, the CRO needs to address the risks associated with data breaches and hackers. As such, the CRO is also concerned with risk assurance and data protection and has a hand in stamping out system vulnerabilities and other threats.
Aside from these, the responsibilities of a CRO include:
- Developing risk maps and formulating strategic action plans to help minimize, manage, and mitigate primary risks and then monitor the progress of these efforts.
- Creating and disseminating risk analysis reports and progress reports to different stakeholders, including employees, board members, and C-suite executives.
- Ensuring that risk management priorities are reflected in the company's strategic plans.
- Formulating and implementing risk assurance strategies that are related to the transmission, storage, and use of information and data systems.
- Evaluating possible operational risks that may arise from human error or system failures, which might disrupt or affect business processes. The CRO also develops different strategies to minimize risk exposure and designates appropriate responses for when human errors or system failures occur.
- Measuring the organization's risk appetite, and setting the amount of risk that the organization is able – and willing – to take on.
- Developing budgets for risk-related projects and supervising their funding
- Conducting risk assurance and due diligence on behalf of the organization in the events of mergers, acquisitions, and business deals.
The Incident Responder's Field Guide: Lessons from a Fortune 100 Incident Responder
Choosing Between a Chief Risk Officer and a Risk Committee
Most companies decide between having a Chief Risk Officer or having a committee that oversees risks. There are advantages to each.
Having a Chief Risk Officer communicates that the company is serious about risk management. Having an executive level professional working as a CRO illustrates to the rest of the employees how important risk management is.
Meanwhile, creating a risk committee means that a number of executives from different departments will be working to reduce and manage risk. It provides an opportunity for executives from sales, finance, HR, operations, and other departments to work together. Some organizations might opt to have a mix of both, with a Chief Risk Officer heading up the efforts of the committee.
Chief Risk Officer Qualifications
The CRO is responsible for identifying and assessing risks, and then developing modules and treatments to combat or minimize these risks. A successful risk manager has the analytical skills, quantification skills, and requisite expertise to do all these.
A Chief Risk Officer must also have outstanding people skills in order to properly educate employees and key personnel about risk while also facilitating dialogue and communication among different departments or groups of people.
Paul Zavolta, a former Director of Enterprise Risk Management at Alpha Natural Resources and a former Financial Risk Analyst at Eastman Chemical Company, says that you need to learn finance and accounting skills, and focus on event tree analysis.
Chief Risk Officers often have a postgraduate degree, preferably in business administration. Most CROs also have at least two decades of experience in economics, actuarial science, law, or accountancy.
Furthermore, risk mitigation has gone online, with Internet risks becoming more and more prevalent in digitized organizations. This is the reason why CROs should also have adequate knowledge of the organization’s technology, networks, and systems.
Chief Risk Officers are becoming increasingly commonplace among modern enterprises as the risk landscape grows ever-more complex. Having a single, highly qualified risk management professional to oversee efforts to reduce and mitigate risks is invaluable to a company’s overall security posture.