What is a chief risk officer (CRO)?
The chief risk officer (CRO) is the corporate executive tasked with assessing and mitigating significant competitive, regulatory and technological threats to an enterprise's capital and earnings. The position is sometimes called chief risk management officer or simply risk management officer.
Organizations have long been concerned with business risks that can threaten productivity and profitability. However, in recent decades the formalization of those efforts in the form of enterprise risk management (ERM) led by a dedicated CRO gained momentum in the wake of regulatory requirements such as the Sarbanes-Oxley Act of 2002. Concerns fueled by legislation such as the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 have made the CRO position even more important in the C-level hierarchy.
Most large businesses and organizations that are classified as "critical infrastructure," such as financial institutions and energy providers, now have mature ERM programs led by a CRO or equivalent-level executive.
In addition to compliance risks, CROs are typically concerned with issues such as insurance, IT security, financial auditing, internal auditing, global business variables, fraud prevention and other internal corporate investigations.
The CRO is responsible for implementing operational risk management and mitigation processes to avoid losses stemming from inadequate or failed procedures, systems or policies. Operational risk management includes business continuity and disaster recovery planning, developing information security processes and managing the governance of regulatory compliance data.
The CRO is typically focused on the following four broad categories of risk that face any organization:
- compliance risk, which involves the organization's mechanisms for identifying and meeting its responsibilities under the laws, rules and regulations that apply to it;
- operational risk, which includes elements such as business interruption, labor issues, technology problems and vendor turnover that could impact its ability to transact business;
- reputational risk, or any element that could harm the organization's brand image, recognition, standing and value among its employees, shareholders, customers and the public at large; and
- strategic risk, which encompasses anything that could impact the organization's ability to execute its strategy.
CRO roles and responsibilities
Generally, the CRO is responsible for the company's risk management operations, including oversight of its risk identification and mitigation activities.
A typical CRO must consider a broad scope of potential risks.
There are risks from physical dangers that could impact workers. For example, the CRO of a company that has warehouses typically must analyze and mitigate the risks posed to employees who operate or work alongside heavy machinery.
There are geopolitical and environmental risks. CROs in global companies must consider how political instability and natural disasters could disrupt operations and harm workers, and develop strategies to protect against such events.
And there are risks associated with information technology, which has become integral to business processes. The CRO is increasingly involved with analyzing and mitigating the risks posed by hackers and data breaches. Information protection strategies and risk assurance efforts have become a key part of the CRO's job, as has the ability to identify vulnerabilities and threats to the company's data networks.
The CRO also ensures that the organization complies with regulations, such as Sarbanes-Oxley, and any other rules and laws that govern its internal processes, external engagements and sales.
Because the possible risks to an organization stem from different business functions and often cut across divisions, CROs must collaborate with the other senior executives to identify areas of concern, devise mitigation processes and monitor changes in the risk landscape.
Other CRO responsibilities include the following:
- developing risk maps and strategic action plans to mitigate the company's primary threats;
- monitoring the progress of risk mitigation efforts;
- developing and disseminating risk analysis and progress reports to company executives, board members and employees;
- integrating strategic risk management priorities into the company's overall strategic planning;
- developing and implementing information assurance strategies to protect against and manage risks related to the use, storage and transmission of data and information systems;
- evaluating potential operational risk stemming from employee errors or system failures that could disrupt business processes, then developing strategies to reduce exposure to these risks and respond effectively;
- determining the company's risk appetite and quantifying the amount of risk it should take on;
- overseeing funding and budgeting of risk management and mitigation projects; and
- communicating with company stakeholders and board members about the business's risk profile and assessments.
Additionally, they might conduct due diligence and risk assurance on behalf of the company during business deals, mergers and acquisitions. For example, the CRO might investigate the risks surrounding a company that is being targeted for acquisition and assess the reliability of its risk management frameworks and processes.
Required skills and qualifications
The chief risk officer's job description and qualifications will vary depending on the industry and size of the organization. For example, the CRO of a banking firm will require familiarity with financial compliance requirements, fraud prevention and potential threats to monetary transactions.
Nevertheless, the CRO job is a high-level executive position that requires an advanced education, extensive experience and proven business, managerial and interpersonal skills.
CROs typically have a post-graduate education, with a master's degree in business administration often preferred. They usually have more than 20 years of experience in accounting, economics, legal or actuarial work, and many have specialized training in risk management.
Some CROs also have experience working in or with the information technology or cybersecurity teams, as online risk mitigation has become so vital to corporate success, particularly for digitized companies.
Many CROs worked as auditors, accountants, financial analysts, loss prevention officers, operations managers, risk managers and security analysts. Some were IT managers, chief information officers or chief information security officers.
Additionally, the ideal CRO candidate has experience working with executive teams, conducting internal audits and reporting to a board of directors.
To successfully identify and assess risks and develop mitigation strategies to reduce those risks to acceptable levels, a CRO must have the following skills:
- strong quantitative and analytical skills to run the necessary calculations;
- finance and accounting skills, to understand the impact of various risks on the company's budget and revenue;
- people or "soft" skills for collaborating with, influencing and educating employees and fellow executives about risk-related issues;
- an understanding of digital and corporate technology systems, networks, IT infrastructure and cyber threats;
- presentation skills, which are critical for conveying complex risk concepts in a manner that audiences with varying degrees of expertise can understand; and
- communication skills, for advocating effectively for strategic efforts to reduce the organization's risk exposure.
Salary and job outlook
The 2020 State of Risk Oversight from the Enterprise Risk Management Initiative at North Carolina State University reported that 54% of large organizations and 58% of public companies said they have a CRO.
Risk experts predict the CRO position will become even more commonplace as organizations face more threats and an increasingly complex risk landscape.
The U.S. Bureau of Labor Statistics groups the CRO position with other positions in its top executive category, with median annual pay of $107,680. Overall employment for top executives is projected to grow 8% from 2020 to 2030, which is on par with the average for all occupations.
The BLS outlook for financial managers (a category that also includes risk managers) is rosier, with a median annual pay of $134,180 and projected job growth of 17% between 2020 and 2030.
Meanwhile, the online career site Indeed puts the average annual base salary for a CRO at $132,008. Payscale puts the median pay at $159,000.
CRO courses and certifications
CROs don't need a license like certified public accountants do. Nor do CROs need specific college degrees or certifications.
However, there are numerous programs aimed at training people to become CROs and offering existing CROs advanced education. Here's a sampling:
- the chief risk officer certificate from Carnegie Mellon University's Heinz College;
- the master's degree in risk management from New York University's Stern School of Business;
- the master's program in business analytics and risk management from Johns Hopkins Carey Business School;
- Loyola University's master of jurisprudence (MJ) program in compliance and enterprise risk management;
- the enterprise risk management graduate certificate from Boston University’s Metropolitan College; and
- various training programs from ISACA, an IT governance association.
FAQs about the CRO role
Why is a CRO needed in an organization?
Every organization faces a host of threats and risks that could negatively impact its operations and stakeholders (shareholders, employees, customers and the broader community). Some risks could even threaten the organization's very existence. Moreover, these risks are evolving fast and getting more complicated. They can be particularly complex at large, global or publicly held companies. Having a CRO with the education and experience to identify, assess and mitigate such risks is critical for these organizations.
What is the CRO's role in ERM?
The CRO oversees the enterprise risk management function and sets its strategic direction and tactical implementation. As such, the CRO has responsibility for securing the necessary resources -- funding, talent and tools -- to carry out the ERM mission and line up support from the other executives and key employees.
Who does the chief risk officer report to?
The chief risk officer typically reports to the CEO or board of directors.
How will the CRO role evolve in the future?
The CRO position is becoming more critical for organizations of all sizes as the number and severity of risks continue to rise.
These evolving risks, including new ones that come with emerging technologies, are putting more pressure on CROs and their risk teams to advance their organizations' enterprise risk management functions.
Consequently, the CRO must work toward continuous improvement of the ERM function, perfecting its processes, adopting best practices and implementing new tools. These steps help to ensure that the organization is continually identifying all possible risks, analyzing them for potential impacts, devising appropriate mitigation tactics and monitoring their execution.