Expert Commentary

Implementing Enterprise Risk Management: The Emerging Role of the Chief Risk Officer

Jerry Miccolis and Chuck Lee discuss the CRO approach, profile, where to find one, and how this individual should fit into the structure of the organization to make ERM a living reality.


Enterprise Risk Management
January 2002

Throughout this series of articles, we've argued that while executives see the value in the principle of managing risks holistically, they have been relatively slow to adopt and implement actual enterprise risk management (ERM). One reason for their hesitation has been their dissatisfaction with the tools and processes they believe they have available to manage risk at the enterprise level.

We think that concern is being addressed by the development of the kinds of tools and approaches we've described in this series, including sophisticated risk modeling that can account for both financial risks and operational risks. But there is another reason that executives have been slow to implement ERM. They have not been certain about how to make it fit into the structure of their organizations: where it should fit, who should be responsible for it, and what exactly the organizational role should be.

The Organizational Challenge

From an organizational standpoint, the traditional approach to managing the various risks to which the organization is exposed was to treat them separately, appointing someone to manage each risk. Managing a particular kind of risk became the job of individual specialists. Doing that job well meant focusing exclusively on "their" particular kind of risk.

Executives have long tolerated this segmented approach to risk management, but they have never been really satisfied with it. From their perspective, it ignores the interdependence of many risks. It erects barriers to exploiting natural hedges among the risks and sub-optimizes the treatment of total risk.

They've known that if it were possible to address all risks on a consistent basis, they would improve the efficient use of their capital. They would also make better strategic decisions, and be better informed about taking on risks to create value.

What's been missing for many organizations—and perhaps the reason ERM has yet to truly take off—is the appropriate organizational structure to implement an ERM system. At a minimum, that means getting all the disparate risk managers to work together closely. This often has taken the form of a multi-disciplined ERM Committee. For other organizations, the organizational solution has meant appointing a Chief Risk Officer (CRO).

The CRO Approach

In recent ERM surveys we have undertaken [1], including one for the Institute of Internal Auditors, we have found that, worldwide, fewer than one-third of companies practicing some form of ERM have a CRO (the proportion is smaller in the United States than in Europe), and almost half of these CROs have been in place for a year or less.

The relatively small number of organizations that have taken the step of appointing a CRO suggests that it is not a trivial matter. The problem has been determining just what this new creature should look like. That is, what's the right role, the right responsibilities, and the right competencies for a CRO?

Moreover, CROs come from a wide variety of disciplines. According to our surveys, they are auditors, actuaries, financial engineers, strategic planners, lawyers, investor relations specialists, line operations managers, hazard risk managers, even HR specialists.

The CRO Profile

As the survey results on the "sources" of CROs suggest, at first look, it seems the CRO should be a master technician, one who commands the technical expertise of every subdiscipline of risk management in the organization, from credit risk, to market risk, to operational risk.

But that is not the case. In the first place, that model of universal expertise exists in very few, if any, individuals. In the second place, the sheer accumulation of analytic detail for all the company's risks—even if that came in one head—is not really what the organization needs.

Also, conceiving of the CRO as the "analyst's analyst" can actually create organizational resistance to the goal of managing risks holistically. Individual risk managers may view the position as a threat to them—either a direct threat as a position that would replace theirs, or an indirect threat as a position that would diminish their importance to the organization—even if this concern were unfounded. In hedging the perceived risk to their own jobs, individual risk managers may—consciously or unconsciously—create barriers to ERM.

What is required is someone to coordinate the company's risks and risk management efforts, someone who can bring senior managers consistent, reliable analysis and make recommendations that fit well with the organization's business strategies. It is more a synthetic than an analytic task. Where the CRO position has succeeded in both meeting senior management's needs and overcoming organizational resistance, it has been defined not as a master technician but as a leader, facilitator, and integrator. In this role, the CRO serves as a coordinator, more than a manager, of risks. He or she is a communicator who can facilitate dialog among the individual risk managers, both reassuring them of their individual value to the organization and maximizing that value.

As a key member of the senior management team, the CRO is a peer and adviser to the rest of senior management who can translate risk management into the terms that matter to their key stakeholders (i.e., stockholders, employees, customers), such as the effect of risks and risk management on capital, growth, return and consistency.

The goals of the CRO are equally holistic and integrative:

  • To create a risk-aware culture
  • To formally bring consideration of risk into strategic decision-making
  • To develop a center of excellence for managing risk, drawing on the expertise of highly skilled individual risk managers
  • To communicate to stakeholders and be an adviser to other executives and managers

The competency profile of the CRO matches the role and goals. The CRO needs to be a comprehensive, integrative thinker, with a thorough knowledge of the business and the ability to build strong partnerships with business and corporate staffs. And, perhaps most importantly, the CRO is someone who can communicate clearly in understandable language, and who facilitates and coordinates rather than functioning as a technical manager of risk.

Where To Find a CRO

So, where do companies find this model CRO? As suggested in the survey results cited earlier, CROs come from a variety of disciplines. There are two disciplines in particular, however, that have made educating their members in ERM a priority of professional development. Both the Institute of Internal Auditors (IIA) and the Casualty Actuarial Society (CAS) have made the commitment to such education.

The IIA has conducted studies of ERM best practices and begun to define what those practices imply about the future roles of their members. And the CAS, through investigations such as its own ERM survey, has identified the gaps between the current and desired ERM knowledge of its membership, and gone on to determine the methods, priorities, and timetable to implement a research and education agenda for its members—so they will be prepared to take on this role.

Within a short time, then, companies will not only have available to them the right tools to make ERM a living reality—they will have the right people to use those tools and to manage ERM professionally. ERM, then, will no longer be a promising idea. It will simply be the way to do business.


[1] See the following:

  • Trends and Emerging Practices in Enterprise Risk Management, Tillinghast-Towers Perrin for the Institute of Internal Auditors
  • Enterprise Risk Management in the Insurance Industry: 2000 Benchmarking Survey Report, Tillinghast-Towers Perrin

Charles R. Lee is a consultant with Tillinghast-Towers Perrin. He is a principal of Towers Perrin and a member of Tillinghast-Towers Perrin’s North American Management Team, managing its Dallas office. He graduated from the University of Iowa in finance/insurance and industrial relations and holds the Chartered Property and Casualty Underwriter (CPCU) and Associate in Risk Management (ARM) professional designations. At the time of the Tillinghast and Towers Perrin merger in 1986, Mr. Lee managed Tillinghast’s Dallas risk management practice. Prior to entering the consulting business in 1975, he was an account executive with a brokerage firm and an underwriter and district manager for the Kemper Insurance Group. He is the author of numerous articles for finance and insurance-related publications, and conducts speaking engagements throughout the country. Mr. Lee can be reached at


Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.
