Not appointing a CRO? Might be risky business

New report makes the case for welcoming chief risk officers to the C-suite.
Written by Bob Violino, Contributor

Organizations already have a lot of C-level executives, do they really need another one? A new report from consulting form Deloitte makes the case for appointing a chief risk officer (CRO) to oversee risk management.

Also: Cyber security: Your boss doesn't care and that's not OK

As part of its research, the firm surveyed 500 senior executives in the US, including 100 with the title of CRO or equivalent, 100 not primarily responsible for risk, and 300 in risk-related functions such as IT and operational risk.

More than 90% of the survey respondents think risk management is becoming more important to achieving their organization's strategic goals. Given its importance, the study said, it makes sense to have risk management present in key C-suite and board meetings. Risk management functions include such areas as regulatory compliance and cyber security.

Only 38% of the responding CROs and risk managers said they have a great deal of input to C-suite or board decisions, however. Appointing a true CRO to the C-suite recognizes that risk is a senior-level concern, the report said.

The survey results led to four key findings, according to Deloitte. One is that organizations that invest in risk man­agement -- and specifically link risk management to the attainment of the most important strategic and financial goals -- typically achieve higher relative growth.

Organi­zations with highly integrated risk programs integrated across the enterprise are seeing value from risk management, the report said. Such organiza­tions typically exceed profitability targets more often and achieve higher growth than those companies with less integrated programs, which might struggle to realize value and achieve desired outcomes.

A second key finding is that risk management has become elevated and more strategic in most orga­nizations. Most executive teams grasp the importance of risk management in the attainment of corporate goals and the value of more strategic approaches, the study noted. In addition, CROs are pursuing more strategic roles in the organization.

Another main finding is that the case for appointing a CRO or equiva­lent executive who reports to the C-suite or board is strong. Those organizations that give risk management a seat at the table at C-suite and board meetings are more likely to have high-performing programs.

And a fourth major finding is that organizations have clear opportunities to cost-effectively enhance risk man­agement through technology. Although technology can enable risk modeling, tracking, and sensing, many risk management func­tions are not these technologies enough.

Also: Forgot password? Five reasons why you need a password manager

In particular, the CROs who were surveyed rate risk identification and risk assessment, activities that technology can readily support, as among the most time-consuming risk management activities.

About three quarters (73%) of high-performing risk programs that have risk management represented in executive management meetings most or all the time are more likely to exceed performance goals and achieve higher growth.

"Many organizations have, to varying degrees, upgraded and restructured their risk management functions, yet there is ample opportunity for continued improvement," said Chris Ruggeri, risk intelligence practice leader for Deloitte Risk and Financial Advisory and principal in Deloitte Transactions and Business Analytics LLP.

"We found that the lack of awareness of risks, particularly strategic risks, and leaders not using the tools available to manage them, can greatly undermine the achievement of strategic goals."

Data leaks: The most common sources

Editorial standards