Chief Risk Officers and Management-Level Risk Committees
To what extent are organizations appointing individuals to lead the risk management process, including both Chief Risk Officers (CROs) and management-level risk committees?
Effective risk management requires strong internal leadership and a well-organized process to engage key stakeholders across the organization. Without these elements, even the best-designed enterprise risk management (ERM) programs are unlikely to achieve their full potential.
The appointment of Chief Risk Officers (CROs) and the establishment of management-level risk committees are becoming increasingly common practices among organizations aiming to enhance their oversight of enterprise-wide risks. These structures provide the leadership and collaboration needed to monitor risks and implement proactive management strategies.
Insights from Data
Our findings from the 15th edition of The State of Risk Oversight Report, which we publish annually in collaboration with AICPA, highlight a steady increase in the percentage of organizations appointing individuals to lead the risk management process and forming management-level risk committees:
- Rise of the Chief Risk Officer (CRO):
More organizations are appointing individuals to serve as CROs (or senior executive equivalents). Financial services organizations lead the way, with over half of large organizations and public companies following suit.
- Most CROs report directly to the CEO or CFO, providing them with access to critical leadership and decision-making channels.
- Growth of Management-Level Risk Committees:
An even higher percentage of organizations have established management-level risk committees.
- Over three-fourths of large organizations and public companies now have these committees in place.
- Most committees meet quarterly, with about one-fourth meeting monthly to discuss top risks and responses.
- Committees typically consist of senior executives representing diverse leadership roles, ensuring a cross-functional perspective on the organization’s risk profile.
These findings underscore the growing recognition of the importance of both CROs and risk committees in strengthening enterprise risk management.
Discussion Items for Management and Boards
Organizations should consider the following questions to evaluate the effectiveness of their risk management processes:
- Leadership Ownership:
- Who “owns” the design and implementation of our organization’s risk management process? Is this person the most effective choice for this critical leadership role?
- Access and Visibility:
- Does the individual responsible for leading risk management have direct access to the CEO and the board?
- Committee Structure:
- If we don’t have a management-level risk committee, could an existing executive committee assume this responsibility with dedicated agenda time to discuss risks?
- Improving Risk Committees:
- For organizations with management-level risk committees, what changes could be made to enhance the substance of meetings? How can we foster more meaningful dialogue about top risks?
- Engagement of Key Leaders:
- Are the right senior leaders involved in overseeing the enterprise’s risk profile? Do we have the right mix of expertise and perspectives to ensure robust risk oversight?
These discussion points are intended to help leadership teams assess the effectiveness of their current approach to risk management and identify opportunities for improvement.
Enhance Your Risk Committees with a Free ERM Tool
To help organizations strengthen their management-level risk committees and improve dialogue about risks, we’re offering a free resource:
ERM Tool: Organizing Management-Level Risk Committees & Risk Owner Discussions
This tool provides:
- A sample agenda template for risk committee meetings, including topics for deep dives into specific risks and trends.
- Guidance for Risk Owners to lead effective discussions about their assigned risks.
- Best practices for risk committee members to evaluate risk reports and foster collaborative dialogue.
- Principles for creating a transparent and constructive tone during committee meetings.
This tool is designed to improve communication, accountability, and collaboration among key leaders, ensuring your organization’s ERM program achieves its full potential.
Conclusion
The growing prevalence of Chief Risk Officers and management-level risk committees demonstrates the importance of strong leadership and structured processes in effective risk management. By establishing these roles and enhancing their effectiveness, organizations can better monitor their risk profiles, improve risk communication, and ensure alignment with strategic objectives.
Equip your organization with the tools and strategies needed to succeed. Download the ERM Tool: Organizing Management-Level Risk Committees & Risk Owner Discussions to take the next step in elevating your risk committee’s impact.