Risk Management Roles

Larger organizations with mature ERM programs tend to have evolved a short list of major risk management specific roles; many of which are part-time additions to already full time positions, while some are full time risk management only roles.  Smaller organizations tend to need an ERM operation with all part-timers.  We will call the former “Group ERM” programs and the latter “Company ERM”.

The organizing process always begins with two roles – the senior sponsor and the risk officer.  During the developmental phase, these two roles are very similar to those of Executive Sponsor and Project Manager as defined for normal project management[1].  The Executive Sponsor initiates a project and gets appropriate resources and budget for the project.  The Project Manager runs the project on a day-to-day basis.  During implementation, the Project Manager will keep the Executive Sponsor informed of progress and setbacks.  When problems are outside of the Project Manager’s authority, the Executive Sponsor will help by bringing in assistance or removing blockages from outside of the project team. 

Chief Risk Officer

The risk officer role that was the project manager for the initial development of a new ERM function will usually grow into a senior management role with the title of Chief Risk Officer (CRO). 

The CRO differs from organization to organization, but generally have some or all of these responsibilities:

  • Head the Risk Management Function
  • Chair the Risk Committee
  • Report to the Board on ERM
  • Report to shareholders on risk and capital management
  • Communicate risk and risk management matters to other stakeholders including rating agencies, employees, regulators

Each of these will be discussed in following sections of this chapter. 

The Chief Risk Officer may report directly to the CEO or, more often to the Chief Financial Officer.  Or else, the CRO role is handled by another senior officer such as the Internal Auditor, or, in an insurer, the Chief Underwriting Officer or Chief Actuary. 

The CRO has a wide variety of roles.  First and foremost, the CRO provides leadership and vision for the organization’s ERM program.  They must have a clear idea of the ERM objectives and the ability to direct a diverse group of employees throughout the organization, most of whom do not officially report to the CRO, to follow that vision.  The CRO is the point person in establishing and updating the ERM Framework, the ERM Policies and the Risk Appetite/Tolerance/Limit system.  This requires the CRO to understand the degree to which formal documents and processes fit with the organization’s culture.  The CRO is always the champion of intelligent risk management – risk management that fits the objectives, needs and budget of the organization.  The CRO may be the owner of the Enterprise Risk Model or that model may be owned by the Chief Actuary. 

The CRO will lead the discussion that leads to the formation and updating of the Risk Appetite and Tolerance.  This discussion will be based upon a single risk metric that is common to all risks; in countries that have adopted Solvency II, that single metric for insurers is almost always related to capital.  This is a source of conflict between the regulatory process and the management culture, especially in for-profit insurers, because otherwise, the preference for risk metric would likely be tied to earnings shortfalls rather than capital. 

The CRO is the leader of value added risk management.  That means using the information from the ERM system to help the growth of the firm’s risk adjusted value.  That requires some version of risk-adjusted financial results for various business units, territories and/or products.  The risk-adjustment is most often made based on Economic Capital either via a cost-of-capital adjustment to earnings, or through the reliance on a return on risk capital ratio.

The CRO  is the champion for the Value Added ERM, a major part of the implementation, as well as in explaining the idea and the results to stakeholders.  A major step in that process is the development and implementation of the analytic platform for Economic Capital Allocation.  The CRO may be responsible to perform analysis of risk-adjusted plan proposals and act as a resource to business units for developing risk-adjusted proposals.  As time progresses, the CRO will also work with the CFO to provide monitoring of plan vs. actual performance. 

The CRO’s wide range of responsibilities means that there is no single route to the position.  A Canadian survey[2] of twenty-one CROs found that, in their opinion, CROs needed to be skilled in Math, Finance, Communication and Accounting. 

Management Risk Committee

Most organizations form one or more risk management committees with a major role in the ERM framework.  There are three main reasons:  To provide support and assistance for the CRO, to help  keep the ERM process realistic (i.e. Intelligent ERM above); and, to direct the application of resources for ERM activities that are outside of the risk management department. 

Most often, the Risk Committee will focus first on the ERM reports to the board, reviewing the draft reports prepared by the risk management department for quality assurance, to make sure that the CRO will be able to tell the story that goes with the report, and that both the CRO and the risk committee members can answer any questions raised by the ERM report.  The Risk Committee is the nexus of Risk Culture for the organization – each area of the organization that has a major role in risk taking and risk management is usually represented on the risk committee. 

The exact responsibilities of the Risk Committee will vary by organization.  The four most common and most important responsibilities are:

  1. Setting Risk Appetite and Tolerance
  2. Approving Risk framework and policies
  3. Allocating Risk Appetite & Setting Risk Limits
  4. Setting standards for risk assessment and economic capital

The Risk Committee is usually responsible for setting (or recommending for approval by the board) the Risk Appetite and Tolerance for the organization.  This is a difficult and often tentative process the first time; mainly because the Risk Committee, like most of the management team, has little experience with the concepts behind Risk Appetite and Tolerance, and is wary about possibly making a mistake that will end up damaging the organization.  Once an initial Risk Appetite and Tolerance are set, making adjustments for early imperfections and updates for changing plans and circumstances become much more routine exercises. 

The Risk committee usually approves the Risk Framework and Risk Policies – in some cases, they are recommended for approval to the Board.  These will lay out the responsibilities of the CRO, Risk Committee, Risk Owners and ERM Department.  The Risk Committee should review these documents to make sure that they agree with the suggested range of responsibilities and authorities of the CRO.  The new responsibilities and authorities of the CRO are often completely new activities for an organization, or, they may include carving some responsibilities and authorities out of existing positions.  The Risk Committee members are usually top managers within the organization who will need to work with the CRO, not just in the Risk Committee context, but also in the ways that the CRO’s new duties overlap with their business functions.  The committee members will also be concerned with the amount of time and effort that will be required of the Risk Owners, who for the most part will either be the Risk Committee members or their  senior lieutenants. 

In some organizations, the allocation of Risk Appetite and setting of risk limits is done in the planning process; but most often, only broad conclusions are reached and the task of making the detailed decisions is left to the Risk Committee.  For this, the Risk Committee usually relies upon detailed work performed by the Risk Department or the Risk Owners.  The process is usually to update projections of risk capital requirements to reflect the final planning decisions and then to adjust Risk Appetite for each business unit or risk area and recommend limits that are consistent with the Risk Appetite. 

Many ERM programs have legacy risk assessment and economic capital calculation standards that may or may not be fully documented.  As regulatory processes have intruded into risk assessment, documentation and eventually consistency are required.  In addition, calls for consistency of risk assessment often arise when new products or new risks are being considered.  These discussions can end up being as much political as they are analytical, since the decision of what processes and assumptions make a risk assessment consistent with existing products and risks often determines whether the new activity is viable.  And since the Risk Committee members are usually selected for their position within the organization’s hierarchy, rather than their technical expertise, they are the right group to resolve the political aspects of this topic. 

Other topics that may be of concern to the Risk Committee include:

  • Monitoring compliance with limits and policies
  • Reviewing risk decisions
  • Monitoring risk profile
  • Proposing risk mitigation actions
  • Coordinate the risk control processes
  • Identify emerging risks
  • Discussing the above with the Board of Directors as agreed

Larger organizations often have two or more risk committees – most common is to have an executive risk committee made up of most or all of the senior officers and a working risk committee whose members are the people responsible for implementing the risk framework and policies.  In other cases, there are separate risk committees for major risk categories, which sometimes predate the ERM program. 

Risk Owners

Many organizations assign a single person the responsibility for each major risk.  Going beyond an organizational chart, a clear organizational structure includes documented responsibilities and clear decision making and escalation procedures. Clarity on roles and responsibilities—with regard to oversight and decision-making—contributes to improvement capability and expertise to meet the changing needs of the business[3].

Specifically, the Risk Owner is the person who organizationally resides in the business and is responsible for making sure that the risk management is actually taking place as risks are taken, which most of ten should the most effective way to manage a risk. 

The Risk Owner’s role varies considerably depending upon the characteristics of the risk.

Insurance and Investment risks are almost always consciously accepted by organizations, and the process of selecting the accepted risks is usually the most important part of risk management.  That is why insurance risk owners are often Chief Underwriting Officers, and Chief Investment officers  are often the owners of Investment risks.  However, risk structuring, in the form of setting the terms and conditions of the insurance contract is a key risk mitigation effort, and may not be part of the Chief Underwriter role.  On the other hand, structuring of investments, in situations where investments are made through a privately structured arrangement, is usually done within the Investment area.  Other risk mitigations, through reinsurance and hedging could also be within or outside of these areas.  Because of the dispersion of responsibilities for different parts of the risk management process, exercise of the Risk Owner responsibilities for Insurance Risks are collaborative among several company officers.  In some firms, there is a position of Product Manager who is the natural Risk Owner of a product’s risks.  The specialization of various investment types means that in many firms, a different lieutenant of the Chief Investment Officer is the risk owner for Equity risk, Credit Risk, Interest Rate Risk and risks from Alternative investments. 

Operational risks are usually accepted as a consequence of other decisions; the opportunities for risk selection are infrequent as processes are updated.  Often the risk owners for Operational risks are managers in various parts of the organization. 

Strategic risks are usually accepted through a firm’s planning process.  Usually the risk owners are the members of the top management team (management board) who are closest to each strategic risk, with the CEO taking the Risk Owner position for the risk of failure of the primary strategy of the firm. 

The Risk Owner may be responsible to make a periodic Report on the status of their risk and Risk Management to the governing Board.  This report may include:

  1. Plans for Exposure to risk and Risk Strategy
  2. Plans to exploit and mitigate
  3. Changes to Exposures taken and Remaining after mitigation
  4. Adequacy of resources to achieve plans

Risk Management Department

In all but the smallest organizations, the CRO’s responsibilities require more work and attention than can be provided by a single person.  The CRO will gain an assistant and eventually an entire department.  The risk management department serves primarily as support staff for the CRO and Risk Committee.  In addition, they may also be subject matter experts on risk management to assist Risk Owners.  Usually, the risk management department also compiles the risk reports for the risk committees and Board.  They are also usually tasked to maintain the risk register as well as the risk management framework and risk policies.

Internal Audit

Internal Audit often has an assurance role in ERM.  They will look to see that there is effective and continual compliance with Policies and Standards, and tracking and handling of risk limit breaches. 

If there is no Internal Audit involvement, this compliance assurance responsibility falls to the risk management department; that may create a conflict between compliance role and advisory role of the risk management department.  Compliance is the natural role of Internal Audit and giving this role to Internal Audit allows risk management to have more of a consultative and management information role. 

In many firms, the roles for risk owners, the risk management department, along with internal audit, have been formalized under the title “Three Levels of Defense.”

This approach is often coupled with a compliance role for the board audit committee. 

When internal audit is involved in this manner, there is sometimes a question about the role’s scope.  That question is: whether internal audit should limit its role to assurance of compliance with the ERM Framework and policies, or should it also have a role reviewing the ERM Framework itself?  To answer that question, the organization must assess the experience and capabilities of internal audit in enterprise risk management against the cost of engaging external experts to perform a review[4]

CEO Role in ERM

It is fairly common for a description of ERM roles at a bank or insurer to talk about roles for the board,CRO, and front line management, but not to mention any specific part for the CEO. 

“No one has any business running a huge financial institution unless they regard themselves as the Chief Risk Officer” – Warren Buffett, speaking at the New School (2013)

Warren Buffett, the CEO of Berkshire Hathaway, has said many times that he is the Chief Risk Officer of his firm and that he does not believe that it would be a good idea to delegate that responsibility to another individual.  While his position is an extreme that is not accepted by most CEO’s of financial institutions, there is an important role for the CEO that is very close to Buffett’s idea. 

For the CRO and the ERM program to be effective, the organization needs clarity on the aspects of risk management which the CEO is directly delegating his or her authority to the CRO, which are being delegated to the Risk Committee, and which risk management decisions are being delegated to the Risk Owners.  Leading up to the financial crisis of 2008, the authority for some risk decisions were not clearly delegated to either the CRO or the Risk Owners in some banks, and CEO’s remained aloof from resolving the issue[5].


[1] Executive Engagement: The Role of the Sponsor, Project Management Institute,

[2] “A Composite Sketch of a Chief Risk Officer”, Conference Board of Canada, 2001

[3] CRO Forum, Sound Risk Culture in the Insurance Industry, (2015)

[4] Institute of Internal Auditors, The Three Lines of Defense In Effective Risk Management And Control, (2013)

[5] Senior Supervisors Group, Risk Management Lessons from the Global Banking Crisis of 2008 (2009)

Explore posts in the same categories: Chief Risk Officer, Enterprise Risk Management, Risk Management, Risk Management System

Tags: ,

You can comment below, or link to this permanent URL from your own site.

One Comment on “Risk Management Roles”

  1. GSosbee Says:

    With the two exceptions noted below, another outstanding effort.

    The Financial Services Sector has to be careful with terms and goals. In that Sector the CRO’s function is to manage the capital allocation risk. An important function, but hardly the sum total of risks facing an institution. In fact, it is not larger than the cyber and fraud risks facing the organization.

    Internal Audit does not possess the knowledge base to be involved in any phase of an Enterprise Risk Program other than their normal Compliance function.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s


%d bloggers like this: