The Ideal Reporting Line for Chief Risk Officers: Insights from a Recent Poll
A Big Thank You to My Friends and Colleagues
I want to extend a heartfelt thank you to all my friends and colleagues who participated in my recent poll about CRO reporting lines. The outcome of the survey shows that many risk professionals believe CROs should either report to the Audit and Risk Committee (ARC) (65%) or to the CEO (28%). Notably, the poll confirmed that CROs should not report to any CxO (0%), and only 7% voted for reporting to the Management Committee (MC).
“Risk management is not just about avoiding losses; it’s about creating opportunities.”
Ideal Reporting Position for CROs
As CROs, if we were asked to advise on our ideal reporting position, we should consider several factors, including:
Functional objectives
Organizational culture (which I refer to as politics)
Risk maturity of the entire organization
Quality of support for the function
Here are a few questions to ponder, along with my thoughts stemming from vast experience and networking with others in similar positions:
1. Does the Reporting Line Understand Risk Management?
The reporting line (CEO or ARC) should have a reasonable understanding of what risk management entails. It’s crucial that they don’t leave the CRO to navigate through the organization alone. While risk-educated CEOs or ARCs are often in the minority, they should at least grasp the basics of risk management and have a clear idea of organizational expectations for the role. The CEO should be able to define the objectives of the risk management function, its operating model, and aspired risk maturity levels. They must be prepared to discuss, explore, and challenge the CRO.
There is no one-size-fits-all model, and as CROs, we are responsible for ensuring that our objectives make sense and add value to the business—provided we attain adequate buy-in.
2. Will the Preferred Reporting Line Provide Sufficient Authority and Support?
If the CEO or ARC simply allows things to flow without engagement, disappointment is likely, and the function may struggle to succeed. Due to its oversight role, direct reporting to ARC could result in limited support for the CRO. In such cases, CROs should opt to report directly to the CEO.
A strong statement of authority and support is when the CEO announces the arrival of the CRO to all stakeholders, including board members and management. A formal introductory meeting with senior staff is also essential. Publicly praising and recognizing the achievements of the risk management function demonstrates support from leadership. Without strong backing from the CEO, it becomes challenging for CROs to promote risk management effectively.
3. Does the Reporting Line Engage and Consult with the CRO?
How much time does the reporting line allocate for engagement with the CRO? Is it half an hour? One hour? Or no time at all? Often, risk management fails to deliver effectively due to shallow engagement from leadership or being sidelined during important discussions.
We can all recall instances where we wished we had been consulted before decisions were made—decisions that later had negative impacts on our organizations. Poor governance reflects poorly on management when they ignore these critical engagements.
A newly appointed CRO needs to assess their prospective organization carefully before joining. Organizations with strong transparency tend to foster an ideal environment for risk management.
Conclusion
The choice of reporting structure is often predetermined well before a CRO arrives, leaving little room for input from them. Collectively, as CROs, we play an essential role in encouraging best practices. In my view:
Organizations with low risk maturity should have CROs report directly to the CEO.
Risk-mature companies with competent management should set CRO reporting lines to ARC.
Management should never hesitate to engage in open discussions with ARC members when presenting risk reports.
Stay tuned for my next article covering the roles of risk management versus internal audit and why these two functions should never be merged.
Feel free to reach out; I am happy to provide advisory services. As the founder of Aquilae Consulting, I aim to help shape this profession and encourage companies to seriously consider risk management as one of the pillars of good governance.