The Evolving Role of The Chief Risk Officer

Lucas Fitzsimmons August 25, 2021

62% of organizations experienced a critical risk event in the past three years.

89% of companies experienced a supplier risk event in the past five years.

6% of directors believe their organization’s board is effective at risk management.

With faster broadband, inexpensive hardware, AI and data-driven intelligence, the pace of innovation is speeding up. Yet as the rest of the world embraces digital transformation, we are taking on more risk than ever before. The problem isn’t the risk, it’s the lack of investment in risk management to meet the demands of today’s environment (evidenced above) and to predict the catastrophic impact of potential risks (evidenced below).

US manufacturing giant reports losses of $19bn

World’s largest car manufacturer pays out more than $34.6bn

Excessive risk-taking leads to more than $60bn in penalties

At the forefront of this, you’ll find the Chief Risk Officer (CRO), who has experienced a very turbulent path towards executive status, adapting and evolving the role to meet new risk challenges while operating in an environment that’s becoming increasingly hard to predict and manage. As a fortification architect, the CRO must be able to identify, assess, control and manage risks using a variety of processes, all while navigating increasingly stringent regulations. Using data-driven intelligence to ensure the organization will survive the next decade makes the CRO one of the most important roles in any organization.

As new IT infrastructure and technologies are introduced, including the emergence of AI, mobile and RPA, cyber risk has quickly jumped to number one on the agenda. In many organizations, this program was originally managed by the IT department, but we’ve witnessed a shift in responsibility. As boards become increasingly concerned over cyber threats, the CRO has absorbed this role and reshaped the cybersecurity program.

Similarly, due to the introduction of hybrid work strategies to provide higher value at lower cost, we are noticing organizations increasingly outsource key activities. A role that might have sat with an outsourced team is now a key topic for the risk committee. With third-party risk management now a key factor, suppliers are under more scrutiny than ever before, and for good reason. This year alone we witnessed the effects of supply chain disruptions, from the shortage of microchips to the blockage of the Suez Canal.

There is also a growing public awareness and concern for ESG risks, as investors become increasingly aware of non-financial factors that play a part in their company analysis process.

It’s no secret that banks and insurers have been under regulatory pressure for some time now, with anti-money laundering sitting at the top of the priority list due to increasingly large fines. However, we are starting to witness this type of regulatory pressure leak into other sectors. Some CROs even report spending so much time on the regulatory agenda that they lack appropriate time to fully focus on risk management issues.

With this increasing responsibility, it’s no surprise a common complaint from CROs is the continuous change. Nobody wants to be in a role where you’re always playing catch up.

GRC & ERM software is solving this challenge. A dedicated Risk & Audit Management platform, for example, brings automation of processes, communications and intelligent reporting, freeing up time for people to actually think about the risks. Imagine leaving behind all your Excel and Word documents: no longer spending hours calculating numbers, but instead spending your time on the important work of assessing risks, implementing controls and identifying opportunities.

A leading Canadian manufacturer aligned their audit activities and evolving risks using AuditComply, an Integrated Risk & Audit Management platform. We transformed the customer’s risk management program into a living, breathing component connected to all field events likely to influence their EHS risk status. ‘Live’ risk registers allow the team to own and manage any given set of risks in real-time. Pre-configured risk assessment methodologies provide better understanding of impact, likelihood and overall risk rating. A more agile framework was also introduced to make it easier to update and instrument the appropriate controls as risks are identified. Expansive control libraries allow the customer to monitor and test control effectiveness on an ongoing basis; linking controls with audits, assessments, incidents, tasks and NCs, providing a deeper layer of risk oversight not available in existing solutions.

Why Wait For Tomorrow?

Find out how AuditComply can guide & evolve your third-party risk management program today, request a demo here. 





