Recently I read a comment in a LinkedIn Group that stated Chief Risk Officers should be given more authority in order to enforce sound risk management practices. This made me raise my pen.
The notion of authority for a CRO worries me a bit along the lines that the risk management function and internal audit should be separated. I am more of the school that CROs sell benefits, facilitate better practices and influence good decision-making as broadly as they are able while the assurance function (eg Internal Audit) attests to the success or otherwise of the CRO’s efforts (Also see my blog on should Boards have a separate Risk Committee). Yes, sometimes the CRO’s job will be near on impossible and you would need the charisma of Richard Branson, however, being seen as a “Trusted Advisor” rather than an authoritative figure will in the end assist management make better decisions.
As many of the subsequent posts to the comment stated, you need to earn respect. In my words, “Trusted Advisor” status must be earned. You can have notional authority without influence.
Lastly, I was involved in the establishment of a Masters in Risk Management at Monash University, Australia, about 12 years ago and during a workshop on what might be a CRO’s ultimate skill set, we concluded someone with the core technical RM skills and an MBA was getting towards the mark. Since then I have often commented that a CRO needs to be an MBA on steroids. A CRO needs to understand strategy, finance, safety, project and change management, organisational behaviour as well as have a great understanding of the business. On top of that, a CRO needs to show strong leadership across all of these areas.