Why is risk management in SMEs better than in large corporations? Here are my comments.
If you want to promote effective management, de-emphasize independence and have the CRO report to the CEO with access to the board. Then hold the CEO (not the CRO) accountable for the effective management of risk and opportunity.
Providing assurance involves assessing the current situation, looking forward and anticipating what might happen in the near future and longer term, determining whether that is acceptable, and if it is not helping decision-makers take appropriate actions.