A chief risk officer requires certain characteristics to succeed at being the leader of risk management in any organization. This article provides a list of critical attributes for such a leader.
My best-selling book, World-Class Risk Management, describes how risk management can enable better decision-making, from strategy-setting to execution, and make a significant contribution to the success of any organization.
But how do you assess the leader of risk management within your organization?
Here are some attributes I consider critical. They tend to overlap but offer different ways of thinking about the individual and their team. They are not necessarily in order of importance; I leave the prioritization to you.
- Dedicated to helping the organization to succeed rather than simply avoid failures. (This should be the perception of others, not just the risk officer.)
- Has a deep understanding of the business, how it delivers value, is organized, makes decisions, and is run
- Seen as a trusted and valuable partner (not police) by the management team at all levels
- Listens, especially before speaking
- Looks to enable management to identify, assess, and evaluate risk rather than being the authority themselves
- Constructive and has good ideas
- Willing to recommend taking more ‘risk’ where appropriate for the business
- Helps everybody consider all the things that might happen, the multiple effects (positive and negative) that might flow from an event or situation, so they can make the best decisions for the organization
- Communicates effectively and is persuasive when appropriate and necessary
- Speaks well with and to authority
- An effective facilitator of discussions, especially across multiple groups
- Helps everybody understand how to identify, assess, evaluate, and respond to what might happen (risk)
- Seen as helping each executive, manager, and team succeed through informed and intelligent decision-making
- Enables an effective discussion around strategy, the setting of objectives, the management of major projects, and other key matters – either in person or by ensuring effective processes and methods are in place for managing the effects of uncertainty: what might happen (risk)
- Avoids enterprise list management and provides actionable, useful information to leaders of the organization that helps them understand the likelihood of achieving each of their objectives – in other words, not simply managing the so-called ‘top risks’ out of context
- Ensures that decision-makers have useful guidance on which risks to take
- A leader
- Works effectively with internal audit
- A potential leader of a business operation
- Objective and able to speak out as an independent voice when necessary and appropriate
Technical risk management expertise is not one of my top 20 attributes. Certainly it is valuable, but should it rate higher than any of the above?
What have I missed?
With which items do you disagree?
I welcome your comments.
PS – This is a review of my book from an experienced CRO:
Norman Marks’ latest book “World-Class Risk Management” (2015) is a must read for anyone interested in this evolving topic. It will appeal to the beginner as it leads one from the basics through the various concepts and techniques, while it challenges the most serious practitioner to re-evaluate what they do and why. The academic will also benefit from using this book because of the exhaustive references to some of the best source material on this topic. Norman challenges many stereotypical and clichéd views on risk management, but keeps coming back to simple, easy to understand concepts. He captures the essence of his thinking in “The management of risk is an essential element in successful management.” (page 13). This book makes you think, yet it is written in a lucid and friendly style. His thinking on ‘risk appetite’ challenges some ‘sacred cows’ held by many, but will help those who have struggled with this concept to find better ways of approaching this controversial subject. I wish he had written more on risk workshops but that may be another book someday. Well done, Norman, and thank you for sharing your experience, research and thinking.
He retired in early 2013. However,he still blogs, writes, trains, and speaks – and mentors individuals and organizations when he can.
Latest posts by Norman D. Marks, CPA, CRMA (see all)
- How effective are your systems of governance, risk, and control/compliance (GRC)? - October 19, 2021
- Delivering value from IT audit - September 22, 2021
- Selecting software for risk management - August 18, 2021