Why is risk management in SMEs better than in large corporations? Here are my comments.
If you want to promote effective management, de-emphasize independence and have the CRO report to the CEO with access to the board. Then hold the CEO (not the CRO) accountable for the effective management of risk and opportunity.
Two recent articles, discussed in this post, attempt to describe how to explain cyber risk to the board.