Risk management is as critical in the not-for-profit sector as it is in the for-profit world. The more common definition of risk is the chance that events prevent an organization from achieving its objectives. In reality, risk is the possibility that events will affect the achievement of objectives.
Why is risk management in SMEs better than in large corporations? Here are my comments.
If you want to promote effective management, de-emphasize independence and have the CRO report to the CEO with access to the board. Then hold the CEO (not the CRO) accountable for the effective management of risk and opportunity.