
The need for chief risk officers

As an organization becomes larger, the complexity of having a view of risk becomes more difficult for any one department to see. Enter the CRO.

By Patrick Gray
February 5, 2021

While many organizations understand the need for a security executive, organizations that have taken a holistic approach have added the chief risk officer (CRO) position to evaluate all organizational risk. After speaking with academics, experts and executives in the risk and security field, I have found an increasing interest in risk identification and mitigation and identified key factors in developing the ideal role and finding the perfect candidate for any enterprise.

The CRO takes a higher-level approach than the chief security officer (CSO), who is tasked with overseeing the physical and/or cybersecurity of an organization. The CRO looks at all aspects of risk and how it may affect an organization. This includes physical security and cybersecurity, but also may include financial, insurance, reputational and other risks.

Currently, only about 2,000 CROs exist in the U.S., according to Bloomberg, but as of this summer, “their ranks already have grown by 5% since last year.” Additionally, many companies do not have someone specifically titled a CRO, but instead have a vice president of risk management, a risk committee, or another executive, such as a CSO, pulling double duty.

“As an organization becomes larger, the complexity of having a view of risk becomes more difficult for any one department to see,” Ben Trowbridge, a cybersecurity expert and managing partner for Acelros, explains. “You need someone who’s thinking about it globally or at least by major region.”


How a CRO can Improve Your Organization

Traditionally, the CRO position sat most often in the financial world; however, other organizations are seeing the need for an executive solely focused on risk identification and management. “Financial services and healthcare have led the way” with prioritizing risk management, Trowbridge shares. “It depends on the size and complexity of other industries whether you see the chief risk officer really becoming a real role.”

Having an executive overseeing and preparing to mitigate risk is an obvious benefit, but there are also concrete statistics that support creating and backing a risk management function. According to Deloitte’s 2019 survey of risk management, which advocates for the creation of a CRO, companies that view risk management as among the most important factors for achieving strategic goals tend to achieve higher growth. The survey says that among surveyed organizations, companies with a compound annual growth rate (CAGR) of 5% or more were twice as likely to view risk management as key to achieving strategic goals than those with a CAGR under 5% (40% versus 2%).

North Carolina State University’s Enterprise Risk Management Initiative’s annual survey found 59% of respondents sharing that the volume and complexity of risks increased “extensively” or “mostly” in the past five years. Add in the COVID-19 pandemic, which prompted new risks financially, operationally, safety-wise and cybersecurity-wise. With the number of business risks continuing to grow, appointing a senior figure to tackle risk seems like a no-brainer.

The reasons to establish a CRO are numerous, so why are organizations slow to create the position? Two likely culprits are the cost and the false belief that an organization does not need a risk manager. “People hear the term risk management, chief risk officer, they immediately dismiss it. They think: cost, overhead,” Dr. Mark Beasley, head of the NC State ERM program, says. “I think that is changing; people are realizing it is more complex.”

After the Enron scandal, many energy companies added in a risk management leader to build trust within the industry. The CCRO, a voluntary membership organization, was established to create and uphold best practices in the industry and is still going strong nearly two decades later. Bob Anderson, a former CRO himself who has led the CCRO since its inception, explained that prior to Enron, much of the risk management function was performed by consultants.

Enron was the “impetus that forced these companies to come together and solve these problems,” he says. “That situation was so dramatic, companies were in a death spiral; it was really all about each company’s ability or inability to understand the risks underlying their business.”

In contrast with the financial sector, CROs in the energy field may face more instability, Anderson says, because energy companies can shift their business model so quickly. “Energy companies can completely disassemble their risk function and start over again. Their products and services can completely change in a year. It’s not as homogenous as in banking,” Anderson says.

 

How to Create the CRO Role & Find the Best Candidate

Once an organization realizes it needs a CRO, the work is just starting. An organization must identify the right person for the role and create the position within its organization. “It can be a tough position to fill with the right person,” Beasley says. NC State ERM’s annual survey found that identifying and retaining leadership and talent are two weak points for organizations.

Often, CROs have a financial background or come from the organization’s industry. Communication skills are non-negotiable. “Most cases, successful CROs have communication skills, charisma, buy-in of senior management and a small staff to provide for detailed skills around modeling, programming, quantitative analysis,” Anderson says. Like a CSO, an effective CRO relies upon strong communication skills not only to engage employees from the bottom up, but also to protect the risk department and prove the function’s value.

Because the CRO is pinpointing problems, the CRO must also know the business and have the support from the organization and its leadership. “The ideal person is someone who has two skill sets — one that really, really knows our business, how we work, how we make money, and what makes us tick,” Beasley says. “The second skill is how good are their diplomacy skills? How well are they respected by other executives in the business?”

Also important is what stage the CRO is in his or her career. “The CRO has to feel robust enough in their career and company to make lots of good recommendations,” Trowbridge says. “They’re often small, but add up. Most companies don’t make one big decision that causes all their risks, it’s a series of small decisions.”

Organizations should take care to finesse the relationship between the CRO and the CFO. Given that risk and financial issues often overlap, delineating responsibilities is vital. The CRO could, for example, offer oversight and serve as a partner with the CFO, leaving the CFO ultimate authority.

 

Organizational Structure

In an ideal world, the chief risk officer would report to the CEO and have a dotted line to the board or a board committee. In reality, most CROs report to the CEO or the CFO, depending on the industry. Best practices call for the CRO to have at least a dotted line to the board or a board committee.

What is important, however, is not just who the CRO reports to but executive support for the CRO. “If they don't have a champion at the board or a CEO who understands risk management, it’s easy for a CRO to fade into the background and become an overhead line item,” Anderson says.

If an organization has a chief security officer/chief cybersecurity officer and a chief risk officer, then the CRO serves as oversight for those functions, whereas the CSO/CISO manages their specific security areas. If the organization only has a CRO, then the responsibilities for cybersecurity and security fall to the CRO.

 

The Future of Risk

The COVID-19 pandemic has highlighted the importance of being able to analyze known risks and react to the unexpected. Companies with the following characteristics would be remiss if they did not consider having a full-time executive focused on risk:

  • Revenue greater than $1 billion;
  • Publicly traded;
  • Operating in regulated industries;
  • Diverse geographic footprint.

In these instances, the benefits of a capable executive providing a measured approach and preparing for risk comprehensively across the organization far outweigh the costs.

KEYWORDS: business continuity, Chief Risk Officer, risk management


Patrick Gray is a Managing Director and Head of the Security Officers and National Security practice for Raines International, an executive search and advisory firm focusing on senior leadership positions across industries. Gray is a former U.S. Army Intelligence officer who specialized in personnel and cybersecurity and is a West Point graduate. He can be reached at pgray@rainesinternational.com.
