DEFINITION of Chief Risk Officer (CRO)
A chief risk officer is an executive responsible for identifying, analyzing and mitigating internal and external events that could threaten a company. The chief risk officer works to ensure that the company is compliant with government regulations, such as Sarbanes-Oxley, and reviews factors that could negatively affect investments or a company's business units. CROs typically have post-graduate education and over 20 years of experience in accounting, economics, law or actuarial science. They are also referred to as chief risk management officers (CRMO).
BREAKING DOWN Chief Risk Officer (CRO)
The position of chief risk officer is constantly evolving. As a company adopts new technologies, the CRO must govern information security, protect against fraud and guard intellectual property. By developing internal controls and overseeing internal audits, the CRO can identify threats from within a company before they result in regulatory issues.
Risks a CRO Must Watch For
The types of threats the CRO usually keeps watch for can be grouped into regulatory, competitive and technical categories. As noted, companies must ensure they are in compliance with regulatory rules and are fulfilling their obligations to report accurately to government agencies.
CROs must also check for procedural issues within their companies that may create exposure to a threat or liability. For example, if a company handles sensitive data from a third party, such as personal health information, there may be layers of security that the company is required to maintain to ensure that data is kept confidential. If there are lapses in that security – such as when an employee allows an unauthorized person, even within the company, to have access to a company computer that contains such data – it can be a form of exposure that a CRO must address. Unauthorized access to sensitive data may also constitute a competitive risk if there is the potential for rival organizations to use such information to take away clients or otherwise damage the public image of the company.
If a company maintains locations or sends employees to areas that pose potential threats to their safety and health, a CRO must assess those threats and create plans of action in response. For instance, if a company operates a warehouse or manufacturing facility in a country where there is civil or political unrest, the staff may be in harm's way while performing their work duties. Likewise, if an organization has personnel in an area where a viral outbreak is spreading, the CRO will need to find out what the risks are and recommend measures the organization can take. They will also need to assess whether the organization's actions, such as attempting to remove employees from the location, comply with mandated procedures, including quarantines on the affected areas.