Chief Risk Officer, risk in business, risk management

By Jan van Vliet, EMEA VP and GM at Digital Guardian

Today organisations are faced with a record number of internal and external threats.

From malicious hackers to disgruntled employees, businesses need to be prepared and their systems fortified against anyone who might want to attack them. To address this challenge, businesses are turning to an emerging role, the Chief Risk Officer (CRO): an executive-level employee tasked with identifying as many of these ‘risks’ as possible and putting processes in place to mitigate their potential impact.

So what exactly is this new role, and how do you know if your business requires a CRO?

The role of a CRO

As a C-suite executive, a CRO is responsible for identifying, analysing and mitigating any and all risks that could negatively impact the business, from cyber threats and fraud prevention to auditing and regulatory compliance.

An important part of protecting against all threats is having the right procedures in place. A large part of a CRO’s role is to monitor existing internal and external business procedures that may expose the business to risk. For example, if the business collects sensitive data from its customers it is the CRO’s responsibility to ensure every aspect of that process has been assessed from a risk perspective to make sure that data remains confidential at all times. This also includes the due diligence of any partners or third parties that are also involved, as well as the business’ own systems.

Another consideration for CROs is the physical risks that employees could be exposed to. For example, if an employee is required to travel to, or work in, a hazardous environment, the CRO must ensure the correct policies and procedures are in place to keep them safe.

With new risks emerging every day, the role of the CRO is undoubtedly a challenging one. However, many businesses now rightly see risk management as an intrinsic part of operations, which is why it’s becoming increasingly common to see a CRO at the executive table.

Choosing between a CRO and a Risk Committee

It is common practice for modern businesses to choose between employing a dedicated CRO or installing a wider committee that oversees risk as a group.

Having a CRO at the executive table sends a clear message both internally and externally that the business is serious about risk management. It also centralises all risk-based activity through a single executive, therefore eliminating any confusion and creating a single point of contact.

On the other hand, if organisations aren’t careful, the scope of responsibility involved can easily overwhelm even the most capable executive, turning them into a bottleneck and severely impacting their ability to do the job effectively.

A Risk Committee takes the same responsibilities of a CRO but spreads them out over a group of senior employees who then work together. This spreads the workload and provides an opportunity for executives from across the business to collaborate closely.

However, a committee needs additional coordination and, without a clear leader, it can lead to a fragmented approach, and company politics often get involved.

It doesn’t have to be one or the other – many businesses opt for a blend of the two to get the best of both, with a CRO heading up the efforts of a larger Risk Committee.

What to look for when hiring a CRO

A successful CRO candidate should demonstrate several specific skillsets. First and foremost, they need the analytical skills, quantification skills and requisite expertise to identify and assess risks, then combat them effectively. This is vital – they simply cannot perform the job without these skills.

People and leadership skills also need to be outstanding. A major part of a CRO’s role is to properly educate employees and key stakeholders, while also facilitating communication between different groups across the business, so these skills will be essential.

A CRO is still a technical role and so a detailed knowledge of technology, networks and systems has also become a key requirement, especially with so much organisational risk now associated with online activity and e-commerce.

Finally, ideal candidates should possess a postgraduate degree (preferably in business administration) and have at least two decades of experience in economics, science, law, or accountancy.

The questions each business should now be asking are: is its risk being managed properly, and does it need to consider hiring a CRO?

About the author

Jan van Vliet is Vice President and General Manager, EMEA at Digital Guardian.

Jan is a seasoned senior executive with a proven track record of success in both emerging and mature markets. He is responsible for expanding Digital Guardian’s business and market share throughout EMEA, driving strategy and overseeing operations in both regions.

Jan holds Bachelor and Master of Science degrees in Computer Science from the Delft University of Technology. Currently Jan is a shareholder and serves on the advisory board of Nochii Online Marketing B.V., an online marketing company in the Netherlands.