Planning & Risk Management, Undervisningsbygg Oslo KF
I am often confronted with the following questions: Who is a risk manager (CRO)? Where is her/his place on an organization chart? Do the existing standards/ frameworks have requirements or guidelines about this position? Did the risk manager’s role change during the last years? Why? In the following, I will share available data, as well as my reflections on these questions.
2. Who is the risk manager?
FERMA (Federation of European Risk Manager Associations) publishes a Risk Manager Report on a yearly basis. The last report from 2020 summarizes responses from 764 risk managers in 34 countries. According to these findings the risk manager is an experienced person (a man for the time beeing). However, the profession has reached better gender equality for the youngest generation.
Figure 1: Risk managers by gender and age
Source: https://www.ferma.eu/publication/the-european-risk-manager-report-2020-key-findings, page 13
Figure 2: The proportion of female risk managers
Source: https://www.ferma.eu/publication/the-european-risk-manager-report-2020-key-findings, page 13
Risk managers have long experience. Since the profession does not have licensing or authorization requirements, which regulates the entries to the profession as well as the follow-up of the quality of the performance, many risk managers do use the possible certification arrangements and get certified. According to Ferma’s report, 77 % of the survey respondents say that certification matters in practicing risk management. 44 % of respondents have a certification or plan to apply to one. They think that a certificate will have the following advantages :
- Improves internal recognition of the function and gains credibility from stakeholders
- Helps develop operational skills
- Improves employability
- Helps develop your professional network
- Improves remuneration.
Figure 3: Risk managers’ experience
Source: https://www.ferma.eu/publication/the-european-risk-manager-report-2020-key-findings, page 33
Today, the risk manager (CRO) position is a natural element of an organization with high-risk maturity. Deloitte’s Global Risk Management Survey from 2021 shows that all the 57 financial services institutions around the world, which have responded to this survey had CROs. The figure was only 65 % in 2002.
Source: Deloitte, Global Risk Management Survey, 12th Edition p: 16
3. What are the expectations of the existing standards/ frameworks about the risk manager function?
Neither ISO 31000: 2018  nor COSO Enterprise Risk Management  have a detailed overview of risk managers tasks and responsibilities.
COSO, ERM framework
- defines the chief risk officer role in a footnote under Principle 2- Establishing Operating Structures, as follows: “The chief risk officer is the individual who is delegated authority for enterprise risk management; other names for this role may be “head of enterprise risk management”, “head of risk”, “director of enterprise risk management” or “director of risk”.
- describes “the key roles” in an organization. Key roles consist of “Individuals in a management role who has the authority and responsibility to make decisions and oversee business practices to achieve strategic and business objectives. Within the management team, the chief risk officer is often responsible for providing expertise and coordinating risk considerations.” 
- states that enterprise risk management is the responsibility of the Board. The framework underlines the importance of the chief risk officer position for communicating risk management issues to the Board.
ISO 31000 focuses on risk management, not on the risk manager. In chapter 5.4.2-5.5.5 the standard underlines that the executive management should
- declare its commitment to risk management,
- ensure allocation of resources to risk management, define roles, authorities, and responsibilities
- underline that risk management is a core responsibility area
Ferma’s Risk Management Standard is the only standard that has a detailed description of the role of the risk manager.  The standard underlines that “(…) Depending on the size of the organization, the risk management function may range from a single champion, a part-time risk manager, to a full-scale risk management department. The standard states at the same time, that the role should include
- setting policy and strategy for risk management
- primary champion of risk management at the strategic and operational level
- building a risk-aware culture within the organization including appropriate education
- establishing internal risk policy and structures for business units
- designing and reviewing processes for risk management
- co-ordinating the various functional activities which advice on risk management issues within the organization
- developing risk response processes, including contingency and business continuity programs
- preparing reports on risk for the board and the stakeholders.
IIA’s (The Institute of Internal Auditors) 3 lines of Defense Model from 2013 contributed substantially to defining the role of the risk manager. IIA’s position paper gave the risk manager/risk management committee the following role: “(…) facilitates and monitors the implementation of effective risk management practices by operational management and assists risk owners in defining target risk exposure, and reporting adequate risk-related information throughout the organization…”.
The 3 lines of defense model introduced the necessity of a risk manager’s independence from risk owners, even if the said independence has limitations since the risk manager reports to the senior management, not directly to the Board.
Source: IIA position Paper -The Three Lines of Defense in Effective Risk Management and Control, January 2013 p:4
The new version of the 3 lines of defense model from 2020, focuses on the contribution of risk management to achieving objectives and creating value, as well as matters of defense and protecting value. In the new model, all roles are aligned. Alignment of activities is achieved through communication, cooperation, and collaboration. This ensures risk-based decision-making. Risk manager offers expertise and support while first-line roles ensure the day-to-day management of risks.
Source: The IIA’s Three Lines Model an Update of the Three Lines of Defense, p: 4
4. Did the risk managers’ roles change during the last years?
Risk managers are well educated and have analytical skills. They easily respond to the developments in the external and internal context and to the emerging risks and opportunities. The available data indicates that risk managers lately have contributed to analyze, and monitor emerging risks and opportunities connected with GDPR, IT-security, and crisis management/ pandemics as well as to risk-based decision making.
- FERMA has carried out two anonymous web-based surveys and interviews of selected GDPR-stakeholders in May and July 2019 across Europe. According to survey results, 74 % of risk managers assessed the threats associated with GDPR implementation, 30 % quantified the financial impact of the data protection incidents, using stress test scenarios, an index or scale, 44 % performed qualitative assessments of frequency and severity.
- FERMA has carried another survey in September and October 2020, to analyze the contribution of risk managers to the resilience of their organizations during the COVID-19 pandemic. Responses were received from 314 respondents in 21 countries. 17 % of risk managers say that they led the work when creating and implementing their organization’s COVID-19 crisis management strategy, 23 % are heavily involved but did not lead the work, 26 % had some involvement. Only 31 % did not have any involvement at all.
- FERMA’s European risk manager report 2020 informs that 45 % of risk managers have a regular and close collaboration with information security teams based on a clear mandate while 36 % have occasional collaboration. 10 % of the risk managers say that information security is their responsibility. Only 9 % of respondents are not involved in information security.
- The above-mentioned report from Ferma documents the risk manager’s presence at a strategic level of the organization
o 74% of risk managers assess risks that could affect the relevance and viability of their organizations’ strategy and objectives.
o 60 % of risk managers assess risks related to the different strategies considered by the organization during its strategy definition.
o 59 % of risk managers assess risks related to the non-alignment of their organization’s strategy with its mission, vision, and core values.
Angela Patel defines two basic principles which should be clear when deciding where and to whom the risk manager shall report : These are:
- Functional Independence & Separation of Duties: The risk management function needs to have an independent reporting line directly to senior management- preferably to the CEO, and in any case not through any business line that it is responsible to control.
- The integrity of the Three Lines of Defense: It may be tempting to group together “like” functions. However, in most cases, the combination of functions in a single reporting line to a single executive creates even more of a conflict of interest.
In my opinion, there is a correlation between the risk maturity of an organization and the place, authorities, and responsibilities of the risk manager. Risk-mature organizations take the advantage of risk manager’s qualifications not only to assist the first line to handle the existing risks, but to identify, analyze, and evaluate the emerging risks and opportunities.
 FERMA, European risk manager report-2020, https://www.ferma.eu/publication/the-european-risk-manager-report-2020-key-findings/
 FERMA, European risk manager report-2020, p:33
 Ayse Nordal& Ole-Martin Kjørstad, A Risk Maturity Model 2017,
 Deloitte, Global Risk Management Survey, 12th Edition p: 16
 ISO, ISO 31000: 2018 Risk Management Guidelines
 COSO, Enterprise Risk Management. Integrating with Strategy and Performance, June 2017
 COSO, Enterprise Risk Management, principle 2, pp: 31-35
 COSO, Enterprise Risk Management, Principle 2, p:31
 COSO, Enterprise RM, Principle 19, page 103
 FERMA, A Risk Management Standard, 2003, p:14
 IIA Position Paper, The Three Lines of Defense in Effective Risk Management and Control, January 2013 p:4
 FERMA, GDPR, and Corporate Governance, November 2019 p: 36
 FERMA, Risk management, recovery and resilience, Covid -19 Survey Report 2020
 Angela Patel, Governance and Organizational Positioning of Effective Risk Management Functions, October 2017 https://www.linkedin.com/pulse/governance-organizational-positioning-effective-risk-management/