Others argue that most organizations will have either a chief risk officer or a risk manager, but not both. Most companies likely would find these positions redundant. In fact, an organization with a full-time risk professional might have either a chief risk officer or a risk manager, but certainly not both. Therefore, ascent to the CRO slot might be a career aspiration of ambitious risk managers who have designs on entering the C-level executive arena.

According to Douglas J. Borg, director of Duke Medical Center Risk Management, “It's been my impression, at least in health-care risk management, this [CRO] title is most often associated with enterprise risk management programs, those programs that consolidate all corporate risks under one management area.” The notion of a CRO is fairly new for hospitals and health systems, he added, noting that it seems to be catching on. In a CRO arrangement, Borg envisions situations in which an organization might still have risk managers who specialize in specific areas of risk.

Steering the Enterprise

Accompanying the emergence of a chief risk officer position is the increased attention to enterprise risk management. This analyzes all risks across the organization's spectrum to assess them, quantify them, and prepare action plans to address them. It is not biased toward insurance, although it includes insurance as one tool.

The CRO position is focused more on speculative risks (investments, currency fluctuations, things traditionally handled by the company treasurer or comptroller), with pure risk management (fire, liability, etc.) as an afterthought. A CRO's duties might also include employee benefits, traditionally human resources turf.

This is not to say that the CRO role is just a board-room position, an ivory-towered theoretician with his head in the clouds. To the contrary, the individual should be hands-on, up to the elbows in assessing risks from a company's activities and business environment. CROs should address the broader spectrum of organizational risk, which can be divided into four main sectors: financial, compliance, operational, and strategic.

Assuming that a risk manager is interested in advancing to a CRO title, what are the steps? In assessing a CRO's ideal background, we should not overlook the obvious. A full-time risk manager would be a likely candidate. We cannot pigeon-hole this, however, as other professional backgrounds might also equip one to be an effective chief risk officer. These include auditing, investor relations, strategic planning, and line operation management.

Putting aside job backgrounds, a good CRO should possess specific skills. These include communication skills, broad strategic vision, a technical grounding in hazard analysis, and facilitation skills.

One question that CROs will face is, “What are the companies' strategic plans and what risk implications do those plans hold?” New markets, new products, and new partnerships are exciting business opportunities. All may entail varying degrees of risk. The CRO's job is to assess these risks and implement mechanisms to reduce their likelihood or to cushion their financial impacts.

In terms of the risks managed by CROs, semantic word games are verboten. Businesses are subject to different risks: operational, business, pure (insurance), credit, etc. There may be specific risk managers in these areas. An insurance risk manager would not necessarily have the same skills as a business risk manager or a bank's credit risk manager, for example. These people may report to a chief risk officer who must possess an overview of all these disciplines.

Some observers express caution at the proliferation of job titles. Is it just a mark of careerism or a matter of pouring old wine into new bottles? With all the Chief (fill in the blank) Officer positions today (CEO, CIO, CFO, CRO, COO), most entities also need chief ethics officers. (On second thought, the CEO acronym is taken, so perhaps we would have to call them chief honesty officers, or CHOs.)

Others warn that creating a position of chief risk officer sends the wrong message, a notion that managing risk is one person's job. (We also could make the same argument against the wisdom of creating a risk manager position.) In truth, however, preventing loss and curbing risk should be every employee's mission. Is it possible to create a distinct CRO job title, while still creating and maintaining a culture of ownership regarding safety and risk? This is the challenge for many organizations.

Let's also be realistic. Only very large companies will have the luxury of creating CRO positions. For storefront businesses or medium-sized enterprises, such job creation just is not realistic. Organizations need a certain heft and risk profile before there is any chance of their creating such positions.

Looking for new challenges in the risk management realm? Tired of seeing the risk management slot as a dead-end position? If so, set your sights higher and acquire the skills to propel yourself into the role of chief risk officer.

Kevin Quinley, CPCU, is senior vice president for Medmarc Insurance Group in Chantilly, Va. He can be reached at [email protected].