“I don't have any data to support an increase in CROs, but intuitively it seems that as companies are paying more attention to enterprise risk management, there will be an evolution to CROs,” said Ms. Ochenkowski, director of global risk management with Jones Lang LaSalle in Chicago.

She added that although the title may not necessarily be that of CRO, “it will be the job description of a senior-level person in charge of risk management and assessment that will continue to thrive.”

Ms. Ochenkowski advised traditional risk managers looking to upgrade to the CRO position to “make senior management more aware of their internal expertise in solving risk issues facing the organization.”

She added that basic to the CRO post is knowing their own business. “You need to not be the insurance person but someone who understands your industry and can help to assess risk/benefit rewards on a strategic level,” she explained.

Those who can demonstrate such abilities, she said, will “move forward in your organization–you will be a value-add to management.”

On the other hand, those whose only contribution is as a “conduit into the insurance industry,” she said, will “always be an outsider to the businesses. You may be valued, but you're not assessing the risks with senior management.”

And while the current financial crisis presents untold risks for organizations, it can also provide opportunities, she noted.

“For a risk professional to show an understanding of those risks and discuss with management some potential solution strategies for mitigation is invaluable,” said Ms. Ochenkowski. “With adversity comes opportunity, and this is a great opportunity for risk managers to move forward.”

Jeffrey Driver, CRO at Stanford University Medical Center in Palo Alto, Calif., has been at Stanford for five years, and came into the job as a CRO. Stanford, he said, was an early adopter of the position.

“As a CRO, you are basically responsible for all aspects of risk across the organization, from corner to corner,” he explained. “You could distinguish that from other types of managing risk. Some use a silo approach.”

He said a CRO in the health care field can cross over from employment risks, to workers' compensation, to professional liability, and also manage a captive insurer.

Mr. Driver is a member of the senior staff and has three directors–a senior director of finance, a senior director who is an attorney in claims and litigation, and a senior director in risk management who manages loss control for the organization.

Although he said he “fell into” the CRO position, he was, without a doubt, prepared. “I have a number of degrees and can see things from different viewpoints,” he noted. Those degrees include business finance and law, “and I also practice clinically. So in my profession, I can see risks holistically from various viewpoints.”

Mr. Driver explained that other skills are needed as well. “If you can peel away the intellectual part, the ability to work with senior management at all aspects of risk is very important–being able to get things done in a complex system.”

Although these skills are necessary for success, they “aren't the things you learn in school, and I'm not sure they can be taught, but it's something you have to be able to do,” he said. “Because you're going to come across some situations that will require a lot of effort to control the risk, and you have to work with senior management to correct them.” That includes finding ways to confront and control even the most challenging risks.

“We have to find ways to do things,” he explained. “I tell our senior management: 'It's not our job to say no. It's our job to find a way.' We're specialists in mitigating the risk, so very rarely will we go in and say, 'No.' We try to find the safest way possible.”

Emphasizing that “insurance is just one aspect of the total risk management package,” he agreed it's important for a risk manager to know the industry in which they're involved, inside and out. “I practice as a therapist, so I've walked the walk,” he said. “For me to cross into another field as a CRO would be difficult because I would have to understand the risk.”

To widen your knowledge base, he advised getting involved in a professional society, such as RIMS or the American Society for Healthcare Risk Management. Another association, the Public Risk Management Association, is available for public sector risk managers.

Mr. Driver agreed that a CRO also must look at risk strategically, citing the broader thinking he must employ in managing the organization's captive. With about 200 claims a year, he said proper coding “tells us a story about where our losses are. We can determine the driving factors of losses in our hospitals and medical groups.”

For example, he said, the data showed that a contributing factor to losses was poor communication among providers, physicians and patients. To remedy the situation and enhance communications, he said the organization turned to online education for patients and their families.

Now, Mr. Driver noted, “when the patient comes to us, they are better prepared. This year we're not seeing the same issues we were seeing, and so now we're moving to other issues.”

James D. Birchfield, CRO for Aggregate Industries Management Inc., in Rockville, Md., a global supplier of building materials–distributing aggregates, sand and gravel, and asphalt in 74 countries–said he is surprised there aren't more CROs, “given Sarbanes-Oxley [compliance and reporting requirements for public companies] and given the recent meltdown in all of the financial markets.”

He observed, however, that “unfortunately, I've met a lot of people who call themselves risk managers that are nothing more than insurance buyers. So I'm sure that's part of it.”

If you weeded out the true risk managers, he added, those actually managing risk within their corporations in an enterprisewide approach “would be the people who would be eligible to be upgraded to a CRO position,” estimating “that's probably 10 percent of the people who call themselves risk managers.”

CROs are typically found in large organizations, although Mr. Birchfield said that with globalization and other challenges, there should be more CRO-level positions in smaller companies–including those with as little as $100 million in revenues. (Mr. Birchfield characterized his own firm as “about a $2 billion company in the U.S. and about $30 billion globally.”)

What sometimes limits CROs, however, is “the company's reluctance to let a risk manager take on the full role,” he said. “The board has to recognize the value of a true risk management professional and have them involved in every aspect of the business.”

To make their way into the C-Suite, he said, risk managers need to speak up and continually sell their value and ability to the chief executive officer, chief financial officer and the board.

They need to “get involved in as many parts of the company as they possibly can,” he advised. “If they're only an insurance buyer, they need to get out into operations and learn about that. Chum up to the controller or the head of the finance department. They need to get out there and toot their own horn. That's the only way it's going to happen.”

Most importantly, he said, they must let other senior company officials know what more they can do for them. For example, he said he lets contract bidders know that “they don't necessarily have to bid jobs that high, because here are your surety costs, here is what we're going to back-charge, and we can fine-tune their bids.”

Eamonn Cunningham, CRO of Westfield Ltd. in Sydney, Australia–a retail property developer, owner and manager that owns about 120 shopping centers in the United States, Australia, New Zealand and the United Kingdom–is a believer in working into the position with a company.

“I'm in my 22nd year,” he noted. “I've come up through the ranks and have been CRO about two-and-a-half years.”

Mr. Cunningham began with the company as a certified public accountant working in the finance area. He moved into administration, with the responsibility of procuring insurance.

“When I moved into that area about 12 years ago, I saw there was a cleverer way of looking at risk management, so I brought Westfield along on a journey from procuring insurance the traditional way, to basic risk management, to the introduction of ERM about three years ago–what I like to call the 'enlightened' risk management phase.”

As a result of his efforts, the CRO position was created for him, he said.

While some organizations are constantly looking to improve profitability, he said his own firm, while still very conscious of the bottom line, has other priorities as well.

“Our reputation is absolutely invaluable, and we wanted to insure that there was nothing lurking in our vast operation that could adversely impact our reputation–one of our key risks,” he said, noting that the company wants to prevent something unexpected happening that could retard the company's growth.

His advice to risk managers looking to advance was simple: “Be very clear about what you want to achieve, and work hard to influence the people whose support you need to make it happen.” In his case, he said, “fortunately, the senior managers were incredibly supportive.”

Although support from the top is critical, he added, “you also must be working on support from middle management. If you don't bring middle management on this journey with you, then you're not going to succeed. Your program will be on a very, very rocky journey.”