Enterprise risk management team: Roles and responsibilities
Every facet of business operations is exposed to risks, requiring a risk management team that's composed of a diverse mix of corporate executives and managers.
Enterprise risk management brings together executive-level risk owners to manage the entire scope of an organization's risks more effectively. Typically, an ERM team cooperatively identifies and manages business risks and their cross-functional impacts.
"The ultimate goal of an organization is to achieve a strategy," said Joey Gyengo, a principal and U.S. enterprise risk management leader at professional services firm KPMG. "ERM helps bend the curve in a more successful way so we can manage some downside volatility as well as achieve upside potential. It's understanding your risks and where things need to go as well as where they could go wrong -- how an organization can execute on strategy while building resilience."
The mix of roles on an enterprise risk management team varies from organization to organization, depending on its size, resources and industry.
"Do what makes sense for your organization and choose the leaders that will really engage and be helpful as you look out for the organization's topmost risks," said Keri Calagna, a principal at Deloitte who leads the professional services firm's strategic risk advisory practice in the U.S. "It's not one-size-fits-all. So just be thoughtful about it, take a fresh look and periodically revisit it to see how things are changing and if you've got the right committee and construct in place."
Who participates in ERM and what are their roles?
Let's look at who should be involved in a risk management team along with some basic details on what they each bring to the ERM process.
Board of directors
The board of directors tends to play an active ERM role as part of its corporate oversight. There could be a board-level committee or a board representative who is part of the ERM team. Deloitte's board, for example, has a formal risk committee, according to Calagna.
Chief executive officer
The CEO should actively participate with the ERM team, but not all CEOs do. "The stronger the role the CEO plays -- being an ambassador and champion for the importance of risk -- the better the program is," Calagna said.
Chief risk officer
The chief risk officer (CRO) typically chairs the ERM team and works with organizational leaders on risk response and the continuous improvement of risk identification and management, often with support from project managers and risk management specialists. While historically more common in financial services firms and focused on credit and other financial risks, the CRO role is expanding into other industries and taking on responsibility for additional types of risks.
"The traditional risk officer reports to the CFO because risk is viewed as a protection of financial investments. We call that the transactional risk officer," said Alla Valente, an analyst at Forrester Research. She is also seeing the rise of transformational risk officers, who report directly to the CEO or the board of directors. "They're looking at risk from both risk and opportunity perspectives because, anytime you do something new, it's not without risk."
Chief audit officer
The number of individuals with full-time ERM jobs tends to be in the single digits, even in large companies. But the auditing function might employ hundreds of people, and its responsibilities could include managing the ERM process if there's no formal risk management committee.
Chief operating officer
As second-in-command to the CEO, the COO is responsible for day-to-day administration and operations, and they are engaged with all other enterprise functions to ensure that the business is running smoothly at all levels. Typically, the COO is more hands-on than the CEO and can help identify risk management gaps and mitigate risks.
Chief financial officer
Inherently concerned with risks to revenue and profitability as well as insurance risks and their potential financial impact, the CFO has always been involved in risk management efforts and plays a leading role in them in most organizations.
Chief legal officer
Also known as general counsel, the chief legal officer handles the enterprise's legal matters, including potential liability issues. While the company might have relationships with one or more law firms, the chief legal officer has a bird's-eye view of the company's legal posture, which makes the position a logical fit for a risk management team.
Chief privacy officer
The chief privacy officer ensures data usage doesn't violate regulations and laws, such as the EU's General Data Protection Regulation, the California Consumer Privacy Act and Illinois' Biometric Information Privacy Act. This role, another natural one to include in ERM efforts, might also be handled by the head of compliance.
Chief compliance officer
As part of broader governance, risk and compliance initiatives, the chief compliance officer -- or just compliance officer, in some cases -- ensures that the enterprise is complying with all relevant laws and regulations. In addition to data privacy, the compliance officer is concerned with issues like worker safety, marketing and financial practices. If the chief legal officer is part of the enterprise risk management team, the compliance officer might not need to be a member.
Chief information officer
Technology presents all sorts of business opportunities and potential risks. Networks and applications, for example, might have cybersecurity vulnerabilities as well as dependencies on other IT infrastructure components. As part of a risk management program, the CIO helps ensure business continuity and works with other organizational leaders to ensure that the various operating units have the technology they need to optimize their operations while minimizing operational risks.
Chief information security officer
As the head of the company's cybersecurity group and security operations center, the CISO creates, maintains and enforces security policies and helps facilitate a cyber-aware risk culture. Risk-related responsibilities include working closely with IT to minimize vulnerabilities in networks, systems and software as well as understanding the threat landscape and the business risks it poses.
Chief human resources officer
Also sometimes known as the chief people officer, the CHRO is concerned with managing and minimizing workforce-related risks. Oracle, for example, axed independent contractors en masse in 2020 because of independent contractor laws adopted in California and other states.
Chief strategy officer
The chief strategy officer, or someone else representing strategy, innovation and research activities, ensures risk management is aligned with the enterprise's strategic business goals.
Risk management for career professionals
The following articles provide resources for risk management professionals:
Chief sustainability officer
Environmental, social and governance (ESG) issues have moved to the top of many corporate agendas. The chief sustainability officer or chief ESG officer ensures risk management is aligned with the purpose and goals of the organization's ESG strategy and program.
Chief digital officer
Executives carrying the title of chief digital officer, chief innovation officer or chief transformational officer oversee innovation, change management, transformation, and mergers and acquisitions, all of which involve different degrees of risk.
Chief communications officer
The chief communications officer manages stakeholder communications and should be sensitive to potential risks affecting the integrity, reputation and credibility of the organization.
Department managers
Department heads and line-of-business leaders -- in many cases, the designated risk owners -- best understand the potential risks in their respective areas, sometimes with the help of enterprise risk managers. Business units, for example, make decisions to procure technology with the involvement of the CISO to minimize potential cybersecurity risks.
Staff
The general workforce typically doesn't participate directly with the risk management team, but employees can alert management to perceived risks. Staff members can also lower enterprise risks by exercising good cyber hygiene or contributing ideas on how to better manage risks.