The Evolution of the CRO into Today’s World

In the 1900s, Chief Risk Officer (CRO) roles became more prominent in financial institutions after the appointment of James Lam at General Electric. Then in the 2000s, the global financial crisis saw the introduction of an avalanche of regulatory frameworks such as Basel, MiFID and GDPR, which changed the role of the CRO. In today’s world, CROs need to address cyber, green finance, climate risk and AML/CTF, among other responsibilities. In this article, Director Andrew Murphy discusses how the role of the CRO has evolved since the 1900s and what the next 5 years will look like as the evolution continues.

The introduction of the CRO role in the early 1990s was borne out of the need for tighter corporate governance following fallouts such as Barings. The key task of the CRO was to create a holistic picture of all risk exposures faced by a financial institution, forming an independent second line of control to support the CEO in understanding the complex interaction and interdependence between the various risk dimensions.

Operationally, CROs were tasked with managing credit, liquidity and market risks through:

acting as an objective and unbiased advisor to the business;
reducing income and valuation volatility;
being a custodian of the risk appetite; and
implementing a risk culture.

Fast forward a decade into the 2000s, when risk-taking among big U.S. banks reached new heights, eventually setting off a massive global financial crisis with severe and wide-ranging consequences. From this monumental fallout ensued an avalanche of regulatory frameworks such as Basel III, MiFID, EMIR, Solvency and so on, which required the CRO to implement enterprise risk management (ERM) programmes involving the centralised modelling and management of all risk across a firm’s departments and business units.

During the 2000s, we also witnessed the rise of digitalisation which meant that CROs had to:

enable digital innovation within the organisation;
build cyber risk resilience;
leverage risk technology to predict risk outcomes; and
integrate the digital risks into the wider ERM framework.

In today’s world, the remit of the Risk Officer is one of overall responsibility: they are now tasked with introducing new risk agendas into the traditional risk domains such as operational, enterprise and conduct risk. The role is shifting away from managing downside risk and regulatory expectations towards supporting the boardroom in building a sustainable business model.

CROs now have to find a way to introduce into these traditional risk domains:

cyber security;
big data;
climate risk;
strategic risk; and
human capital.

Redesigning the target operating model (TOM) to meet the emerging risks head on will be at the forefront of the CRO’s agenda over the next 5 years. Doing more with less will be a common theme, with the objective of reducing manual internal controls and potentially outsourcing the automation of such regulatory requirements to smaller regtech firms. This will allow the CRO to allocate resources that add value to the organisation and secure the longer-term sustainability of the company.

Disruptive business forces, competition from fintechs and unpredictable economic events have created an environment of relentless volatility, uncertainty, complexity and ambiguity (VUCA). This, in turn, has created a risk landscape that is in constant flux. Overall, the CRO will be expected to rethink the risk function’s operating model and to do more with very few resources. The new environment will require a deeper involvement of the risk function in strategy design.

William McCoppin

William has experience across multiple markets, specialising in compliance and financial crime at the interim, mid-to-senior and executive level.