What a Risk Manager Does


Learn to Think and Do Like a Chief Risk Officer (CRO)


You might wonder why we're focusing on what a CRO does in a course about operational risk management. The reason is that the roles of an operational risk manager and a CRO are fundamentally the same—the main difference lies in the scope of their responsibilities. A CRO oversees all types of risk, while an operational risk manager focuses specifically on operational risk. By understanding the broader role of a CRO, we can better apply those principles to the more specific field of operational risk management.

To understand how to think like a CRO, we need to explore the elements of the Risk Management Framework (RMF), a structured approach that guides both thinking and action.


What does a CRO do?


At its core, a CRO helps an organization effectively manage risk. But what does that actually mean? Let’s break it down.

First and foremost, risk management involves the entire organization—not just the CRO or the Risk Management department. The idea that "everybody is a risk manager" is popular, but it doesn’t mean everyone has the same responsibilities. An effective RMF clarifies the different roles and responsibilities related to risk management, specifying who does what and by when.


What "Manage" Means


The word "manage" is key in the statement, “A CRO enables an organization to effectively manage risk.” In a business context, "manage" can mean many things: supervising, budgeting, planning, evaluating, prioritizing, setting objectives, assigning tasks, negotiating, strategizing, and more. The RMF organizes these activities into a coherent structure, ensuring they all work together when it comes to managing risk.


What "Risk" Means


The term "risk" is widely used but often means different things to different people. Generally, it refers to the possibility of something bad happening. Some extend the definition to include both bad (downside risk) and good outcomes (upside risk), but this can create confusion. We already have a word for good outcomes—"reward." So, when we talk about a risk-reward trade-off, we mean we accept the possibility of something bad happening in hopes of achieving something good.

It’s important to note that we’re talking about the possibility, not the certainty, of bad things happening. If something is certain, it’s not a risk—it’s an inevitability. For example, if I leave a safe full of cash open in a public space, there’s no risk the money will be taken—it’s inevitable.

When we refer to risk as the possibility of something bad happening, we can refine this by considering the probability of various bad events and their potential severity. This helps determine how much attention we should give to different risks. For example, while the chance of a nuclear bomb being dropped today might be low, the severity would be catastrophic. If the context changes—say, due to an escalating conflict—this risk might demand more attention.


Who Decides


What constitutes a "bad" outcome can vary depending on who you ask and the context. For one person, something might be bad; for another, it could be catastrophic; and for someone else, it might be negligible. Who decides what is bad within an organization? This varies across organizations, with some more comfortable taking risks than others. For example, in the COSO framework, failing to meet objectives is considered a bad outcome. In contrast, financial institutions might define bad events as those causing financial or reputational loss—or both.


The Risk Management Framework


The RMF helps answer these kinds of questions, providing consistent, organization-wide definitions and guidelines for managing risk.
