Enterprise risk management team: Roles and responsibilities

Every facet of an enterprise's operations is exposed to risk, requiring an all-encompassing risk management team composed of a diverse mix of corporate executives and managers.

Enterprise risk management brings together executive-level risk owners to manage the entire scope of an organization's risks more effectively. Typically, an ERM team cooperatively identifies and manages risks and their cross-functional impacts.

"The ultimate goal of an organization is to achieve a strategy," said Joey Gyengo, principal at global professional services network KPMG. "ERM helps bend the curve in a more successful way so we can manage some downside volatility as well as achieve upside potential. It's understanding your risks and where things need to go as well as where they could go wrong -- how an organization can execute on strategy while building resilience."

The mix of roles on an enterprise risk management team varies from organization to organization, depending on its size, resources and the industry in which it operates.

"Do what makes sense for your organization and choose the leaders that will really engage and be helpful as you look out for the organization's topmost risks," said Keri Calagna, principal at multinational professional services network Deloitte. "It's not one-size-fits-all, so just be thoughtful about it, take a fresh look and periodically revisit it to see how things are changing and if you've got the right committee and construct in place."

Who participates in ERM and what are their roles?

Board of directors

The board of directors tends to play an active ERM role as part of its corporate oversight. There could be a board-level committee or a board representative who is part of the enterprise risk management team. Deloitte's board, for example, has a formal risk committee, according to Calagna.

Chief executive officer

The CEO should actively participate with the ERM team, but not all CEOs do. "The stronger the role the CEO plays -- being an ambassador and champion for the importance of risk -- the better the program is," Calagna said.

Chief risk officer

The CRO chairs the ERM team and works with organizational leaders on risk response and the continuous improvement of risk identification and management. While historically more common in financial services companies and focused on credit and other financial risks, the CRO role is expanding into other vertical industries and taking responsibility for additional types of risk.

"The traditional risk officer reports to the CFO because risk is viewed as a protection of our financial investment. We call that the transactional risk officer," said Alla Valente, senior analyst at Forrester Research. "We're also seeing the rise of the transformational risk officer who reports directly to the CEO or sometimes with a direct line to the board of directors. They're looking at risk from both risk and opportunity perspectives because, anytime you do something new, it's not without risk."

Chief audit officer

The number of individuals with full-time ERM jobs tends to be in the single digits, even in large companies. The auditing function, however, may employ hundreds of people, and it may take on the management of ERM if there is no formal risk committee.

Chief operating officer

As second-in-command to the CEO, the COO is responsible for day-to-day administration and operations and is engaged with all other enterprise functions to ensure that the business runs smoothly at all levels. Typically, the COO is more hands-on than the CEO and can help identify risk management gaps and minimize risks.

Chief financial officer

Regularly concerned with risks to revenue and profitability as well as insurance risks and their potential financial impact, the CFO has always been involved in risk management efforts.

Chief legal officer

Also known as general counsel, the chief legal officer handles the enterprise's legal matters, including potential liability issues. While the company may have relationships with one or more law firms, the general counsel has a bird's-eye view of the company's legal posture.

Chief privacy officer

The chief privacy officer helps ensure that data usage doesn't run afoul of regulations and laws such as the EU's General Data Protection Regulation, the California Consumer Privacy Act and Illinois' Biometric Information Privacy Act. This role may also be handled by the head of compliance.

Compliance officer

The compliance officer ensures that the enterprise is complying with applicable protection laws and regulations. In addition to privacy, the compliance officer is concerned with issues such as worker safety. If the chief legal officer is part of the enterprise risk management team, a separate compliance officer may not be necessary.

Chief information officer

Technology presents all sorts of business opportunities and potential risks. Networks and applications, for example, may have cybersecurity vulnerabilities as well as dependencies on other IT ecosystem components. The CIO helps ensure business continuity and works with other organizational leaders to ensure that the various operating units have the technology they need to optimize their operations while minimizing operational risks.

Chief information security officer

As the head of the enterprise's cybersecurity group and security operations center, the CISO creates, maintains and enforces security policies and helps facilitate a cyber-aware risk culture. Responsibilities include working closely with IT to minimize vulnerabilities in networks, systems and software as well as understanding the threat landscape.

Chief human resources officer

Also known as the chief people officer, the CHRO is concerned with risks to the workforce and minimizing workforce-related risks. Oracle, for example, axed independent contractors en masse in 2020 as a result of independent contractor laws adopted in California and other states.

Chief strategy officer

The chief strategy officer or someone representing strategy, innovation and research helps ensure that risk management is aligned with the enterprise's strategic business goals.

Chief sustainability officer

Environmental, social and governance (ESG) issues have moved to the top of corporate agendas. The chief sustainability officer or chief ESG officer helps ensure that risk management is aligned with the organization's purpose and goals.

Chief digital officer

Executives carrying the title of chief digital officer, chief innovation officer or chief transformational officer oversee innovation, change management, transformation, and mergers and acquisitions, all of which involve different degrees of risk.

Chief communications officer

The chief communications officer manages stakeholder communications and is sensitive to potential risks affecting the integrity, reputation and credibility of the enterprise.

Department managers

Department heads and line-of-business leaders best understand the potential risks in their respective areas, sometimes with the help of enterprise risk managers. Business units, for example, make decisions to procure technology with the involvement of the CISO to minimize potential cybersecurity risks.

The general workforce doesn't participate in the enterprise risk management team, but employees can alert management to perceived risks. Staff members can also lower enterprise risk by practicing good cyberhygiene and contributing ideas on how to better manage risks.