Enterprise risk management brings together executive-level risk owners to manage the entire scope of an organization's risks more effectively. Typically, an ERM team cooperatively identifies and manages risks and their cross-functional impacts.
"The ultimate goal of an organization is to achieve a strategy," said Joey Gyengo, principal at global professional services network KPMG. "ERM helps bend the curve in a more successful way so we can manage some downside volatility as well as achieve upside potential. It's understanding your risks and where things need to go as well as where they could go wrong -- how an organization can execute on strategy while building resilience."
The mix of roles on an enterprise risk management team varies from organization to organization, depending on its size, resources and the industry in which it operates.
"Do what makes sense for your organization and choose the leaders that will really engage and be helpful as you look out for the organization's topmost risks," said Keri Calagna, principal at multinational professional services network Deloitte. "It's not one-size-fits-all, so just be thoughtful about it, take a fresh look and periodically revisit it to see how things are changing and if you've got the right committee and construct in place."
Who participates in ERM and what are their roles?
Board of directors
The board of directors tends to play an active ERM role as part of its corporate oversight. There could be a board-level committee or a board representative who is part of the enterprise risk management team. Deloitte's board, for example, has a formal risk committee, according to Calagna.
Chief executive officer
The CEO should actively participate with the ERM team, but not all CEOs do. "The stronger the role the CEO plays -- being an ambassador and champion for the importance of risk -- the better the program is," Calagna said.
Chief risk officer
The CRO chairs the ERM team and works with organizational leaders on risk response and the continuous improvement of risk identification and management. Historically the role was most common in financial services companies and focused on credit and other financial risks; it is now spreading into other vertical industries and taking on responsibility for additional types of risk.
"The traditional risk officer reports to the CFO because risk is viewed as a protection of our financial investment. We call that the transactional risk officer," said Alla Valente, senior analyst at Forrester Research. "We're also seeing the rise of the transformational risk officer who reports directly to the CEO or sometimes with a direct line to the board of directors. They're looking at risk from both risk and opportunity perspectives because, anytime you do something new, it's not without risk."
Chief audit officer
The number of individuals with full-time ERM jobs tends to be in the single digits, even in large companies. The internal audit function, by contrast, may employ hundreds of people, and its remit may include managing ERM if there is no formal risk committee.
Chief operating officer
As second-in-command to the CEO, the COO is responsible for day-to-day administration and operations and is engaged with all other enterprise functions to ensure that the business is running smoothly at all levels. Typically, the COO is more hands-on than the CEO and can help identify risk management gaps and minimize risks.
Chief financial officer
Regularly concerned with risks to revenue and profitability as well as insurance risks and their potential financial impact, the CFO has always been involved in risk management efforts.
Chief legal officer
Also known as general counsel, the chief legal officer handles the enterprise's legal matters, including potential liability issues. While the company may have relationships with one or more law firms, the general counsel has a bird's-eye view of the company's legal posture.
Chief privacy officer
The chief privacy officer helps ensure that data usage doesn't run afoul of regulations and laws such as the EU's General Data Protection Regulation, the California Consumer Privacy Act and Illinois' Biometric Information Privacy Act. This role may also be handled by the head of compliance.
The compliance function ensures that the enterprise is complying with the laws and regulations that apply to it. In addition to privacy, the compliance officer is concerned with issues like worker safety. If the chief legal officer is part of the enterprise risk management team, a separate compliance officer may not be necessary.
Chief information officer
Technology presents all sorts of business opportunities and potential risks. Networks and applications, for example, may have cybersecurity vulnerabilities as well as dependencies on other IT ecosystem components. The CIO helps ensure business continuity and works with other organizational leaders to ensure that the various operating units have the technology they need to optimize their operations while minimizing operational risks.
Chief information security officer
As the head of the enterprise's cybersecurity group and security operations center, the CISO creates, maintains and enforces security policies and helps facilitate a cyber-aware risk culture. Responsibilities include working closely with IT to minimize vulnerabilities in networks, systems and software as well as understanding the threat landscape.
Chief human resources officer
Also known as the chief people officer, the CHRO is concerned with risks to the workforce and minimizing workforce-related risks. Oracle, for example, axed independent contractors en masse in 2020 as a result of independent contractor laws adopted in California and other states.
Chief strategy officer
The chief strategy officer or someone representing strategy, innovation and research helps ensure that risk management is aligned with the enterprise's strategic business goals.
Chief sustainability officer
Environmental, social and governance (ESG) issues have moved to the top of corporate agendas. The chief sustainability officer or chief ESG officer helps ensure that risk management is aligned with the organization's purpose and goals.
Chief digital officer
Executives carrying the title of chief digital officer, chief innovation officer or chief transformation officer oversee innovation, change management, transformation, and mergers and acquisitions, all of which involve different degrees of risk.
Chief communications officer
The chief communications officer manages stakeholder communications and is sensitive to potential risks affecting the integrity, reputation and credibility of the enterprise.
Department heads and line-of-business leaders best understand the potential risks in their respective areas, sometimes with the help of enterprise risk managers. Business units, for example, make decisions to procure technology with the involvement of the CISO to minimize potential cybersecurity risks.
The general workforce doesn't participate in the enterprise risk management team, but employees can alert management to perceived risks. Staff members can also lower enterprise risk by practicing good cyber hygiene or by contributing ideas on how to better manage risks.