Canada: CROs In The Spotlight: Market Turmoil Heightens Prominence Of, And Regulatory Focus On, The Role Of The Chief Risk Officer In Canadian Financial Institutions

The recent financial crisis has brought new focus, from financial institutions and their regulators, on the ways in which financial institutions, including insurance companies in Canada and abroad, manage the risks they face. Everyone is acutely aware of the need to better understand the risks they face, and to minimize those risks. This has in turn heightened the prominence of, and regulatory focus on, the relatively new role of the "Chief Risk Officer", or CRO, as a key member of the senior executive team of many financial institutions. Julie Dickson, Canada's Superintendent of Financial Institutions, has recently made numerous public comments on the critical role of the CRO, and her office now holds annual risk management seminars with CROs from the various types of regulated institutions. Speaking to CROs at one such recent session, she noted, "As CROs you have an incredibly important role to play, and a difficult role." The increased attention on CROs, in her words:

"... reflects a key learning from the global financial turmoil: there is a real need for regulators and financial institutions to focus on both the role of the CRO, and solid risk management practices."1

In that context, this article provides a brief history of the CRO role, a summary of the current state of the position and a survey of possible trends relating to the role, including likely future challenges and pressures.

Development of the CRO position

The creation of the CRO position is widely credited to James Lam, who, in the mid-1990s, assumed the title of CRO at GE Capital and implemented a system of risk management widely known today as enterprise risk management, or "ERM".2 In simple terms, ERM is a risk management system that analyzes and addresses risk on a firm-wide, or enterprise-wide, basis. ERM has grown over time into a vast industry fed by a voluminous body of business and scholarly research and writing (all of which is beyond the scope of this article). Although the concept was relatively novel when introduced, corporate scandals (Enron, WorldCom, etc.), along with the introduction of various regulatory schemes requiring compliance with certain risk metrics (Sarbanes-Oxley, Basel II, etc.), allowed ERM and the concept of the CRO position to gain further momentum and acceptance, even if such acceptance was intended merely to allow a firm to comply with specific regulatory requirements rather than being an endorsement of the CRO position or of ERM itself. The position gained its earliest footholds in the finance and energy sectors.3 In the years just prior to the recent crisis, the CRO position had evolved beyond simply being a tool used by large multinational firms, or by firms subject to specific regulatory compliance requirements, and beyond the traditional risk management focus on prevention of loss. In the most proactive firms, the CRO position had begun to be viewed as a tool that created value by identifying opportunities to exploit risks, rather than simply shielding firms from potential risks.4 In all environments, it had become much more demanding.

The CRO position today


It would appear that, post-crisis, the CRO position continues to vary considerably across industries, reflecting differences in the type, severity and potential impact of risks faced. In addition, the role may differ considerably between firms in the same industry, possibly reflecting the relative newness of the concept and position. Factors influencing such differences include (i) the size and global reach of the firm, (ii) the firm's culture or approach to risk (i.e. whether risk management is considered a high priority of the board of directors or CEO), (iii) the presence of an ERM proponent or an individual keen to spearhead the development of a CRO position, and (iv) the competency of the CRO himself/herself. All of these factors serve to define the position of CRO at any particular firm. However, in general terms, the CRO responsibilities typically are focussed on (i) "technical oversight", and (ii) "directional influence".

Technical oversight refers to the specific responsibility to compile information, data and analysis related to the various known (and, potentially, unknown) risks of a firm (e.g. operational, compliance and financial risks), and to identify new risks to the firm, and based on such knowledge, to gain or develop a comprehensive understanding of the role that risk plays in the firm, including overlapping or conflicting risks and in particular those risks which may not be recognizable without a view of the firm as a whole. This oversight, which goes to the heart of an ERM approach, can be starkly contrasted to the "traditional" approach to risk management which involves, to use industry jargon, risk "silos", wherein each department or business unit of a firm manages its risks separately. It is widely acknowledged that the skill set required for the technical oversight responsibility of the CRO position is not well defined and this is a further reason why the "typical" role of a CRO is not readily definable.5

The second of a CRO's principal responsibilities, directional influence, is what differentiates a CRO from most risk managers and what makes a quality CRO a critical and valued member of the senior management team, or "C-Suite". A CRO's ability to develop a comprehensive understanding of the whole of a firm's risks is significant; however, unless this understanding is translated into corporate action that leads to desired business outcomes, the utility of a CRO will remain relatively limited.

As well, the CRO position has, generally, been described as being responsible for some or all of the following functions:

  • Providing the overall leadership, vision and direction for ERM;
  • Establishing an integrated risk management framework for all aspects of risks across the organization;
  • Developing risk management policies, including the quantification of management's risk appetite through specific risk limits;
  • Implementing a set of risk metrics and reports, including losses and incidents, key risk exposures, and early warning indicators;
  • Allocating economic capital to business activities based on risk, and optimizing the company's risk portfolio through business activities and risk transfer strategies;
  • Improving the company's risk management readiness through communication and training programs, risk-based performance measurement and incentives, and other change management programs;
  • Developing the analytical, systems and data management capabilities to support the risk management program.6


A significant determinant, if not the most significant determinant, of the influence of a CRO on the activities of a firm is the reporting structure within which the CRO operates. A wide variety of reporting structures are observed today; each may function effectively, but each also presents certain difficulties or disadvantages. Common reporting structures include:

Board of Directors: Similar to the CEO, oftentimes a CRO reports directly to the board of directors. The ability of a CRO to report directly to the board regarding the risks faced by a firm would appear to provide an effective mechanism for, ultimately, translating a CRO's understanding of enterprise-wide risk into desired business outcomes, and may be particularly effective if board members are familiar with and view risk management as a significant priority for the firm. However, where board members, already charged with a host of other responsibilities, do not proactively embrace risk management (whether for lack of interest, understanding, time or any other reason), the efforts, ideas and ultimate value of a CRO may be significantly diminished.

Board Committee: A variant is a structure wherein the CRO reports to a board committee, such as a Risk Committee. Similarly, a structure which allows a CRO to present findings and strategies to certain board members can be advantageous, but is subject to limitations similar to those applicable to reporting to the entire board of directors, particularly where the CRO reports to a firm's Audit Committee (which is already charged with other critical and time-consuming responsibilities) rather than to a dedicated Risk Committee.

CEO: No matter how influential the position of CRO may become in a firm, there are those, including some CROs themselves,7 who will always consider the CEO to be the firm's ultimate CRO. As such, a reporting structure wherein the CRO reports directly to the CEO (provided a strong relationship exists between the CRO and the CEO), may be an effective manner to translate a CRO's understanding of firm-wide risks into desired business outcomes, as this understanding is conveyed to the individual charged with the overall management of the firm. As with reporting to the board of directors, where a CEO does not embrace the utility of a CRO, the position is likely to be of limited effectiveness. Reporting to the CEO also appears to be OSFI's preferred approach, as last June Superintendent Dickson noted:

"The global banking industry has acknowledged that CROs should have been more front-and-centre at their firms. As a result of the global financial turmoil, most banks have made changes to ensure that CROs now report directly to the CEO. The status and visibility of CROs within a firm is important - both with the CEO and the board. Many life companies are following suit and this is a development that I encourage."8

In a recent survey of nearly 400 executives from insurance companies around the world, conducted for KPMG International and reported in KPMG's November 2009 publication "Getting the Balance Right", 45% of respondents reported that their CROs report to the CEO. Robert Lang of HSBC was quoted as noting, "Speaking as a Chief Executive, I would always foresee a CRO as my direct report and that person would always be a key contributor to the daily running of my business and its strategic considerations".

CFO, Chief Information Officer, Chief Compliance Officer: A reporting structure in which a CRO reports to the CFO, CIO, CCO or another C-Suite member is generally viewed as providing a CRO with less influence, and ultimately as being less effective in creating positive business outcomes, simply because these positions (CFO, CIO and CCO) typically lack the required firm-wide influence to implement strategies that were developed from firm-wide analysis in order to address firm-wide issues. In the same survey for KPMG, 20% of respondents reported that their CROs report to the CFO.

Future of the CRO position

The role of a CRO will no doubt continue to evolve, shaped by a number of factors. Perhaps, if the financial crisis had not occurred, the role would emphasize identifying those risks that create value for a firm, a concept that, as discussed above, characterized the years just prior to the financial crisis. However, in light of the financial crisis, it seems that the future motivations of financial institutions, with regard to implementing ERM and appointing CROs, which will in turn significantly influence the role of CROs, will be directed more toward loss prevention and regulatory compliance. In fact, Ernst & Young recently predicted in its Global Insurance Center 2010 U.S. Outlook for the life insurance industry that "[t]he chief risk officer will also face increasing demands from regulators and ratings agencies on risks assumed and capacity".9

In Canada, Superintendent Dickson has demonstrated this increasing regulatory focus by noting that, generally,

"I think that a seasoned, smart CRO who is part of the most senior management team, who has clout and who is respected within the organization as someone who is striving to maximize shareholders and depositors interests over the long run - not over the short run - is key. The CRO position is one where financial institutions should not skimp on talent. After all, this is one person who has to deal with shareholder pressure to increase profits and share price, which typically has meant taking on least until a problem occurs."10

Further, she has separately commented:

"... whenever a new CRO, for example, is appointed at a financial institution, we consider how that affects our risk assessment. We discuss how much depth the new CRO has, the person's clout and general disposition toward risk. At times, I have to say we have expressed, within OSFI, positive and negative views about such appointments."11

In terms of OSFI's focus, she has noted:

"The themes in two recent industry reports, the Institute of International Finance (IIF) report, released on July 17, 2008 and the Counterparty Risk Management Policy Group (CRMPG) III report, released on Aug 6, 2008, are similar. The reports are voluminous, but they contain several items worth noting for both banks and insurance companies.

Chief Risk Officers should periodically commission a review and assessment of the institution's investment in risk management, for presentation to the senior management and the board. This should not happen only after a big problem has occurred; it should happen as part of the normal course of business."12

Comparing the different industries regulated by OSFI, she has remarked to the property and casualty insurance CROs:

"While the P&C industry has perhaps been ahead of the other sectors in the management of specific risks, the establishment of the CRO position, and the processes that accompany it, which allow for quicker assessment of risk across an entire organization, have been slower to develop in the P&C industry to date.

OSFI recognizes that the P&C industry has a diversity of institutions in terms of their size, number and complexity of business lines, risk appetite, etc., and that all of these factors will logically lead to different requirements with respect to the robustness of the risk management program. However, I cannot overemphasize the importance of having an organization-wide enterprise risk management process in place to help manage the numerous known, unknown, and emerging risks that P&C institutions face in these challenging times."13

In the UK, meanwhile, the November 2009 report prepared by David Walker entitled "A Review of Corporate Governance in UK Banks and other Financial Industry Entities", commonly known as the Walker Report, includes the recommendation that banks and other financial institutions be served by a CRO who should participate in the risk management and oversight process at the highest level on an enterprise-wide basis. The Walker Report also recommends that the CRO have an internal reporting line directly to the CEO or CFO as well as report to a board Risk Committee.14 Similarly, the Committee of European Banking Supervisors (CEBS) recently published its high-level principles for risk management as part of its 2010 Standards and Guidelines.15 These high-level principles, which are intended to "strengthen the risk culture within institutions through enhancements in the risk management function" and which the CEBS recommends be implemented by its members before the end of 2010, include additional guidance with respect to "the role of the Chief Risk Officer and risk management functions".

The role and prominence of the CRO will also continue to be shaped by the composition and risk management focus of boards. As Superintendent Dickson commented recently:

"In a recent speech on the topic of governance, I suggested that institutions should consider adding risk management expertise to their boards, as well as insurance expertise. As boards change, your role as CROs will change. Having people who truly understand risk management on the board will likely lead to deeper board discussions, which is never a bad thing."17

Another challenge facing the CRO position is a lack of qualified individuals. As discussed above, the technical competence of a CRO is critical, as is the novel skill set required - the ability to grasp all risks of a firm, from financial to operational. Further, complicating this issue is the fact that firms, necessarily, face different risks, which subjects any CRO hired from outside the firm to a relatively steep learning curve.

A final future challenge for CROs, as well as ERM in general, may be to remain a relevant management position (and in the case of ERM, a relevant risk management technique). Put another way, the challenge is to avoid becoming, over time, merely the latest corporate fad or mantra (see Total Quality Management, Quality Circles, Continuous Improvement, Six Sigma, etc.). If the CRO position, as a whole, fails to produce desired business results, or to attract qualified individuals, it may become less relevant, perhaps remaining of high profile only in highly regulated sectors, such as the financial or energy industries. A return to economic prosperity may also threaten the status of the position - as Superintendent Dickson recently noted: "While CROs are valued today, their advice may not be as valued when times are good again."18


1 Remarks by Superintendent Julie Dickson, Office of the Superintendent of Financial Institutions Canada (OSFI) to the 2009 OSFI Risk Management Seminar for Life Insurance Companies, Toronto, Ontario, November 5, 2009.
2 Economist Intelligence Unit. (2005). "The evolving role of the CRO", The Economist Intelligence Unit, London/New York/Hong Kong (May) at p. 3.
3 Ibid. at p. 4.
4 Buehler K., Freeman A., Hulme R. "Owning the Right Risks" (2008). Harv Bus Rev 102-110.
5 Haubenstock, M. "Organizing a Financial Institution to Deliver Enterprise-wide Risk Management". Journal of Lending & Credit Risk Management 81(6), 46-52.
6 Lam J. (2003). What is enterprise risk management. Enterprise Risk Management (chap. 4 pp 43-55). Canada: Wiley. cited in Yi-Shang Huang, The Determinants of Enterprise Risk Management: Evidence from the Appointment of Chief Risk Officers in Publicly-listed Financial Firms in Taiwan. (Risk Management and Informational Engineering Thesis, Ming Chuan University, 2008) [unpublished] at p. 18.
7 Comment by Beverly S. Margolian, Executive Vice-President and Chief Risk Officer at Manulife Financial, at the Chief Risk Officer Forum Session 20 PD, Record, Volume 30, No. 2, Spring Meeting, San Antonio, Texas, June 14-15, 2004.
8 Remarks by Superintendent Julie Dickson, Office of the Superintendent of Financial Institutions Canada (OSFI) to the 2009 OSFI Risk Management Seminar for Life Insurance Companies, Toronto, Ontario, June 9, 2009.
9 Ernst & Young, Global Insurance Centre 2010 Outlook: US life insurance industry outlook, online:$FILE/US_life_outlook_v3.pdf at p. 2.
10 Remarks by Superintendent Julie Dickson, Office of the Superintendent of Financial Institutions Canada (OSFI) to the Canadian Centre for Ethics and Corporate Policy, Toronto, Ontario, April 17, 2008.
11 Remarks by Superintendent Julie Dickson, Office of the Superintendent of Financial Institutions Canada (OSFI) to the 2009 OSFI Risk Management Seminar for Life Insurance Companies, Toronto, Ontario, November 18, 2009.
12 Remarks by Superintendent Julie Dickson, Office of the Superintendent of Financial Institutions Canada (OSFI) to the Northwind Professional Institute 2008 Life Insurance Invitational Forum, Cambridge, Ontario, November 13, 2008.
13 Supra, note 1.
14 See Recommendation 24 in the Walker Report.
15 Committee of European Banking Supervisors (2010). High level principles for risk management, online: Committee of European Banking Supervisors
16 Committee of European Banking Supervisors, News Release, "CEBS today publishes its high level principles for risk management" (16 February 2010), online: CEBS
17 Supra, note 10.
18 Supra, note 10.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
