Canada: CROs In The Spotlight: Market Turmoil Heightens Prominence Of, And Regulatory Focus On, The Role Of The Chief Risk Officer In Canadian Financial Institutions

The recent financial crisis has brought new focus, from financial institutions and their regulators, on the ways in which financial institutions, including insurance companies in Canada and abroad, manage the risks they face. Everyone is acutely aware of the need to better understand the risks they face, and to minimize those risks. This has in turn heightened the prominence of, and regulatory focus on, the relatively new role of the "Chief Risk Officer", or CRO, as a key member of the senior executive team of many financial institutions. Julie Dickson, Canada's Superintendent of Financial Institutions, has recently made numerous public comments on the critical role of the CRO, and her office now holds annual risk management seminars with CROs from the various types of regulated institutions. Speaking to CROs at one such recent session, she noted, "As CROs you have an incredibly important role to play, and a difficult role." The increased attention on CROs, in her words:

"... reflects a key learning from the global financial turmoil: there is a real need for regulators and financial institutions to focus on both the role of the CRO, and solid risk management practices."1

In that context, this article provides a brief history of the CRO role, a summary of the current state of the position and a survey of possible trends relating to the role, including likely future challenges and pressures.

Development of the CRO position

The creation of the CRO position is widely credited to James Lam, who, in the mid-1990s, assumed the title of CRO at GE Capital and implemented a system of risk management widely known today as enterprise risk management, or "ERM".2 In simple terms, ERM is a risk management system that analyzes and addresses risk on a firm-wide, or enterprise-wide, basis. ERM has grown over time into a vast industry fed by a voluminous amount of business and scholarly research and writing (all of which is beyond the scope of this article). Although ERM and the CRO position were fairly unique when introduced, corporate scandals (Enron, Worldcom, etc.), along with the introduction of various regulatory schemes necessitating compliance with certain risk metrics (Sarbanes-Oxley, Basel II, etc.), allowed ERM and the concept of the CRO position to gain further momentum and acceptance, even if such acceptance was intended merely to allow a firm to comply with specific regulatory requirements, rather than being an endorsement of the CRO position and/or ERM itself. The position gained the earliest footholds in the finance and energy sectors.3 In the years just prior to the recent crisis, the CRO position had evolved beyond simply being a tool used by large multinational firms, or firms subject to specific regulatory compliance requirements, and beyond the traditional risk management focus of prevention of loss. In the most proactive firms, the CRO position had begun to be viewed as a tool which created value by identifying opportunities to exploit risks, as opposed to simply shielding firms from potential risks.4 In all environments, it had become much more demanding.

The CRO position today


It would appear that, post-crisis, the CRO position continues to vary considerably across industries, reflecting differences in the type, severity and potential impact of risks faced. In addition, the role may differ considerably between firms in the same industry, possibly reflecting the relative newness of the concept and position. Factors influencing such differences include (i) the size and global reach of the firm, (ii) the firm's culture or approach to risk (i.e. whether risk management is considered a high priority of the board of directors or CEO), (iii) the presence of an ERM proponent or an individual keen to spearhead the development of a CRO position, and (iv) the competency of the CRO himself/herself. All of these factors serve to define the position of CRO at any particular firm. However, in general terms, the CRO responsibilities typically are focussed on (i) "technical oversight", and (ii) "directional influence".

Technical oversight refers to the specific responsibility to compile information, data and analysis related to the various known (and, potentially, unknown) risks of a firm (e.g. operational, compliance and financial risks), and to identify new risks to the firm, and based on such knowledge, to gain or develop a comprehensive understanding of the role that risk plays in the firm, including overlapping or conflicting risks and in particular those risks which may not be recognizable without a view of the firm as a whole. This oversight, which goes to the heart of an ERM approach, can be starkly contrasted to the "traditional" approach to risk management which involves, to use industry jargon, risk "silos", wherein each department or business unit of a firm manages its risks separately. It is widely acknowledged that the skill set required for the technical oversight responsibility of the CRO position is not well defined and this is a further reason why the "typical" role of a CRO is not readily definable.5

The second of a CRO's principal responsibilities, directional influence, is what differentiates a CRO from most risk managers and what makes a quality CRO a critical and valued member of the senior management team, or "C-Suite". A CRO's ability to develop a comprehensive understanding of the whole of a firm's risks is significant; however, unless this understanding is translated into corporate action that leads to desired business outcomes, the utility of a CRO will remain relatively limited.

As well, the CRO position has, generally, been described as being responsible for some or all of the following functions:

  • Providing the overall leadership, vision and direction for ERM;
  • Establishing an integrated risk management framework for all aspects of risks across the organization;
  • Developing risk management policies, including the quantification of management's risk appetite through specific risk limits;
  • Implementing a set of risk metrics and reports, including losses and incidents, key risk exposures, and early warning indicators;
  • Allocating economic capital to business activities based on risk, and optimizing the company's risk portfolio through business activities and risk transfer strategies;
  • Improving the company's risk management readiness through communication and training programs, risk-based performance measurement and incentives, and other change management programs;
  • Developing the analytical, systems and data management capabilities to support the risk management program.6


A significant determinant, if not the significant determinant, of the influence of a CRO on the activities of a firm, is the reporting structure within which the CRO operates. A wide variety of reporting structures are observed today, each of which may function effectively, but also present certain difficulties or disadvantages. Certain reporting structures include:

Board of Directors: Similar to the CEO, oftentimes a CRO reports directly to the board of directors. The ability of a CRO to report directly to the board regarding the risks faced by a firm would appear to provide an effective mechanism for, ultimately, translating a CRO's understanding of enterprise-wide risk into desired business outcomes, and may be particularly effective if board members are familiar with and view risk management as a significant priority for the firm. However, where board members, already charged with a host of other responsibilities, do not proactively embrace risk management (whether for lack of interest, understanding, time or any other reason), the efforts, ideas and ultimate value of a CRO may be significantly diminished.

Board Committee: A variant is a structure wherein the CRO reports to a board committee, such as a Risk Committee. Similarly, a structure which allows a CRO to present findings and strategies to certain board members can be advantageous, but is subject to limitations similar to those applicable to reporting to the entire board of directors, particularly where the CRO reports to a firm's Audit Committee (which is already charged with other critical and time-consuming responsibilities) rather than a dedicated Risk Committee.

CEO: No matter how influential the position of CRO may become in a firm, there are those, including some CROs themselves,7 who will always consider the CEO to be the firm's ultimate CRO. As such, a reporting structure wherein the CRO reports directly to the CEO (provided a strong relationship exists between the CRO and the CEO), may be an effective manner to translate a CRO's understanding of firm-wide risks into desired business outcomes, as this understanding is conveyed to the individual charged with the overall management of the firm. As with reporting to the board of directors, where a CEO does not embrace the utility of a CRO, the position is likely to be of limited effectiveness. Reporting to the CEO also appears to be OSFI's preferred approach, as last June Superintendent Dickson noted:

"The global banking industry has acknowledged that CROs should have been more front-and-centre at their firms. As a result of the global financial turmoil, most banks have made changes to ensure that CROs now report directly to the CEO. The status and visibility of CROs within a firm is important - both with the CEO and the board. Many life companies are following suit and this is a development that I encourage."8

In a recent survey, conducted for KPMG International, of nearly 400 executives from insurance companies around the world, and reported in KPMG's November 2009 publication "Getting the Balance Right" (available at, 45% of respondents reported that their CROs report to the CEO. Robert Lang of HSBC was quoted as noting "Speaking as a Chief Executive, I would always foresee a CRO as my direct report and that person would always be a key contributor to the daily running of my business and its strategic considerations".

CFO, Chief Information Officer, Chief Compliance Officer: A reporting structure where a CRO reports to the CFO, CIO, CCO or other C-Suite member is, generally, viewed as providing a CRO with less influence, and ultimately as being less effective in creating positive business outcomes simply because these positions (CFO, CIO and COO) typically lack the required influence on a firm-wide basis to implement strategies that were developed as a result of firm-wide analysis in order to address firm-wide issues. In the same recent survey for KPMG, 20% of respondents reported that their CROs report to the CFO.

Future of the CRO position

The role of a CRO will no doubt continue to evolve, shaped by a number of factors. Perhaps, if the financial crisis had not occurred, the role would emphasize identifying those risks that create value for a firm, a concept that, as discussed above, characterized the years just prior to the financial crisis. However, in light of the financial crisis, it seems that the future motivations of financial institutions, with regard to implementing ERM and appointing CROs, which will in turn significantly influence the role of CROs, will be directed more toward loss prevention and regulatory compliance. In fact, Ernst & Young recently predicted in its Global Insurance Center 2010 U.S. Outlook for the life insurance industry that "[t]he chief risk officer will also face increasing demands from regulators and ratings agencies on risks assumed and capacity".9

In Canada, Superintendent Dickson has demonstrated this increasing regulatory focus by noting that, generally,

"I think that a seasoned, smart CRO who is part of the most senior management team, who has clout and who is respected within the organization as someone who is striving to maximize shareholders' and depositors' interests over the long run - not over the short run - is key. The CRO position is one where financial institutions should not skimp on talent. After all, this is one person who has to deal with shareholder pressure to increase profits and share price, which typically has meant taking on least until a problem occurs."10

Further, she has separately commented:

"... whenever a new CRO, for example, is appointed at a financial institution, we consider how that affects our risk assessment. We discuss how much depth the new CRO has, the person's clout and general disposition toward risk. At times, I have to say we have expressed, within OSFI, positive and negative views about such appointments."11

In terms of OSFI's focus, she has noted:

"The themes in two recent industry reports, the Institute of International Finance (IIF) report, released on July 17, 2008 and the Counterparty Risk Management Policy Group (CRMPG) III report, released on Aug 6, 2008, are similar. The reports are voluminous, but they contain several items worth noting for both banks and insurance companies.

Chief Risk Officers should periodically commission a review and assessment of the institution's investment in risk management, for presentation to the senior management and the board. This should not happen only after a big problem has occurred; it should happen as part of the normal course of business."12

Comparing the different industries regulated by OSFI, she has remarked to the property and casualty insurance CROs:

"While the P&C industry has perhaps been ahead of the other sectors in the management of specific risks, the establishment of the CRO position, and the processes that accompany it, which allow for quicker assessment of risk across an entire organization, have been slower to develop in the P&C industry to date.

OSFI recognizes that the P&C industry has a diversity of institutions in terms of their size, number and complexity of business lines, risk appetite, etc., and that all of these factors will logically lead to different requirements with respect to the robustness of the risk management program. However, I cannot overemphasize the importance of having an organization-wide enterprise risk management process in place to help manage the numerous known, unknown, and emerging risks that P&C institutions face in these challenging times."13

In the UK, meanwhile, the November 2009 report prepared by David Walker entitled "A Review of Corporate Governance in UK Banks and other Financial Industry Entities", commonly known as the Walker Report, includes the recommendation that banks and other financial institutions be served by a CRO who should participate in the risk management and oversight process at the highest level on an enterprise-wide basis. The Walker Report also recommends that the CRO have an internal reporting line directly to the CEO or CFO as well as report to a board Risk Committee.14 Similarly, the Committee of European Banking Supervisors (CEBS) recently published its high-level principles for risk management as part of its 2010 Standards and Guidelines.15 These high-level principles, which are intended to "strengthen the risk culture within institutions through enhancements in the risk management function" and which the CEBS recommends be implemented by its members prior to the end of 2010, include additional guidance with respect to "the role of the Chief Risk Officer and risk management functions".

The role and prominence of the CRO will also continue to be shaped by the composition and risk management focus of boards. As Superintendent Dickson commented recently:

"In a recent speech on the topic of governance, I suggested that institutions should consider adding risk management expertise to their boards, as well as insurance expertise. As boards change, your role as CROs will change. Having people who truly understand risk management on the board will likely lead to deeper board discussions, which is never a bad thing."17

Another challenge facing the CRO position is a lack of qualified individuals. As discussed above, the technical competence of a CRO is critical, as is the novel skill set required - the ability to grasp all risks of a firm, from financial to operational. Further, complicating this issue is the fact that firms, necessarily, face different risks, which subjects any CRO hired from outside the firm to a relatively steep learning curve.

A final future challenge for CROs, as well as ERM in general, may be to remain a relevant management position (and in the case of ERM, a relevant risk management technique). Put another way, the challenge is to avoid becoming, over time, merely the latest corporate fad or mantra (see Total Quality Management, Quality Circles, Continuous Improvement, Six Sigma, etc.). If the CRO position, as a whole, fails to produce desired business results, or to attract qualified individuals, it may become less relevant, perhaps remaining of high profile only in highly regulated sectors, such as the financial or energy industries. A return to economic prosperity may also threaten the status of the position - as Superintendent Dickson recently noted: "While CROs are valued today, their advice may not be as valued when times are good again."18


1 Remarks by Superintendent Julie Dickson, Office of the Superintendent of Financial Institutions Canada (OSFI) to the 2009 OSFI Risk Management Seminar for Life Insurance Companies, Toronto, Ontario, November 5, 2009.
2 Economist Intelligence Unit. (2005). "The evolving role of the CRO", The Economist Intelligence Unit, London/New York/Hong Kong (May) at p. 3.
3 Ibid. at p. 4.
4 Buehler K., Freeman A., Hulme R. "Owning the Right Risks" (2008). Harv Bus Rev 102-110.
5 Haubenstock, M. "Organizing a Financial Institution to Deliver Enterprise-wide Risk Management". Journal of Lending & Credit Risk Management 81(6), 46-52.
6 Lam J. (2003). What is enterprise risk management. Enterprise Risk Management (chap. 4 pp 43-55). Canada: Wiley. cited in Yi-Shang Huang, The Determinants of Enterprise Risk Management: Evidence from the Appointment of Chief Risk Officers in Publicly-listed Financial Firms in Taiwan. (Risk Management and Informational Engineering Thesis, Ming Chuan University, 2008) [unpublished] at p. 18.
7 Comment by Beverly S. Margolian, Executive Vice-President and Chief Risk Officer at Manulife Financial, at the Chief Risk Officer Forum Session 20 PD, Record, Volume 30, No. 2, Spring Meeting, San Antonio, Texas, June 14-15, 2004.
8 Remarks by Superintendent Julie Dickson, Office of the Superintendent of Financial Institutions Canada (OSFI) to the 2009 OSFI Risk Management Seminar for Life Insurance Companies, Toronto, Ontario, June 9, 2009.
9 Ernst & Young, Global Insurance Centre 2010 Outlook: US life insurance industry outlook, online:$FILE/US_life_outlook_v3.pdf at p. 2.
10 Remarks by Superintendent Julie Dickson, Office of the Superintendent of Financial Institutions Canada (OSFI) to the Canadian Centre for Ethics and Corporate Policy, Toronto, Ontario, April 17, 2008.
11 Remarks by Superintendent Julie Dickson, Office of the Superintendent of Financial Institutions Canada (OSFI) to the 2009 OSFI Risk Management Seminar for Life Insurance Companies, Toronto, Ontario, November 18, 2009.
12 Remarks by Superintendent Julie Dickson, Office of the Superintendent of Financial Institutions Canada (OSFI) to the Northwind Professional Institute 2008 Life Insurance Invitational Forum, Cambridge, Ontario, November 13, 2008.
13 Supra, note 1.
14 See Recommendation 24 in the Walker Report.
15 Committee of European Banking Supervisors (2010). High level principles for risk management, online: Committee of European Banking Supervisors.
16 Committee of European Banking Supervisors, News Release, "CEBS today publishes its high level principles for risk management" (16 February 2010), online: CEBS.
17 Supra, note 10.
18 Supra, note 10.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
