With risk playing a role in many IT-related endeavors, such as data and physical security efforts and privacy and regulatory compliance initiatives, who keeps track?
Enter the chief risk officer, who acts as an organization's linchpin for enterprise risk management (ERM), including IT and data security. CROs are fast becoming familiar faces among C-level executives at large organizations. According to Forrester Research Inc. in Cambridge, Mass., the executive ranks of any company that has revenue of at least US$1 billion and can be classified as "critical infrastructure" -- such as financial institutions, energy companies and health care providers -- are likely to include a CRO. By next year, three quarters of large, critical infrastructure organizations will have a formal ERM office with a CRO or equivalent role, according to Forrester.
After its early emphasis in financial services, ERM has played an increasingly crucial part in business planning across industries during the past several years. Its widespread acceptance was spurred in part by regulations such as the Sarbanes-Oxley Act for accounting oversight and Basel II for measurement of international banking capital. As different types of operational risk also get included under the ERM umbrella, the CRO's job is to eliminate the "fragmented" approach to managing risk, according to Forrester. With government regulations and the rise of corporate governance policies addressing enterprisewide risk, Forrester and other analyst firms have hammered on the importance of having a single point person in place to oversee its management.
"With the fragmented, siloed approach to risk management, there is no one watching risk across the organization," Forrester analyst Michael Rasmussen wrote in a December 2004 report on ERM trends. "In today's complex business world, one weak spot can impact the entire business. Without a framework to work within, and someone in charge of risk management, organizations are running in the dark."
An Expanding Role