This post is (again) going to upset some people.
My hope is that even if you disagree with me, it will make you think.
Let’s start with a provocative statement:
The only risk that matters (much) is one that will have a notable effect on achieving enterprise objectives.
Do you worry about traffic congestion on the other side of the freeway?
Do you worry about traffic issues that are behind you?
No. You only worry about traffic congestion that you are either in or could be in as you travel to your destination.
Now:
Does the CRO own enterprise objectives? No.
Is the CRO responsible for achieving them? No.
Is the CRO responsible for identifying all the risks that might interfere with achieving enterprise objectives? I hope not: they may help, that’s all.
Is the CRO responsible for assessing their effect on objectives? Again, they can help.
Is the CRO responsible for evaluating whether a risk is acceptable? No.
Is the CRO responsible for taking action to change the level of risk as needed? No.
So why should the CRO be responsible for risk reporting to the board?
Shouldn’t those responsible for achieving objectives be responsible for reporting related risks and what they are doing about them?
Shouldn’t those responsible for reporting and projecting enterprise performance include the consideration of risk?
Подробнее…
