
You're the new CRO: What do you do now?

Stepping into the role of a Chief Risk Officer (CRO) marks the beginning of a journey that is as rewarding as it is challenging.

Your early days are crucial for establishing credibility, understanding the landscape you're operating within, and laying down the frameworks that you need. (All of this is also true for the financial risk side of your role, but as operational risk experts, we’re going to talk mainly about operational risk here.)

From aligning risk management with the organization’s strategic objectives to embedding a risk-aware culture and navigating regulatory landscapes, the focus needs to be on leading change, driving innovation, and ensuring that risk management becomes a strategic partner that adds real value to the organization.

What should you do in your first 90 days to lay this foundation? We believe it breaks down like this:

  • Understanding your new terrain
  • Laying the foundations in your first month
  • Building momentum: days 30 to 60
  • Solidifying your strategy: days 60 to 90
  • Navigating challenges and celebrating early wins

Protecht has developed a comprehensive CRO checklist to guide you through your first 90 days and beyond, offering practical advice and insights to help you build a resilient, risk-aware organization.

Understanding your new terrain

Starting as CRO puts you in a prime position to shape the organization’s risk posture and resilience. Your first order of business is to map the landscape: understanding the strategic and operational framework.

To steer in the right direction, you must first anchor yourself to the company's strategic goals. How do these objectives reflect in the day-to-day operations, and where does risk management fit? Begin with the organization’s strategic plan, understanding its mission, vision, and the key performance indicators (KPIs) that matter most. Remember, your success as a CRO is tied to how well risk management supports and enhances these strategic objectives.

At the same time, risk management does not exist in a vacuum. It's part of a complex ecosystem within your organization, influenced by its structure, culture, and external relationships. Early on, take time to map out this ecosystem. What are the subsidiaries, legal entities, and operational units that make up the organization? How do they interlink, and what are their respective risk profiles?

This initial phase is about ensuring that when you start implementing your risk management strategies, they're informed, strategic, and aligned with the organization’s goals. Take your time, ask questions, and immerse yourself in the culture.

Laying the foundations in your first month

With a clear understanding of your new terrain, it's time to lay the groundwork for your tenure as CRO. Your primary mission now is to assess the organization’s current risk framework.

Begin by evaluating the risk management policies, frameworks, and tools in place. Are they aligned with the organization’s strategic objectives? Do they cover all critical areas, and are they understood and adopted across the organization? This phase is also about taking stock of the risk register, understanding the major risks the organization faces, and how these are being managed or mitigated.

It’s also important to engage with key stakeholders. This includes the board, senior management, and the front-line teams who deal with operational risks daily. These conversations give you insights into the risk perceptions across the organization, uncover the pain points, and highlight areas for improvement. They’re also an opportunity to start building trust and rapport.

Regulatory requirements also need to be on your mind. Start by reviewing the last regulatory interactions, audit findings, and compliance reports to understand the organization’s regulatory standing and any immediate areas that require attention. Plan to meet with compliance teams and external regulators early on – both to understand regulatory trends, expectations, and areas of focus, and to establish yourself as a proactive and engaged CRO.

Building momentum: days 30 to 60

Having established a solid understanding of your organization’s risk framework and fostered key relationships, the next phase of your journey is about transitioning from assessment and planning to action and implementation.

Consider the organization’s incident and event capture processes. Are they adequately linked back to your risk and control frameworks? This linkage is crucial for not just addressing risks as they arise but also for learning from them to strengthen your risk posture. Identifying opportunities for automation can significantly enhance efficiency, allowing your team to focus on strategic risk management rather than getting bogged down in manual tasks.

It’s also a good time to start building risk awareness throughout the organization. Engage in conversations about risk with various departments, highlighting how understanding and managing risk is part of everyone's job. As you start to implement changes and initiatives, keep the organization informed about what you're doing, why you're doing it, and how it benefits everyone. Develop a communication strategy that includes regular updates, highlights successes, and openly discusses challenges and how they're being addressed – not just for the risk team, but for the whole organization.

Solidifying your strategy: days 60 to 90

As you approach the 90-day mark, the focus shifts to reinforcing the foundation you've laid and setting a clear direction for the future with a long-term, sustainable risk management framework.

Which strategic risk management initiatives will drive long-term value? This could involve developing a more sophisticated risk appetite framework that aligns with your organization’s strategic goals, enhancing risk reporting to provide richer insights for decision-makers, or integrating advanced risk analytics to predict and mitigate future risks. Developing these initiatives often requires cross-departmental collaboration and resources, so it's crucial to build strong business cases for each project.

The only constant in risk management is change, so embedding continuous improvement into your risk framework is also essential. This means regularly revisiting your risk assessments, control measures, and risk management processes to ensure they remain relevant and effective. Encourage feedback from your team and the wider organization to identify areas for refinement. Strong data analytics and regular review cycles will help you keep ahead of changes before they become a problem.

The eventual goal of your risk management strategy should be to embed a risk-aware culture, where employees feel empowered to identify and report risks, and where managing risk is part of everyone's job description. Encourage open discussions about risk, celebrate examples of effective risk management, and integrate risk considerations into decision-making processes at all levels.

Navigating challenges and celebrating early wins

You'll encounter both challenges and successes in your first 90 days. Challenges in the realm of risk management are as varied as they are certain, and facing these challenges head-on with a strategic, thoughtful approach is key:

  • Communicate and educate: Resistance often stems from a lack of understanding. Take the time to communicate the reasons behind changes or new initiatives and educate stakeholders.
  • Use data: In the face of external threats or internal gaps, robust data analytics can be your best ally. Use data to inform your strategies and make the case for necessary resources or changes.
  • Foster collaboration: Challenges are easier to overcome when you're not facing them alone. Encourage a collaborative culture where teams across the organization come together to find solutions.
  • Seek external insights: Outside perspectives can provide valuable solutions to internal challenges. Don't hesitate to seek advice from industry peers, consultants, or other experts.

Navigating challenges is crucial, but equally important is recognizing and celebrating the early successes in your risk management journey:

  • Building confidence: Early successes demonstrate the effectiveness of your risk management strategies, building confidence in your approach among your team and stakeholders.
  • Gaining support: Sharing these wins helps gain support for your risk management initiatives, reinforcing the importance of continued investment in risk management.
  • Motivating your team: Celebrations acknowledge the hard work and dedication of your team, boosting morale and motivating them.
  • Setting a precedent: Early wins set a precedent for success, creating momentum for your risk management program, and encouraging a culture of continuous improvement.

Conclusions and next steps for your organization

Your initial 90 days are critical for setting the tone, but the true measure of success will be in how you continue to evolve and adapt your risk management strategy over time.

To support you in this journey, Protecht has developed a comprehensive CRO checklist to guide you through your first 90 days and beyond, offering practical advice and insights to help you build a resilient, risk-aware organization.

We encourage you to download our CRO checklist today. It's more than a guide; it's a companion in your journey towards risk management excellence. Use it to assess your progress, identify areas for improvement, and continue to drive strategic value through effective risk management.


About the author

Jared Siddle is Protecht's Director of Risk, North America. He is a Qualified Risk Director who has been Head of Risk Management at three different companies, including two of the world's largest asset managers. Jared has proven success in banking, fund management and other financial service companies across over 26 countries. He is passionate about governance, risk, compliance and sustainability. He is an expert at designing, developing, and executing customised enterprise-wide risk frameworks.