Man crossing a living root bridge in India

The Board Imperative: Champion CROs to boost risk governance and growth

Boards can bolster resilience, seize new opportunities and create long-term value by collaborating with and further empowering their CRO.

In brief

  • Boards must continue to empower the CRO, ensuring they have an effective and robust mandate. 
  • Understanding the views of risk leaders on emerging risk is key to anticipating disruption and turning threats into opportunity. 
  • Employing the right technology and data can shine a light on emerging risk.

There is an immense opportunity for businesses to accelerate growth and limit unnecessary exposure to risk by improving communication and alignment in priorities between non-executive board members and the C-suite. This is a familiar finding from a number of research programs conducted by EY teams in the past 12 months. Our new series of articles – “The Board and the CxO” – explores practical steps that boards can take to further enhance this relationship in order to better identify and seize emerging opportunities.

This article, the first in the series, explores the relationship between boards and risk leaders as well as acknowledges the ever-growing importance of the Chief Risk Officer (CRO). Against a backdrop of risk volatility and diverging priorities, we explore the reasons why increased empowerment and greater collaboration with the CRO is required. We then define three key areas of focus for boards to equip and enable CROs to continue to succeed.

The insights in this report are based on the results of a survey of non-executive board directors and risk leaders. Reflecting the fact that many businesses in non-regulated sectors do not have a dedicated CRO, risk leaders surveyed include CROs and other individuals responsible for orchestrating risk management, who do not form part of the C-suite.

Download the PDF: Champion CROs to boost risk governance and growth

Young girl standing inside abandoned house covered with banyan roots and branches

Chapter 1

Board-CRO collaboration is vital

As the risk environment continues to increase in complexity, it has never been more crucial for boards and CROs to closely collaborate.

The risk landscape has become more complex


New threats and risks are materializing rapidly, many of which are interconnected. The early months of 2022 have already highlighted the extent to which businesses are exposed to geopolitics, new COVID-19 variants and supply chain issues. Then there are the longer-term risks associated with the shift to stakeholder capitalism, securing and retaining talent, climate change and cybersecurity. In addition, new regulation, including in relation to ESG, will require boards to bolster their support for their business’ approach to risk.


To remain resilient, boards need to first understand the full spectrum of threats that could undermine value and imperil transformation. Importantly, this includes both current and emerging risks. Boards must have sufficient perspective of C-suite priorities and might look for this collective view from the CRO.

Views will no doubt differ. For example, according to an EY survey of more than 600 board directors and risk leaders, 62% of risk leaders identify changing customer demands and expectations as a significant risk, compared with just 48% of boards.

Global Board Risk Survey
of risk leaders identify changing customer demands and expectations as a significant risk.
Global Board Risk Survey
of boards identify changing customer demands and expectations as a significant risk.

Aligning on strategic opportunities is critical

Business opportunities lie in what is often referred to as “upside risk”. However, according to the survey data, consistent with their roles, boards and risk leaders frequently have diverse views on their business’ greatest strategic opportunities.

Boards rank technology disruption as the number one strategic opportunity for their business. In contrast, risk leaders rank this least important and instead rank changing consumer demands and preferences as the greatest strategic opportunity.

Whatever the cause, for these divergent views, boards and CROs have an opportunity to better communicate and constructively challenge each other’s views, highlighting potential blind spots that may represent upside opportunities. Furthermore, considering CEOs rank risk management as the number one area of the enterprise they wish to make the most change, it is also an opportune time to consider the board’s role in bridging this divide.

Man shining flashlight down a dark road lined with trees at night

Chapter 2

Three ways boards can enable CROs

With demand for robust risk management and enterprise resilience intensifying, boards must equip and further empower CROs to succeed.

1. Crystalize risk management expectations

To propel the CRO, it is important to outline the board’s risk management expectations. The survey data outlines four key areas where there is significant opportunity for improvement, which require the following actions:

Take a holistic approach to risk management

Boards want a holistic approach to risk management that incorporates both emerging and traditional risks. However, just 39% of boards today believe their organization’s risk management capabilities are more than moderately effective at managing both atypical and emerging risks.

Identify opportunities in risk

Boards require executive management to better identify opportunities that lie in risk. For example, if a new competitor emerges and secures a new venture funding round, this development might be included as part of the wider reporting on competitive risk.

However, in this example, this business also presents an opportunity from the board’s perspective, as an acquisition target or a potential strategic partner. Therefore, boards must adequately challenge executives, including the CRO, to identify these “upside risks”, and consider how they might be reframed as opportunities.

Interlink risks with secondary impacts

Boards want CROs to better assist executive management in considering how risks are interlinked and identify potential second-order impacts. For example, climate change presents interconnected risks for businesses related to operations, supply chain, customer base displacement and reputation, assuming limited action.

Boards identify this as a key area for improvement. However, only just over half (52%) say their risk management capabilities are more than moderately effective at understanding how different risks are interconnected.

Consider a wide range of stakeholders

Boards expect executives, including CROs, to consider the objectives of a broad set of internal and external stakeholders when assessing risks as part of business decision-making. Through doing so, the outcome expected is the elevation of the importance of risks like climate change and ESG factors, therefore enabling boards to challenge management on key topics, such as how supply chain partners are decarbonizing their operations.

In the financial services sector, there is already evidence that ESG risk factors are increasingly considered in business decisions. For example, 48% of CROs within banks say ESG is embedded in their loan decisioning processes.  

In addition, boards should also ensure that CROs (or their equivalent) are fully aware and are kept updated of the business’ strategy and long-term ambitions, sharing any insight about emerging megatrends that might impact the business. This is a crucial input to assist executive management to mitigate downside risk and capture “upside” opportunities.

Despite this, 55% of board members feel their organization’s risk management capability currently falls short of keeping pace with changes in business strategy.


2. Encourage a digital-first approach to risk management

According to the EY Global Board Risk Survey 2021, the extent to which technology is used to identify and manage risk is the most important factor that determines effective risk management.


Boards can help by advocating through the approval of strategic capital and finance plans for the resources CROs need to deploy adequate technologies that support executive management in their risk decision-making process.

Technology helps in many ways: 

  • Automation technology can be used to process low-value manual tasks, such as risk-model verification and simple data processing, freeing up management time to focus on exploring the implications and impacts of emerging risks. 
  • Data collection and monitoring can also be automated, to occur in real time, thus flagging potential issues to risk and business teams much earlier than would be achievable with a less sophisticated approach. 
  • Cloud and AI-based technologies can also be deployed to execute complex scenario analyses and unearth previously unattainable insights in risk interdependencies.

3. Champion the CRO

Many businesses in non-regulated sectors do not have a formal CRO as part of their C-suite. As the demands on risk leaders intensify and the need for collaboration with executive management and the board grows, boards might challenge businesses that do not currently have a CRO to consider formalizing the role in their C-suite.

However, just as important is the mandate and responsibility that this individual is given. Boards should ensure through their executive management teams that the CRO is sufficiently empowered within the organization and connected with other senior executives through clear and open channels of communication.

For example, instead of communicating risk exposures separately during scheduled board meetings, the board should insist that risk and opportunity assessments are integrated into regular management reporting vehicles. These can be strategies, business plans, operational performance reports and investment proposals.

Robust governance in the form of a risk sub-committee (where not already mandated) may also be necessary to align and calibrate expectations and progress in line with the organizations risk management framework; thus helping to build risk management capabilities.  Importantly, these committees should ensure their composition is adequate to cover a wide range of newer risk topics such as technology, sustainability and talent.

Key questions for boards to consider

Boards have an important role to play in onboarding a CRO or enhancing board-CRO relations in order to support their business’ new growth and transformation agendas. With that context, here are some key questions that should be front of mind:

  1. If you don’t already have a CRO in the C-suite, given the increasing complexities of risks, should you revisit the need with the CEO? If you do have one, are you doing enough to empower and embolden them in your discussions and interactions with the executive management teams?
  2. Have you been clear with your executive management team what you expect from your CRO when it comes to challenging them?  Have their responsibilities been clearly communicated? Do they have enough exposure to and a sound understanding of the business strategy to be asking the right questions?
  3. How do you ensure that the CRO does not dilute executive management accountability for all aspects of doing business, including monitoring risk exposures, effectiveness of controls and reporting relevant outcomes to the board?
  4. Are you regularly consulting with your CRO on how executive management can be better equipped and informed to take advantage of new technology, data and managed services to improve their risk-based decision-making processes?


Increased collaboration with the CRO (or equivalent) is crucial to help set boards up for success in mitigating increasingly complex risks and staying ahead of the competitive landscape. Boards can achieve this by clarifying their expectations, encouraging a digital-first approach to risk management, and formalizing and empowering the role of the CRO as a key C-suite contributor.