I have said many times that it’s not about managing risks: it’s about managing the achievement of objectives.
It’s about being successful.
Success is measured through the achievement of specified objectives.
We improve the likelihood and extent of success if we understand what might happen, both good and bad, as we strive to achieve our objectives.
The “what might happen” is risk, but the focus should not be on managing them individually but on being successful – taking the right level of the right risks.
The CRO (or equivalent) should be concerned with helping leadership run the organization and achieve its objectives, rather than helping them manage a list of risks.
Let me explain what I mean with a hypothetical story.
The executive team has come to the point in their monthly meeting where they review the report of the Chief Risk Officer.
The CEO invites the CRO to join…