
Enterprise Risk Management - Who is in charge? Sector by sector analysis



You've implemented an Enterprise Risk Management (ERM) program because everyone says it's essential, but now your organization is drowning in buzzwords, overlapping responsibilities, and vague frameworks. One team member even quipped that ERM is "90% buzz words, 10% making sure someone doesn't wreck the company with a bad decision."

Sound familiar?

The truth is that despite its critical importance, ERM often suffers from a perception problem. Many professionals view it as an abstract exercise in documentation rather than what it truly is: a strategic framework for identifying, measuring, and prioritizing risk so that the business can make balanced risk/reward decisions.

This article cuts through the noise to address the central question that derails many ERM initiatives: who exactly is in charge? The answer varies significantly by sector and organization size, but one universal truth remains - responsible risk management is never a solo mission.

What is Enterprise Risk Management? Beyond the Buzzwords

Enterprise Risk Management is a comprehensive, organization-wide methodology for identifying, assessing, and prioritizing risks to minimize threats and maximize opportunities. When implemented effectively, ERM supports the achievement of strategic objectives while protecting organizational value.

To make this concrete, let's break down the types of risks that ERM addresses:

  • Strategic Risks: These arise from business decisions that fail to align with strategic goals—for example, failing to adapt to regulatory changes or missing market shifts.
  • Operational Risks: These result from inadequate internal processes, people, and systems—including cybersecurity threats, supply chain failures, and technology breakdowns.
  • Financial Risks: These affect a company's financial health, encompassing credit risk, market risk, liquidity risk, and issues with capital adequacy.
  • Compliance & Legal Risks: Risks associated with violating laws and regulations like Sarbanes-Oxley (SOX) or the General Data Protection Regulation (GDPR).
  • Security Risks: The misappropriation or loss of physical and information assets. These overlap with the cybersecurity threats listed under operational risk, so the register should state up front which owner is accountable for each. A stark example is employee theft, which costs U.S. retail companies an estimated $40 billion annually, according to a figure cited by Smartsheet.

The ERM Power Structure: A Team Sport, Not a Solo Mission

The central question—"Who is in charge?"—has a multifaceted answer because ERM is fundamentally a collaborative system of accountability. While responsibilities may be distributed, effective ERM requires clear leadership and a well-defined power structure.

The Leadership Core

  • Board of Directors: Holds ultimate responsibility for risk oversight, often delegating specific monitoring duties to a dedicated risk committee. According to TechTarget, their role should be active, not passive, with regular review of enterprise-wide risk assessments.
  • Chief Executive Officer (CEO): The primary champion for a risk-aware culture. A CEO who treats ERM as a compliance checkbox rather than a strategic imperative will undermine the entire program.
  • Chief Risk Officer (CRO): The program's conductor. The CRO heads the ERM team, chairs the risk committee, establishes the risk management framework, and collaborates with business leaders on risk response strategies. In financial services, this role has gained significant prominence and authority in the post-2008 landscape.

The Cross-Functional Roster of Risk Owners

Beyond the leadership core, ERM involves a broad team of executives, each responsible for risks in their domain:

  • CFO (Chief Financial Officer): Owns risks impacting revenue, profitability, and financial reporting.
  • COO (Chief Operating Officer): Manages operational risks across the organization's value chain.
  • CIO/CISO (Chief Information/Security Officers): Own technology and cybersecurity risks: the control environment, vulnerability and patch management, incident response, and the security policies the rest of the organization is expected to follow.
  • CLO/CPO/CCO (Chief Legal/Privacy/Compliance Officers): Oversee legal liabilities and ensure compliance with regulations like GDPR, SOX, and HIPAA.
  • CHRO (Chief Human Resources Officer): Manages workforce-related risks, from employee safety to talent retention.

This ideal structure, however, often encounters significant challenges in practice. A KPMG survey revealed that 52% of U.S. C-suite leaders lack integrated risk and resilience capabilities. The top challenges were:

  • Lack of awareness and communication (72%)
  • No integrated view of risks (71%)
  • Performing duplicative efforts (71%)

These statistics highlight the gap between ERM theory and implementation reality, a pain point frequently expressed by practitioners who feel their work is "very vague and subjective" rather than "evidence driven and analytical."

Sector-by-Sector Analysis: Who Leads the Charge?

While the C-suite roster provides a good guide, the emphasis on who leads risk management varies significantly by industry due to sector-specific threats and regulatory landscapes.

Financial Services

Primary Risks: Market risk, credit risk, liquidity risk, tail risk, and intense regulatory scrutiny. The focus is on economic capital modeling (ECM) and maintaining capital adequacy.

Who's in Charge?: The CRO role is most prominent and powerful here. As one practitioner on Reddit notes, daily work involves "testing models to make sure they are doing what is intended, tuning models to make sure they are most efficient... and lots of model documentation."

The CFO and Chief Compliance Officer are critical partners, with responsibility for maintaining regulatory ratios and preventing financial misconduct.

Key Regulations: The Basel Accords (Basel III, which superseded Basel II after the 2008 crisis) for capital and liquidity adequacy, and Sarbanes-Oxley (SOX) for financial reporting controls.

Technology & Cybersecurity

Primary Risks: Data breaches, system outages, intellectual property theft, and compliance with data privacy laws like GDPR.

Who's in Charge?: The CISO and CIO are on the front lines. The Chief Privacy Officer (CPO) is crucial for navigating GDPR, addressing common pain points like what one professional described as a "data team [that] is nowhere close to being compliant as in no procedure or policy for data destruction."

Key Frameworks: The NIST Cybersecurity Framework (CSF) and the CIS Critical Security Controls (18 controls in version 8; published by the Center for Internet Security, formerly known as the SANS Top 20). For connecting a cyber risk register to the enterprise register, NIST IR 8286 (Integrating Cybersecurity and Enterprise Risk Management) is the most direct guidance. Practitioners often find these frameworks "confusing as heck," emphasizing the need for expert guidance.

Healthcare

Primary Risks: Patient data privacy (HIPAA compliance), patient safety, medical malpractice, and rising operational costs.

Who's in Charge?: The Chief Compliance Officer is essential for navigating HIPAA. The COO manages risks related to patient care and operations, while the Chief Legal Officer handles liability and malpractice risks.

Construction & Engineering

Primary Risks: Physical safety hazards, project delays, budget overruns, and supply chain disruptions.

Who's in Charge?: Risk management is deeply embedded in operations. The COO and on-the-ground Project Managers are the primary risk owners. A formal CRO is less common in this sector.

There's notable skepticism about technology's role in risk management, with one industry professional arguing on Reddit that "the attempt to 'disrupt' the construction industry with technology has several flaws... we were building just as fast if not faster decades ago." This highlights how responsible risk management must balance innovation with proven methodologies.

Implementing ERM: From Framework to Action

The complaint that ERM work feels "very vague and subjective" is usually a sign that the program never moved past the framework stage. Moving from theory to practice requires:

Step 1: Choose a Guiding Framework

Frameworks provide the necessary structure for an effective ERM program:

  • COSO Framework: The gold standard for many organizations. The 2017 edition (Enterprise Risk Management: Integrating with Strategy and Performance) consists of five integrated components: Governance and Culture, Strategy and Objective-Setting, Performance, Review and Revision, and Information, Communication, and Reporting. Learn more from the official COSO ERM Framework.
  • ISO 31000:2018: This internationally recognized standard provides principles and guidelines for effective risk management across organizations of any size or sector. More details are available from the International Organization for Standardization.

Step 2: Leverage Technology (The Right Way)

Many organizations have had frustrating experiences with ERM software that was "extremely poor in features... buggy but above all cost a huge amount of money to fix/maintain," as one IT professional described.

When selecting ERM technology, consider:

  • Clear alignment of features with your specific risk management needs
  • Transparent pricing for maintenance and support
  • Scalability to handle operational risk and incident management
  • Strong reporting and modeling capabilities
  • An exportable, auditable register (a change history for every risk entry and owner), so the evidence does not live only inside the vendor's tool

The Key to Responsible Risk Management

The most effective ERM programs share several characteristics that transcend industry differences:

  1. Top-Down Commitment: Without senior management support, ERM becomes what one professional called "a chicken and egg dilemma" – unable to gain traction or demonstrate value.
  2. Cross-Functional Integration: Risk management must break down silos to identify correlated risks across divisions.
  3. Clear Accountability: Each risk category needs a designated owner with authority to implement mitigation strategies.
  4. Continuous Improvement: ERM is not a one-time project but an ongoing process that evolves with the organization.
  5. Strategic Orientation: As one risk manager noted, "Risk is opportunity." Effective ERM doesn't just protect value—it helps create it by providing the confidence to pursue strategic initiatives.
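Points 2 and 3 above are easy to state and easy to lose in a spreadsheet. The following is an added example, not code from the article, of a minimal evidence-driven risk register: each risk carries a 1-5 likelihood and impact score, a default owner is assigned from the C-suite roster described earlier (an assumed mapping; adjust to your organization), risks above a stated appetite are surfaced, and risks from different divisions that share a dependency are flagged as correlated. The six sample risks are constructed for illustration.

```python
"""Minimal ERM risk register with ownership and correlation checks.

Added example, not from the article. The owner mapping below is an
assumption based on the article's C-suite roster; the sample risks are
constructed for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed default risk owner per category (the article's cross-functional roster).
DEFAULT_OWNERS = {
    "strategic": "CEO",
    "operational": "COO",
    "financial": "CFO",
    "compliance": "CCO",
    "cyber": "CISO",
    "workforce": "CHRO",
}


@dataclass
class Risk:
    risk_id: str
    title: str
    category: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)
    owner: Optional[str] = None
    # Shared systems, suppliers or sites this risk depends on; used to find
    # correlated risks that sit in different divisions.
    dependencies: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


class RiskRegister:
    def __init__(self, appetite: int = 12, owners: Optional[Dict[str, str]] = None):
        self.appetite = appetite          # scores above this need a response plan
        self.owners = dict(DEFAULT_OWNERS if owners is None else owners)
        self._risks: Dict[str, Risk] = {}

    def add(self, risk: Risk) -> Risk:
        """Validate scores, reject duplicate ids, and assign a default owner."""
        if risk.risk_id in self._risks:
            raise ValueError(f"duplicate risk id {risk.risk_id}")
        for name, value in (("likelihood", risk.likelihood), ("impact", risk.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be 1..5, got {value}")
        if risk.owner is None:
            # Unknown categories stay unowned and are reported by unowned().
            risk.owner = self.owners.get(risk.category)
        self._risks[risk.risk_id] = risk
        return risk

    def unowned(self) -> List[str]:
        """Risks with no accountable owner: the accountability gap."""
        return sorted(r.risk_id for r in self._risks.values() if r.owner is None)

    def above_appetite(self) -> List[Risk]:
        """Risks whose score exceeds appetite, highest first."""
        hot = [r for r in self._risks.values() if r.score > self.appetite]
        return sorted(hot, key=lambda r: (-r.score, r.risk_id))

    def by_owner(self) -> Dict[str, List[str]]:
        out: Dict[str, List[str]] = defaultdict(list)
        for r in self._risks.values():
            out[r.owner or "UNASSIGNED"].append(r.risk_id)
        return {owner: sorted(ids) for owner, ids in out.items()}

    def correlated_dependencies(self) -> Dict[str, List[str]]:
        """Dependencies shared by risks in more than one category (silo check)."""
        seen: Dict[str, set] = defaultdict(set)
        for r in self._risks.values():
            for dep in r.dependencies:
                seen[dep].add(r.category)
        return {dep: sorted(cats) for dep, cats in seen.items() if len(cats) > 1}

    def report(self) -> str:
        lines = [f"Risks above appetite ({self.appetite}):"]
        lines += [f"  {r.risk_id} score={r.score} owner={r.owner} {r.title}"
                  for r in self.above_appetite()]
        lines.append(f"Unowned risks: {self.unowned() or 'none'}")
        lines.append(f"Correlated dependencies: {self.correlated_dependencies() or 'none'}")
        return "\n".join(lines)


def build_sample_register() -> RiskRegister:
    """Constructed sample data, not real figures."""
    reg = RiskRegister(appetite=12)
    reg.add(Risk("R-001", "Ransomware on ERP platform", "cyber", 3, 5, dependencies=["ERP platform"]))
    reg.add(Risk("R-002", "Month-end close fails if ERP is down", "financial", 2, 4, dependencies=["ERP platform"]))
    reg.add(Risk("R-003", "Sole-source supplier insolvency", "operational", 2, 4, dependencies=["Supplier Acme"]))
    reg.add(Risk("R-004", "GDPR fine for missing data-destruction procedure", "compliance", 4, 4))
    reg.add(Risk("R-005", "Loss of key engineering staff", "workforce", 3, 3))
    reg.add(Risk("R-006", "Theft from distribution centre", "physical_security", 3, 2))  # no default owner
    return reg


if __name__ == "__main__":
    print(build_sample_register().report())
```

Running the sample shows the two outputs a board pack actually needs: which risks exceed appetite and who owns them (R-004 at 16 under the CCO, R-001 at 15 under the CISO), and which entries nobody owns (R-006, because "physical_security" has no mapped owner). The correlation check also reports that the ERP platform underlies both a cyber risk and a financial risk, which is exactly the cross-divisional link a siloed register would miss.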

When these elements come together, ERM transcends buzzwords to become what it was always meant to be: a powerful strategic enabler that provides the confidence to innovate, grow, and maintain a competitive advantage in an uncertain world.

Remember that while responsibility for ERM may be distributed across various roles, creating a culture of responsible risk management begins with leadership commitment and a shared understanding that managing risk is everyone's business.

The next time someone asks "who's in charge of ERM?" in your organization, the answer should be clear: everyone plays a part, but leadership must drive the vision from the top.

Frequently Asked Questions

What is Enterprise Risk Management (ERM) in simple terms?

Enterprise Risk Management (ERM) is a business-wide strategy to identify, assess, and prepare for potential risks that could prevent the organization from achieving its objectives. It's not just about avoiding threats; it's also about creating a framework that allows the business to take calculated risks to maximize opportunities and create value. ERM addresses various types of risks, including strategic, operational, financial, and compliance-related issues.

Who is ultimately responsible for ERM in an organization?

The Board of Directors holds the ultimate responsibility for overseeing risk management, but ERM is a collaborative effort involving leaders across the organization. While the board sets the tone, the Chief Executive Officer (CEO) champions the risk-aware culture, and a Chief Risk Officer (CRO) often orchestrates the program. Other executives like the CFO, COO, and CISO are "risk owners" responsible for managing risks within their specific domains.

Why is ERM important for a business?

ERM is important because it shifts risk management from a reactive, compliance-focused task to a proactive, strategic function that helps create and protect organizational value. By providing a clear view of potential threats and opportunities, an effective ERM program gives leadership the confidence to make balanced risk/reward decisions, pursue strategic goals, and build a more resilient business in an uncertain environment.

How do you start implementing an ERM program?

To start implementing an ERM program, an organization should first secure commitment from senior leadership and then select a recognized framework like COSO or ISO 31000 to provide structure. The next steps involve identifying and assessing risks across the company, assigning clear ownership for each risk, and leveraging appropriate technology to support the process. It's a continuous cycle, not a one-time project.

What is the difference between a CRO and a CFO in risk management?

The key difference lies in their scope: the Chief Risk Officer (CRO) is responsible for the entire enterprise-wide risk management framework, acting as the program's conductor across all risk categories. The Chief Financial Officer (CFO), on the other hand, is a "risk owner" who is specifically responsible for managing financial risks, such as those related to revenue, profitability, credit, and market fluctuations.

What are the most common challenges in implementing ERM?

The most common challenges in implementing ERM are a lack of top-down commitment, poor communication, and failing to get an integrated, company-wide view of risks. Many organizations struggle with siloed departments, leading to duplicative efforts and an inability to see how different risks are connected. Overcoming these hurdles requires strong leadership and a culture that treats risk management as everyone's responsibility.
