top of page

What a CEO Needs From Their Risk Function - and Why They Rarely Get It

  • Feb 5
  • 4 min read

Updated: Mar 24

From the Chair | Encina Consulting


Most CEOs I have worked with have a complicated relationship with their Risk function. They know they need one, but they're not always sure what it's for. And they've usually had at least one experience that made them quietly wonder whether it was doing more harm than good.


That experience tends to follow a pattern. The exec meeting is running late. The agenda is overloaded. A decision has been reached, the meeting closes... and then the CRO speaks. Not at the beginning, when it might have been useful, but at the end, when the room has already moved on. Their questions are generic. The concerns are theoretical. Eyes around the table move to the ceiling. The CEO thanks the CRO for their input and closes the agenda item. Nothing changes. This happens again next month.


This is not a small problem. It is one of many symptoms that indicate a Risk function that has been set up wrong, or never properly set up at all.


What a CEO Needs From Their Risk Function - and Why They Rarely Get It | Jon Macdonald Risk Expert

The question that changes everything


The best thing a CEO can do when they hire their CRO is offer them three pointers, to help set them up for success:


This is what I am genuinely worried about. And you don't need to do anything about this yet.

This is where I want you involved, and where I don't need your involvement, right now.

This is what I need from you, right now.


Or, more common than you may like to think:


This is what I am genuinely worried about. And you don't need to do anything about this yet.

I am not sure where I want you involved, and where I don't need your involvement, right now.

I don't know what I need from you, right now.


These pointers help because they are honest. They set the scene for a strong working relationship. And for the CRO to know they have time and space to assess their landscape before diving in.


Many CEOs have a CRO because they have to, due to regulatory expectation, board requirement and investor pressure. And its not uncommon that they don't have a clear view of what they want the CRO's role to be. Acknowledging this openly, and working through the options together, is a far better starting point than arriving with a framework and a five-year plan.


The shape of a Risk function is not fixed. It can be hands-on or independent. It can have a small, focused remit or a broad strategic one. The CRO can be a close advisor to the CEO or a genuinely independent voice at board level. These are choices and they should be made explicitly, with the whole executive team involved, not inherited by default.


What a CEO needs from their Risk Function - and what a genuinely good CRO actually delivers


The CEO's who have CROs they genuinely trust and respect notice a set of qualities their CRO has, beyond the necessary technical expertise.


They know the business model intimately. Not the org chart, not the risk register but the actual commercial mechanics of how the business makes and loses money. When the CEO is reviewing performance with the CFO, the best CRO is equally present in that conversation, able to challenge assumptions, identify exposures, and contribute to solutions. They put their hand up to solve problems. They are a valued commercial peer, not a governance overhead. They lead through risk events, not just report on them. When something goes wrong, the CEO knows they can rely on them to take ownership of the response - coordinating the reaction, managing the regulatory relationship, keeping the board informed without panicking them. A CRO who produces a report about a risk event is useful. A CRO who leads the business through one is invaluable.


They own the regulatory relationship. Not in a compliance sense, but in a trust sense. The best CROs build enough goodwill with the regulator that they can pick up the phone informally, navigate a tricky question without it becoming a formal issue, or open a door for a commercial opportunity that might otherwise have faced resistance. That relationship is an asset and it takes years to build.


The best CROs keep governance costs under control. One of the most undervalued things a good CRO does is stop unnecessary governance from proliferating. Risk functions have full time staff, who want to justify their existence, and who are, like all people, creative. Left without strong leadership policies multiply, control documentation gets longer and irrelevant risk limits get measured. A CEO needs their CRO to know what's needed and what isn't. To push back on over-engineering and protect the business from its own habit of adding process when what's needed is clearer judgment.


And then there is the thing that is hardest to describe but most important in practice. On any given day, the CEO should be able to walk into the CRO's office - or call them - for a fifteen-minute conversation about something that is bothering them. Not a formal risk review. Not a board paper. Just a straight, confidential conversation with someone who knows the business, understands the commercial context, has a view on the personal capabilities of the team, and can offer a grounded, honest perspective. A sparring partner. Someone who will tell them what they actually think.


Most CEOs have never had that. The ones who have don't want to go back.


At Encina Consulting, we offer expert assistance on this and any other aspect of Risk function training and management. Book a confidential call here to discuss what you and your team most need and we'll be in touch soon.


Jon Macdonald | Risk Governance Advisor & CEO Coach | Founder, Encina Consulting

Copyright 2026

 
 
 

Comments


bottom of page