by cgio 67 days ago
You completely miss the role of CROs or risk function in an organisation. Using your analogy, the Chief Testing Office would not write the tests. They would establish how test coverage is defined and measured, and the target coverage. They would monitor the progress of each team in meeting these targets. It is a governance role that sits as a second line behind the first line that has the immediate responsibility to manage the risk.

Risk-adjusted rates are not traditionally in the mandate of a CRO. They sit with Finance or Treasury. And they should be abstracted from the front line, who would experience them only through optimisation of their funding.


This sounds well lined up with what I was saying? The CRO doesn't manage risks. Having him in with the executives is a signal that the company is putting resources into communicating with the regulators rather than that they are committed to managing risks in any way. That isn't what these regulatory-heavy roles are for. Their job is to make sure the regulators don't investigate. That is in no way a signal that the company has any ability at risk management, and is a slight signal that they might think "risk" just means that the government will sue them or shut them down.

If a company were actually serious about managing the risks it'd be some relatively quiet role reporting to someone responsible for operations like a CTO, COO or head of product. Maybe part of the CEO's personal staff but not an exec.

> If a company were actually serious about managing the risks it'd be some relatively quiet role reporting to someone responsible for operations like a CTO, COO or head of product. Maybe part of the CEO's personal staff but not an exec.

Actually, that is the real red flag. That quiet little role is completely overridden by the first inconvenienced exec. Having a C-level at least means the role is considered co-equal, and if outweighed by the rest of the C-team they at least have the resources and discretion to do the best they can with what they have.

The approach you mention is what I call "ablative armor for management" or an accountability sink. Responsibility is delegated, but no authority is actually invested. If they can't say no with sufficient gravitas to upset operations, then they're nothing but a figurehead.