[roenxi]

This sounds well lined up with what I was saying? The CRO doesn't manage risks. Having him in with the executives is a signal that the company is putting resources into communicating with the regulators rather than that they are committed to managing risks in any way. That isn't what these regulatory-heavy roles are for. Their job is to make sure the regulators don't investigate. That is in no way a signal that the company has any ability at risk management, and is a slight signal that they might think "risk" just means that the government will sue them or shut them down.

If a company were actually serious about managing the risks it'd be some relatively quiet role reporting to someone responsible for operations like a CTO, COO or head of product. Maybe part of the CEOs personal staff but not an exec.

[salawat]

>If a company were actually serious about managing the risks it'd be some relatively quiet role reporting to someone responsible for operations like a CTO, COO or head of product. Maybe part of the CEOs personal staff but not an exec.

Actually, that is the real red flag. That quiet little role is completely overridden by the first inconvenienced exec. Having a C-level at least means the role is considered co-equal, and if outweighed by the rest of the C-team they at least have the resources and discretion to do the best they can with what they have.

The approach you mention is what I call "ablative armor for management" or an accountability sink. Responsibility is delegated, but no authority is actually invested. If they can't say no with sufficient gravitas to upset operations, then they're nothing but a figurehead.