[salawat]

>If a company were actually serious about managing the risks it'd be some relatively quiet role reporting to someone responsible for operations like a CTO, COO or head of product. Maybe part of the CEOs personal staff but not an exec.

Actually, that is the real red flag. That quiet little role is completely overridden by the first inconvenienced exec. Having a C-level at least means the role is considered co-equal, and if outweighed by the rest of the C-team they at least have the resources and discretion to do the best they can with what they have.

The approach you mention is what I call "ablative armor for management" or an accountability sink. Responsibility is delegated, but no authority is actually invested. If they can't say no with sufficient gravitas to upset operations, then they're nothing but a figurehead.