CROs are taking on broader roles, covering risks for which it’s extremely rare to have the full breadth of expertise. Mark Whale from
global analytics software leader FICO discusses how a host of new risk categories are making the CRO’s role tougher than ever, and spurring the rise of the Super CRO.
The role of the Chief Risk Officer at a bank is unrecognisable from a few short years ago. It is likely that most CROs currently in post applied for a very different job from the one they find themselves carrying out today. The advertised job spec would
have focused primarily on managing credit, market, liquidity and interest rate risk. Today the role has expanded way beyond these financial risks. For example, climate, emerging technologies, fraud, third-party vendors, cybersecurity and governance of artificial
intelligence use across the business, to name but a few, are all risks the CRO has to understand and consider.
The reality is that today regulation requires CROs to ensure adequacy of risk information and analysis and effectively challenge strategy and plans across 15 or more risk categories. This creates the need for CROs to increasingly push back on the first line
of defence, which could ignite a source of confrontation within an organisation.
The difficulty is, someone needs to take ownership of risk as a whole to avoid risk silos, and that role naturally sits on the shoulders of the Chief Risk Officer, whether they have the expertise or not. This is where we now see the rise of the Super CRO;
someone that can strategically collaborate across operating functions so that they can deliver rapid business change. Increasingly, this ‘pro business’ exchange means first-line operations will build out their own risk and control functions.
New risks require new data, insights and actions
Climate risk was one of the first ‘new’ risks added to the CRO’s plate. In a 2021 study it was the
most important emerging risk for bank CROs. Banks now actively model and simulate the impact of climate risks to help meet Paris 2030 goals, and establish the impact on credit losses and stranded assets. However, actions based on those models, such as climate-related
loan pricing, are only just starting to be integrated into business models in most financial institutions.
The best-in-class organisations go way beyond modelling for price; they also use innovative sets of data and AI-powered optimisation to generate insights and turn them into actionable strategies. Using the example of the California wildfires in January 2025,
leading risk operations used satellite imagery to model the impact of property and garden maintenance against the susceptibility to fire. Simulations were able to show how debris in roof gutters and unmaintained gardens created pathways for wildfires to envelop
properties. Risk teams were then able to quickly run optimisations that output decision strategies to mitigate these risks. These strategies included creating communications that directed fire departments and property owners to take preventative actions that
saved tens of millions of dollars in fire-related losses.
Another area of risk that wasn’t on the agenda 20 years ago is cybersecurity. By 2023 this had made its way to the top of the CRO agenda, and climate dropped to third place. Today, this is the risk that is most likely to keep CROs up at night. As it is related
directly to fraud, and is such a technical area, cyber risk will fall under the Chief Information Security Officer’s (CISO) job role, but there is an increasing push for CROs to take overall risk ownership.
We have heard from leading banks how this can lead to increasing internal conflict. On the one hand, CROs take ultimate ownership of all risks. In the case of EU banks, the Digital Operational Resilience Act (DORA) mandates that they oversee risk management
frameworks, incident response and recovery plans. On the other hand, the CISO generally has the tools and technical knowledge to manage cyber risk far more effectively than the CRO.
Recent cyber-attacks on major retailers, airports and motor manufacturers demonstrate the significant impact cybersecurity breaches can have on an organisation and keep the risk at the top of the CRO agenda. This is another area where emerging sets of data,
such as Software Bill of Materials (SBOM) for 3rd and 4th party vendors, can help CROs and CISOs to model susceptibility to risk and drive action plans.
Then there is the exponential growth in AI. While it offers many efficiency and effectiveness benefits, it also brings some significant
operational risks if not managed responsibly. There is a race to make the most of this technology, but banks cannot fully benefit from AI if it’s misunderstood, misused, or misguided.
There’s a responsibility to ensure that AI models are robust, explainable, ethical, and auditable to mitigate these risks. CROs can help drive the overarching frameworks, but the advanced technical competency to drive these controls needs to be delivered
by first-line analytic and operational functions. Collaborative tooling can make it much easier to demonstrate each of these responsible AI controls and satisfy the needs of CROs — and, of course, the regulators.
Taking a holistic view of risk and driving business performance
With so many complex, rapidly shifting new risks to monitor and manage, it is impossible for any individual to be an expert in every field, which means CROs are held back by some significant skills gaps. Is it time to begin a fundamental restructure of risk
governance so that first-line operations build out their own risk and control functions? Does it make more sense to share responsibility for the key risk areas among highly trained experts, rather than hang on to the myth of a Super CRO that is capable of
managing all risks single-handedly?
What we are seeing is a shift from the CRO as expert in a small set of risks to the Super CRO who is a collaborator, someone who can provide robust risk management frameworks to challenge the business effectively. And by being pro-change, they can directly
impact customer experience and the bottom line.
Super CROs need a different set of tools. Leveraging multiple sources of data, including novel sets, is critical, but it’s often difficult to make this data available to the business without the right support. The growth in risk categories and the available
data sources mean that marketplaces that make data ingestion easy are increasingly gaining traction.
Beyond insight generation, Super CROs are also investing in platforms that facilitate collaboration around strategy design and execution, enabling multiple teams to ensure that strategies meet their risk targets, achieve growth goals and meet changing regulations.
This technology supports the shifting role of the CRO from a gatekeeper and a monitoring function to a business enabler. Because more than ever before, the Super CRO is a builder, not a blocker.


