Ensuring sustainable growth in any organisation is essential. This report examines the evolving nature of the Chief Risk Officer (CRO) role within UK Financial Services firms as they, and their boards, navigate the strategic duality of risk: ensuring threat protection while enabling value creation.
Drawing on an analysis of 31 semi-structured interviews with CRO’s, the report explores how they have become a strategic partner within the boardroom and suggests how CRO’s, boards, and firm leaders can enable the risk function to be a force for sustainable growth.
Background
The exploration of innovation in risk management and the CRO’s role has stalled. Regulatory focus on compliance and value preservation overlooks risk’s dual nature—both threat and opportunity. As competition intensifies due to technology, global mobility, and extended supply chains, risks are harder to predict and have broader impacts. Businesses must rethink risk management, board composition, and the CRO’s role in balancing risk and value creation.
Regulations like the UK’s 2018 Corporate Governance Code and FCA Handbook SYSC 21.1 reinforce the CRO’s oversight of risk appetite, yet little research examines how this aligns with value creation. The CRO, positioned at the firm's core, could offer strategic insights beyond compliance. A shift toward a holistic risk approach is needed to integrate governance, strategy, and performance, ensuring firms take necessary risks to maximize value while maintaining resilience.
Project Objectives
The study examines the role of Chief Risk Officers (CROs) in UK organizations, focusing on value creation. Specifically, it aims to:
- Explore how CROs can contribute to value creation.
- Identify factors influencing CROs’ ability to act as value creators, such as regulations, governance structures, stakeholder pressure, and strategic decision-making.
- Assess how CROs navigate risk as both a threat and an opportunity.
Key Findings
The life of a CRO – One job many forms
The findings of our study make evident that the shift towards a more strategic outlook requires CRO’s to assume multiple roles that capture the plethora of responsibilities that their position encompasses, such as advisor, challenger, coach, though CRO’s differed in how they perceived their position in their organisations and the combination of roles they held.
We have distilled the range of roles mentioned in our study sample into four key personas: Firefighter, Architect, Swiss Army Knife and Conductor. Many CRO’s report they take on different personas and forms depending on the circumstances.
Firefighter
Firefighter CRO’s are frequently summoned to handle crises, a role that can become all-consuming for some in our sample. While crisis management is both important and expected, several interviewees questioned whether frequent firefighting is the best use of a CRO’s expertise. Most CRO’s view their primary value in preventing fires rather than extinguishing them – creating systems and conditions that reduce the likelihood of crises occurring in the first place. This preventive mindset leads us to the second persona: the Architect.
Architect
As a Senior Manager Function 4 (SM4) in financial firms, the CRO designs and implements robust risk controls that help organisations navigate both current and emerging risks while pursuing growth opportunities. When organisations pursue new opportunities, our interviewees consistently emphasised that early involvement of the CRO and their team is crucial to success in this role. Much like an architect whose expertise is most valuable during the initial design phase – not after key decisions are locked in – the CRO’s input must be sought at the outset of new initiatives. They unanimously acknowledged that this effectiveness is built
Swiss Army Knife
As CRO’s take on larger roles in strategic decision-making, the range of risks they oversee continues to expand. CRO’s must, therefore, like a Swiss Army Knife, be able to deal with a greater diversity of problems. They must maintain awareness of a complex and evolving risk landscape and be able to shift their view of the risk priorities accordingly. This requires the CRO to be adaptable, think broadly, and keep learning through the application of new tools. It also underscores the need for experienced risk teams that can manage risks through their full lifecycle such that CRO’s can hand off well-understood risk with mature management frameworks to operational teams.
Conductor
Risks manifest differently across a company’s various business lines and functions. Like a conductor, the CRO must identify these variations, and understand how actions in one area can either amplify or reduce risks in another. Balancing and combining these risks in alignment with the organisation’s strategy is a key part of the role. Several CRO’s see their role as combining the horizontal view of the organisation, maintaining both a broad view and the ability to focus on specific details when needed.
Integrating the CRO in Strategic Decision Making
To make sense of the multiple personas, forms and activities of the CRO we can think of them in a continuous state of tension across two dimensions:
- focusing on opportunities or threats; and
- managing their integration within the firm.
CRO’s and their risk teams can operate with a relatively weak coupling to the firm’s objectives, or they can be strongly integrated. Our research suggests that the former is sub-optimal to business outcomes and growth. These two dimensions define the CRO’s Growth Enablement Framework below.

Figure 1: CRO Growth Enablement Framework
The CRO Growth Enablement Framework has three layers, all of which are part of a comprehensive approach to enabling growth:
- Foundation Enabler: Activities in this first layer focus on risk as a threat
- Operational Consultant: In this layer, the CRO and risk function are more deeply embedded in the business, viewing risk not just as a threat but as a potential source of value.
- Strategic Partner: At the highest level of integration, CRO’s who are effectively embedded at board level help shape the organisation’s overall strategy, not just specific initiatives