To become a chief risk officer (CRO), you will need an advanced degree and at least 10 years — and sometimes as much as 20 years — of experience in a cross-section of corporate operational areas. This position is typical only in large corporations that have complex risk management needs, and the job is slotted at the executive vice president level. The credentials needed to compete for the job are quite substantial, in most cases.
Development of the CRO position was in a response to the financial crises and resulting increase in regulatory requirements imposed on corporations by various jurisdictions in the mid-2000s. Chief risk officers typically handle risk oversight and crisis management across many functional corporate areas, including internal audit, insurance, investigations, information technology, fraud and government compliance, among other things. To become a chief risk officer, you can approach the position from various angles, including finance, accounting and legal.
As an initial matter, you will need an advanced degree. A CRO is a senior executive in charge of some of the most sensitive parts of an operational landscape. A Master of Business Administration (MBA) degree with an emphasis in accounting or economics would be appropriate, as would a law degree. Any advanced degree that shows your knowledge of internal auditing, insurance, corporate fraud, information security, legal liability and compliance could support your candidacy.
You will need a significant amount of experience in a complex environment within the corporate world to become a chief risk officer. An employer typically will expect at least 10 years of relevant experience working with major corporations at the senior executive level. Some corporations want as much as 20 years of experience. Keep in mind that it is important to target experience in the type of industry in which you want to work. Risk management for the healthcare industry is significantly different from risk management for universities, for instance.
The only typical route to a chief risk officer position is perhaps through a company's internal audit department. Internal audit is a risk management function, so the person who holds a director of internal audit position would have many of the skills needed to become a chief risk officer. The key to the position is the ability to manage risks and rewards across the entire company. Any internal promotion likely would depend on your ability to demonstrate an expansive outlook even though you direct only one functional area. Another good fit is through the legal department, because almost all of the responsibilities of the CRO position have a legal underpinning.