The survey also clarifies the role that companies expect CROs to perform. Where ERM structures are advanced, CROs are very senior officers and participate in decision-making at the highest levels of the organization. At the other end of the continuum, the survey included several insurers that do not have a single, titled CRO role, though there may be an officer leading ERM efforts. More robust ERM programs have typically been in place for a few years and are now fully embedded as part of routine business operations, while late adopters struggle to define the ideal role, structure and prominence of their risk teams.
Interestingly, despite the varying levels of sophistication and formality, all survey respondents felt their organizations have adequate processes to manage the risks to their business. In some cases, EY analysis reveals a degree of complacency where risk management capabilities do not seem sufficiently developed. There are just as many examples, however, where risks are very effectively monitored, controlled and mitigated without the recognizable or formalized superstructure that is often associated with modern ERM