What should you think about when hiring a CRO?


In my role at Damhurst & Co, I’m fortunate to meet many highly skilled and experienced Chief Risk Officers (CROs) – and the CEOs that recruit them. 


This, as well as Damhurst’s culture of research-led recruitment, has given me some insight into what companies should think about when hiring a CRO.  


Risk management is a complex process that requires considerable skill, knowledge, and experience. At our recent breakfast roundtable, hosted with Sicsic Advisory, we explored the issue of cyber risk and its impact on the insurance market. This discussion highlighted the need for CROs to be constantly adapting to new technologies and the associated risks – and to pass on this understanding to leaders and staff.

 

As technology continues to change the way we do business, here are some of my key considerations for recruiting a CRO: 


Technological knowhow 

 

The recent cyber attacks on the NHS have highlighted a greater need than ever for robust cyber risk management and organisational preparedness.  

 

A surge in the adoption of AI also underscores the importance of implementing safe and ethical practices, as certain IT and customer support roles become automated.  

 

CROs therefore need a firm understanding of the ongoing developments in AI and machine learning in order to implement appropriate processes and systems to prevent cyber attacks. This also means knowing what questions to ask staff in tech roles to ensure effective controls are in place. 

 

Where IT and data management are outsourced to third parties, the role of CRO is also key to ensuring strong governance, oversight, and contingency planning. 


Regulatory expertise 

 

It goes without saying that CROs also need to establish strong and constructive relationships with regulators such as the FCA and the PRA, and to stay informed about new regulatory requirements.  

 

Participants in our roundtable breakfast discussed the FCA’s recent ‘Dear CEO’ letter on cyber risk, in which the regulator outlined a requirement for firms to scenario-test their Important Business Services (IBSs) to identify any vulnerabilities by March 2025. The FCA has also expressed concerns around information held by third parties, stating that companies should implement stringent controls to reduce the risk of cyber attacks. 

 

CROs should have an expert understanding of both UK and international regulatory standards, remaining fully aware of their firms’ regulatory responsibilities as they evolve and change. 


Communication and diplomacy 

 

Effective communication with stakeholders and decision-makers is also key to the role of the CRO. 

 

Despite a growing awareness of the risk of ransomware and cyber attacks, there are differing levels of enthusiasm for offering cyber / BI cover at board level. As a result, some insurers are currently avoiding the UK mid-market because of concerns over their ability to provide the necessary cover for business interruption and operational resilience. 

 

There’s clearly a business opportunity here, and CROs need to be able to relay emerging issues to senior management in a clear and timely way, conveying both the necessary mitigation measures and the importance of these. 


A strategic approach 

 

As well as being effective communicators, CROs need to have strong strategic skills. This means developing and implementing plans for risk management infrastructure in line with evolving technology and their firm’s overarching strategic objectives. 

 

In cyber risk, the role of the CRO now extends to conducting simulated hacks to assess companies’ response and preparedness, working with IT personnel to build in-house capabilities and operational resilience. 

 

The most effective CROs take a strategic approach to improving operational risk policies and procedures. This encompasses not just people, processes and systems, but also prevention and protection.

 

Damhurst’s extensive network of talent includes CROs across the P&C and specialty markets in Bermuda, Europe, London and the US. If you’re looking for strategic support with your recruitment process, get in touch.

James Cooper

Insurance Executive Search at Damhurst

6mo

Thank you Guy for sharing! It’s been amazing to watch the role of the CRO emerge, solidify and then evolve over the last 10-15 years.
