When Do You Need a Chief Risk Officer?

Like it is in the First Amendment, a separation of church and state is also critical for banks.

And in financial services, that means ensuring there is distance between the employees who make the daily decisions that help drive revenue and those who are responsible for ensuring such decisions fall within the bank’s risk parameters. That’s where a chief risk officer can step in.

“Risk management is a process, not an event,” says David Dunn, chief risk officer at FIS, a core technology provider. “It is meant to be a process that is dynamic, and it evolves and changes with the organization. We usually think of it as bad things, but risk can be about opportunities. How do we think about those things to make timely decisions?”

Not every bank has a chief risk officer, given that some institutions are too small to bear the cost of having this executive and instead delegate these responsibilities to other staff. Only 54% of banks have a CRO, according to Bank Director’s 2026 Risk Survey, but unsurprisingly, bigger banks are more likely to have one. Sixty-one percent of banks from $1 billion to $5 billion in assets have a CRO and the number jumps to 96% for banks from $5 billion to $10 billion. Asset size and regulatory requirements can be a big driver of the decision to add a dedicated risk officer. Regardless, a person whose sole job is to consider risk can help position a bank to achieve its strategic plans while curbing the potential for credit, regulatory, security and compliance issues.

“If I were on the board and we didn’t have a CRO, and depending on the bank’s strategy, growth and complexity, I’d be asking: ‘At what point do we start a dialogue about hiring one?’” says Ryan Luttenton, a partner in risk consulting at Crowe. “‘When is the right time, why now and what value can the role bring to the organization?’”

In general, banks usually start considering hiring a dedicated CRO once they are approaching $1 billion in assets, according to Cameron Boyd, a managing partner in the financial services practice at Smith & Wilkinson, a talent advisory firm. That’s because the regulatory scrutiny begins to intensify once an institution has passed that threshold. The need for a CRO then usually intensifies as the bank approaches $10 billion.

But the decision to add the position of CRO should not be solely driven by regulatory demands. Instead, a bank’s board and management team should consider whether the organization could benefit from an individual taking on this role. For instance, hiring a CRO could be a prudent decision if a bank is looking to grow into a new business line, complete an acquisition or make another strategic move that could bolster its risk profile. That would mean starting the recruitment process 12 to 24 months in advance of when the bank would like to have a CRO on board.

“At some point, that step gets pushed — whether by growth, complexity or regulatory expectations,” Luttenton says. “You want to be able to take that step proactively, based on what’s best for the organization, and give yourself the time and runway to implement the role effectively.”

Additionally, adding a CRO may free up the CEO to focus on other strategic initiatives, Boyd says. The bank could restructure its team by having some managers report to the CRO instead of the CEO. As the bank grows, “the CEO may find the increasing number of direct reports cumbersome,” Boyd adds.

In general, CROs have broad oversight and may be responsible for areas such as credit, compliance, enterprise risk management, cyber risk and operational risk, though not every bank structures the role in the same way. According to Bank Director’s Risk Survey, respondents said that other executives reported to the CRO, including the chief compliance officer (65%), the chief information security officer (38%), the chief information officer (24%) and the chief credit officer (21%). Eighty-one percent said the CRO reported directly to the CEO.

Dunn is an advocate of banks of all sizes having a risk officer since it’s a way to segregate duties within the three lines of defense model, which divides responsibilities to ensure independence and transparency. The first line of defense is operations and the daily running of the institution while the third line is internal audit. The second line, which is where risk management sits, involves monitoring and oversight. “You want a second set of eyes,” he adds. “When we think of a second line risk function, what does risk management do for the organization? One aspect of it is this idea of oversight and credible challenge to really step back without passion or prejudice and ask, ‘Is this really the best way?’”

When a CRO is brought on for the first time, the bank’s various business lines could bristle at the thought of there being an added layer of internal scrutiny. But the board and management must signal to the rest of the organization that this new hire is important and will have a seat at the table. It’s important that the risk officer be brought into any decision-making at the beginning of the process rather than asking the person to rubber stamp decisions at the end, says Tom Jasper, chief operating officer at Choice Financial Group in Fargo, North Dakota.

Stewart Goldman, a senior client partner at the consulting firm Korn Ferry, suggests that bringing in business line heads during the interview process can help make integrating this new function easier. When hiring a CRO, the bank should look for an individual who is able to navigate internal issues. “If a bank hasn’t had a risk officer or hasn’t had a mature risk function before, bringing in someone who has the skill set and who can understand culturally and commercially how do we align our risk philosophy is important,” he adds. “It is influence skills. There needs to be more risk discipline. How do I get people to do that without having them think I’m trying to turn their world upside down?”

Bringing in a CRO for the first time should start with alignment between the board and the management team, Jasper says. That means they need to agree on the strategic direction of the bank and the risk it is willing to take on. “If your strategy is more of the same then that’s one type of CRO hire. But if the bank is going to branch off and do something different then that’s a different type of hire,” he adds.

Although the role of CRO is not a new one at the $6 billion Choice, the bank did recently complete the process of recruiting a new executive to fill the position.

The bank has participated in banking as a service for almost a decade and was looking for a CRO to help support growing that business. But management was also looking for an executive with experience in “innovative and novel banking” in case Choice ever wanted to expand, Jasper says. Choice ended up hiring Natalie Parker, who was the CRO for Tulsa, Oklahoma’s Vast Bank, a $565 million subsidiary of Vast Holdings. The bank has partnered with USBC and Uphold to offer tokenized deposits.

“For our institution, the CRO search is the most difficult to execute, and other than the CEO, it is the most critical,” Jasper says. “The reason is, I think, you really need a strong alignment between your CEO and the board as it relates to the direction of the bank. The CRO is overseeing that future direction.”