Effects of Organizational Structure

Corporate risk management has gained unprecedented importance in recent years, becoming a central focus at the highest organizational levels. This shift is driven by a combination of escalating regulatory scrutiny, intensifying cybersecurity threats, evolving environmental, social, and governance (ESG) expectations, and persistent economic uncertainty. It is also being driven by rapidly emerging disruptive technologies such as AI, wars and global geopolitical unrest, global pandemics, and supply chain disruptions. Risk management, once viewed primarily as a compliance exercise, is now seen as a strategic function essential for organizational resilience and growth. How companies respond to these complex risks organizationally now and in the future has profound implications for a company’s continued existence and long-term success.

In the past, it was quite common for risks to be managed by many people across companies, often by people who had other primary job functions, so corporate risk was managed in a less formal, decentralized, and uncoordinated manner. Today companies are rapidly evolving and moving away from traditional risk management org structures and processes to new org structures and mindsets in which a resilient risk culture fuels and, in many ways, leads growth. In the U.S., the proportion of organizations with complete enterprise risk management (ERM) processes and org structures has increased significantly over the past decade, but still only about a third report having mature or robust risk oversight. This suggests a growing recognition of the importance of risk management, but also highlights the ongoing need for further investment and development in this area.

The Evolving Role of the Chief Risk Officer (CRO)

McKinsey & Company (a.k.a. McKinsey) is one of the world’s top-3 management consulting firms and is widely regarded as a leading adviser to senior leaders at top global organizations. In 2025 McKinsey released a series of reports about the rapidly evolving role of the CRO (Chief Risk Officer) globally to deal with this increased level of disruptions and the risks they bring. A CRO’s role is to help company executives and employees understand their company’s long-term vision, mission, and objectives relating to risk and resilience.

To achieve their risk management objectives, CROs strive to create a company risk culture. Establishing a mission, vision, and risk culture doesn’t happen overnight; nor is it easy. One CRO McKinsey interviewed for their reports describes this as a “cultural journey” in which risk and resilience principles slowly permeate into all levels of the organization. To quote one recent McKinsey report, “Today’s chief risk officers (CROs) sit at the forefront of enterprise-wide decision-making and long-term strategy setting. They work closely with CEOs and other senior executives to navigate disruptions and risks inherent to the business while also ensuring that they maintain the independence that enables prudent guidance”. As the recent McKinsey reports state, the role of CRO itself is evolving in response to the increasing levels of risks that companies are facing today.

Other Evolving Risk Management Job Titles

Not all companies have CROs or even employees with the word ‘risk’ in their job titles or job descriptions today, but this is changing. Professionals who work in risk management at companies today typically hold a variety of titles, reflecting their level of responsibility, area of specialization, and the specific focus of their role. Common titles involving risk management responsibilities in the fastest evolving companies include:

  • Risk Analyst: Entry-level or mid-level professionals who identify, assess, and report on potential risks to the organization.
  • Risk Manager: Oversees risk management processes, develops mitigation strategies, and communicates policies across the company.
  • Senior Risk Manager: Takes on more strategic responsibilities, often managing teams and influencing company-wide risk strategies.
  • Chief Risk Officer (CRO): The top executive responsible for the overall risk management framework and strategy of the organization; sometimes also called Director of Risk Management or Enterprise Risk Manager.
  • Risk Management Director: Similar to a CRO, but may focus on specific divisions or types of risk within larger organizations.
  • Compliance Officer / Compliance Manager: Ensures that the company adheres to regulatory requirements and internal policies, often overlapping with risk management functions.
  • Operational Risk Manager: Specializes in risks related to business operations and processes.
  • Risk Control Manager / Specialist: Focuses on implementing and monitoring controls to minimize risk exposure.
  • Regulatory Affairs Manager: Manages compliance with laws and regulations, particularly in highly regulated industries.
  • Model Risk Specialist / Financial Modeler: Assesses and manages risks associated with financial models and quantitative analysis.
  • Loss Control Consultant: Works to prevent financial losses due to various operational risks, often in insurance or finance sectors.
  • Risk and Compliance Investigator: Conducts investigations into potential or actual compliance breaches or risk incidents.

These titles may vary depending on the industry and company size, but they represent the most common roles found in corporate risk management structures.

Organizational Structures Commonly Used for Governance & Risk Management:

1. Centralized Data Governance Model

In this model, a single entity or individual oversees all data governance activities. This approach is characterized by:

  • Decision-Making Authority: A designated data governance lead or council makes key decisions regarding data policies and standards.
  • Benefits:
    • Consistency: Ensures uniformity in data management across the organization.
    • Quality Control: Facilitates better decision-making through standardized data practices.
    • Security: Enhances tracking and security of data assets.
  • Risks: May lead to rigidity and slow response times to business needs.

2. Decentralized Data Governance Model

This model distributes data governance responsibilities across various business units, allowing for localized decision-making. Key features include:

  • Local Management: Each department manages its own data sets and governance strategies.
  • Benefits:
    • Flexibility: Adapts quickly to specific departmental needs.
    • Improved Representation: Incorporates diverse perspectives from different units.
  • Risks: Potential for inconsistent data practices and duplication of efforts.

3. Hybrid Data Governance Model

Combining elements of both centralized and decentralized models, the hybrid approach offers flexibility while maintaining some level of oversight. Characteristics include:

  • Framework with Local Autonomy: A central body provides guidelines and best practices, while departments have the autonomy to manage their own data.
  • Benefits:
    • Balances standardization with responsiveness to local needs.
    • Facilitates collaboration across departments while maintaining overall governance.

Summary

Selecting the appropriate organizational structure for data governance depends on various factors including company size, culture, and specific goals. Whether centralized, decentralized, or hybrid, each model has its advantages and challenges. Establishing a Governance and Risk Management Council and clearly defining roles can significantly enhance the effectiveness of any chosen structure.

Governance Councils

How to Establish a Data Governance Council
Regardless of the overarching data governance model, forming a Governance Council is essential. A Governance Council typically includes:

Members Assigned to Council:
Assign to the Council key stakeholders from various departments (IT, legal, compliance) who will set the strategic direction for data governance initiatives.

Defined Governance Budgets & Responsibilities:
Define objectives and policies for data management. Approve budgets and allocate resources for data governance initiatives.

Roles Within Data Governance Structures

A well-defined roles framework enhances the effectiveness of any governance structure. Common roles include:

  • Data Owners: Senior leaders responsible for specific data domains who ensure quality and compliance.
  • Data Stewards: Individuals tasked with managing data quality and implementing policies within their domains.
  • Data Users: Employees who interact with data in their daily tasks, providing feedback on usability and quality.

Best practices to guide the establishment of a Governance Council:

  • Obtain Executive Sponsorship
    Securing support from senior leadership is crucial. An executive sponsor, such as a Chief Data Officer (CDO) or Chief Information Officer (CIO), can provide the necessary authority and resources for the council’s initiatives.
  • Define the Council’s Purpose and Scope
    Clearly outline the council’s objectives, which should align with organizational goals. This includes defining what data domains and business functions fall under its purview. A well-defined charter will serve as a guiding document, detailing responsibilities and decision-making processes.
  • Establish Composition and Roles
    Form a cross-functional team that includes representatives from various departments such as IT, legal, compliance, and business units. Each member should have clearly defined roles, such as data owners, stewards, and analysts. This diversity ensures multiple perspectives on data management.
  • Develop a Governance Framework
    Create a comprehensive framework that encompasses policies, standards, procedures, and metrics for data governance. This framework will guide the council’s activities and ensure consistency in data management practices across the organization.
  • Set Meeting Protocols
    Establish regular meeting schedules and protocols for setting agendas and documenting decisions. Meetings should be structured to facilitate productive discussions and decision-making processes.

  • Implement Training Programs
    Develop training programs for council members and stakeholders to ensure everyone understands data governance principles and practices. This training fosters transparency and empowers employees to engage with the council effectively.
  • Communicate Effectively
    Establish a communication plan to keep the organization informed about the council’s activities, successes, and challenges. Regular updates help build trust and encourage participation from all stakeholders.
  • Monitor Progress and Adapt
    Regularly assess the effectiveness of the governance initiatives using key performance indicators (KPIs). Be prepared to adjust strategies based on feedback and changing organizational needs.

Not having a Governance Council can lead to inconsistent data management practices, poor data quality, compliance risks, security vulnerabilities, operational inefficiencies, lack of accountability, and missed strategic opportunities. Establishing such a council is crucial for fostering effective data governance that supports organizational goals. By following the best practices outlined above, organizations can create a robust Data Governance Council that effectively manages data assets while ensuring compliance with regulations and enhancing decision-making capabilities.

Third Party Risk Management (TPRM)

‘TPRM’ is the common abbreviation for Third Party Risk Management. TPRM involves identifying, assessing, and mitigating risks associated with third parties, i.e. entities on whom your data’s confidentiality, integrity, or availability relies but who are not your employees or customers. Supply chain companies are a type of third party. Nearly all businesses rely on some form of supply chain for sourcing, production, or distribution. It is very common for companies to have supply chains composed of multiple levels, reflecting the complexity and fragmentation of modern supply networks.

The first step in establishing a third-party risk management program is determining which department and roles are responsible for establishing and administering your protocol. If you don’t have a risk management department—and many companies don’t—the responsibility often falls to roles like:

  • Chief Information Security Officer (CISO)
  • Chief Technology Officer (CTO)
  • Information Technology (IT)
  • Sourcing and Procurement
  • Contract Manager

Other executive titles often used for company Enterprise Risk Management (ERM) roles are:

  • Chief Risk Officer (CRO)
  • Chief Financial Officer (CFO)
  • Chief Audit Officer (CAO)
  • Chief Operating Officer (COO)
  • Director of Risk Management
  • Vice President of Risk Management
  • Chief Compliance and Ethics Officer (CCEO)
  • Specialized titles for risk management roles: Operational Risk Manager, Compliance Risk Manager, and Cyber Risk Manager.

Once your company has determined which department and roles are responsible for establishing and administering your risk management protocol, the next step is developing a protocol for handling risk management.