Today’s chief risk officers (CROs) sit at the forefront of enterprise-wide decision-making and long-term strategy setting. They work closely with CEOs and other senior executives to navigate disruptions and risks inherent to the business while also ensuring that they maintain the independence that enables prudent guidance.

To better understand the evolving role of the CRO, we conducted in-depth interviews with more than 30 current and former CROs of major financial institutions from across the globe. In a previous article, we laid out the six habits that make CROs successful: being explicit about their risk and resilience purpose, creating the next generation of risk leaders, leading beyond risk, treating supervisors as partners, focusing on what only they can do, and monitoring their personal effectiveness. In this article, we build on this to examine the ways that top CROs develop different objectives, mindsets, and operating models based on both internal preferences and external conditions.

In the course of our research, one thing became clear: There’s no one-size-fits-all approach to achieving CRO excellence. Successful CROs exhibit the six habits previously referenced, but they still differ in how they emphasize various facets of their roles to meet distinct moments. With organizations facing a hyperconnected, geopolitically fraught, tech-forward world, there’s simply too much volatility to pave a linear pathway to success.

Through our study, we have identified three common CRO archetypes that describe different combinations of objectives and mindsets and the resulting operating models. CROs’ intrinsic preferences, as well as extrinsic factors such as changing company strategies, global crises, evolving market dynamics, regulatory changes, and shifting trade policies, can influence their archetypes and may cause them to shift, at least temporarily, from one archetype to another. Examining these archetypes can help CROs better understand their innate inclinations—and help them identify conditions under which they could benefit from altering their archetype to deal with shifting circumstances.

Three CRO Archetypes

Based on the interviews, we labeled the three CRO archetypes as the “architect,” the “protector,” and the “business accelerator.” Each risk leader typically gravitates toward one of these archetypes, in many cases influenced by their previous work experience. But as a CRO’s organization matures over time or disruption necessitates change, shifting to another archetype can be advantageous.

The Architect

CROs who intrinsically gravitate toward the architect archetype are motivated by a desire to leave the risk function better for the next generation. They especially value building and institutionalizing world-class capabilities and risk culture and setting high standards for risk management. They focus on creating strong risk foundations and investing in long-term capabilities to support the resiliency and efficiency of their organizations.

Architect CROs devote much effort to supporting their teams through leadership development, mentorship, and training—preparing younger leaders to step into bigger, broader roles. Craig Broderick, former CRO of Goldman Sachs, said, “As you become more strategic and less tactical with time, not only do you rely more on your colleagues for day-to-day work, but you spend more time partnering with them and mutually growing. One of the most important functions of any senior leader is that they create depth of people in the organization who are capable of taking over.”

External circumstances (such as a major regulatory change) can push CROs of all types to put on their architect hats. In such situations, those who do so successfully first consider the future sustainability of the decisions and design choices that they make. “I always think about the management team ten or twenty years from now,” shared Marlene Debel, Metlife’s CRO and head of MetLife Insurance Investments. “I hope they will look back and say, ‘I’m really glad they made that decision.’ In a business like ours, you live with your decisions for a long time.”

For CROs who gravitate toward the architect archetype, it’s important to remain mindful of the need to be nimble in some contexts and to appropriately and pragmatically react to fast-moving events. They need to recognize that perfect can be the enemy of good when time is of the essence.

The Protector

CROs who gravitate toward the protector archetype are motivated by creating highly responsive risk organizations that can handle whatever is thrown at them. Don Truslow, former CRO of Wachovia, told us, “You get pulled into everything. Stick to your guns. Recognize your role. Do what you can to help, whether that’s pleasant things or unpleasant things. There are a lot of things that are outside your control, and you get anxious because you can’t control them, but you do your best. And just remember that one day, the sun will come up.”

Protector CROs tend to focus on the most pressing issues at hand, whether they are managing day-to-day risk or implementing broader “change the bank” priorities. They make decisions quickly and confidently—even during a crisis.

Protector CROs often come from risk-related backgrounds that have taught them to mobilize swiftly and act with conviction. But every CRO will at some point during their career need to play protector. “It’s a decision-making role; you’re not just an adviser,” said Brian Leach, the former top risk executive at Citigroup who is credited with helping stabilize the organization in the wake of the 2008 financial crisis. “The ability to handle a crisis is the lifeblood of a CRO.”

One potential pitfall for CROs who gravitate toward the protector archetype is that they may lead with so much intensity that they risk overtaxing their teams and creating burnout. They should pay attention to the health of their teams and make sure that they build long-term, sustainable capabilities in the risk function rather than become overly reliant on short-term fixes.

The Business Accelerator

CROs who gravitate toward the business accelerator archetype are motivated by maximizing business growth and profitability while remaining vigilant about risk. Through informed, calculated, and proactive risk management, they enable their organizations to reach business goals efficiently and effectively. Lorie Rupp, CRO of First Citizens Bank, noted that she tries to create an even balance between risk management and strategic planning: “My job is about the rules and regulations and industry practices, but if I don’t support the business strategy, I am of no use to the company. My value becomes pretty unbalanced.”

These CROs put significant effort into engaging with their executive teams to understand their businesses’ strategic objectives. They develop strong, trust-based partnerships with their business counterparts to aid collaboration and joint decision-making. Alexandra Boleslawski, CRO of Crédit Agricole Group, reflected on how important it is for a CRO to internalize the business strategy: “We are completely part of the decision-making process, and we are sitting at the committee that gives the go. And to be able to provide your opinion, you need to understand the strategy. Of course, you will look at the risk on a stand-alone basis, but you also need to look at the risk in the global picture and whether this is consistent with the overall strategy.”

It’s no surprise that business accelerator CROs often come from a strong business background. They value having a say in steering their companies’ strategic directions and allocating capital commensurately. When it comes time to challenge the CEO, as every CRO will occasionally need to do if circumstances warrant, “EQ trumps IQ,” said Trevor Adams, former CRO of Nedbank. “It comes back to relationships. A good relationship means you can be open and feel safe in conversation and not be threatened when you raise something or disagree.”

CROs who gravitate toward the business accelerator archetype should be careful, as they prioritize business goals, to stay ahead of (not just respond to) regulatory developments. They should also make sure that they sufficiently invest in longer-term needs of risk management infrastructure. While leading beyond risk is important, an organization without a robust risk management function can be especially vulnerable to the next crisis that comes its way.

How Each CRO Archetype Budgets Time

Our research indicates that architect, protector, and business accelerator CROs spend their time differently across four important areas (exhibit). Architect CROs split their time across the four areas more evenly than do other archetypes. Protector CROs tend to allocate comparatively much more time to day-to-day risk management. Business accelerator CROs allocate comparatively more time to engaging with their executive teams and boards. To assess their operating models, CROs can ask themselves several questions: Am I allocating time in ways that will help me achieve my top priorities? Where am I spending too much time? What adjustments might be needed for success?

Our analysis suggests that no archetypical approach is inherently more effective than another. All three have benefits and can be highly effective at different moments in an organization’s journey. While every CRO may naturally lean toward a particular archetype—guided by strengths, personality, and experiences—being self-aware of their inclinations and alert to when circumstances require a shift will help them navigate the course of their careers. Our hope is that by understanding these archetypes, CROs can develop a better understanding of how they lead themselves and align their strategies with long-term organizational needs.

Which CRO Archetype Are You?

Successful CROs often reflect on their leadership objectives, mindsets, and operating models. To understand which archetype they naturally gravitate toward, CROs can consider and answer several questions.

Embracing the CRO Archetype Journey

CRO excellence requires continuous recalibration and adaptation, and successful CROs can transition to a different archetype when the moment demands it. A range of internal and external factors—including strategic changes, competitive dynamics, regulatory developments, and unforeseen external events—can catalyze shifts from one archetype to another. It can be helpful to consider the following questions to identify whether any of these situations are occurring:

• Is the company experiencing a change in the regulatory regime that requires the risk function to be adjusted or modernized for the future? This is often a moment to embody the architect CRO archetype and focus on implementing foundational risk management, establishing frameworks, and cultivating risk talent and culture.
• Has the company been thrust into a crisis situation, or are there warning signs of a crisis on the horizon? These are moments to serve as a protector CRO to stabilize the company, manage urgent threats, and safeguard assets.
• Does the organization need its risk function to help enable strategic pivots? This could be the time to act as a business accelerator CRO, becoming involved in steering the company’s strategic direction and optimizing capital allocation in ways that encourage growth.

Frequent reflection on such questions can help ensure that a CRO doesn’t wait too long to shift among archetypes when a change is needed. “A truly successful CRO will likely evolve from one archetype to another over the course of their tenure,” said Mark Hughes, former CRO of the Royal Bank of Canada, “and will certainly need the ability to move deftly between archetypes, depending on the situation.”

Nigel Williams, former group CRO of Commonwealth Bank of Australia, made a shift from architect to business accelerator CRO. “I’d say that earlier in my career, it was about, ‘How do we fix data, and how do we solve problems around risk issues like data accuracy and consistency?’” he said. “Today, it’s about, ‘How do we get real value out of the data assets that we have?’” Evolving technological capabilities catalyzed a shift in Williams’s focus from an emphasis on tactically solving data-related risk issues to leveraging data for the business’s benefit.

After he overcame some challenges at his organization, Shaun Dooley, group CRO of National Australia Bank, found that calmer circumstances allowed him to shift his perspective from protector to architect CRO, focusing more on long-term planning. “I moved toward thinking, ‘What’s the future risk profile?’ I pushed myself into the future a lot more, doing a lot of studying.”

Each CRO archetype embodies a specific operating model that allocates time across various areas and stakeholders based on objectives and mindsets. External events and internal strategic changes can require CROs to shift from one archetype to another. Effective CROs use their networks to keep a pulse on the magnitude and velocity of changes, allowing them to act quickly when circumstances warrant. The best CROs are versatile and well-rounded leaders who are self-aware about their go-to archetype’s benefits and limitations and who exhibit the ability to seamlessly shift operating models among all three archetypes when needed.