Global market benchmark: what are the most common risk reporting lines and operating models?

Sep 15, 2022

An increasing number of risk leaders want to evolve and improve their risk functions, using reliable data to reinforce their plans. Responding to this, Risk Leadership Network has now published a cross-sector market report to identify and analyse the risk operating models in place at more than 50 different companies around the world.

Download now [Free Excerpt]: Risk operating models: the market benchmark

Trying to secure a bigger budget to grow the risk team, evolve the scope of the risk function’s responsibilities or change risk governance structures can be a slow – and painful – process for risk leaders.

Many feel trapped in the operating models they inherited, and changing the status quo can be hard to sell internally.

Having a window into what other organisations have in place provides data that risk leaders can leverage: it empowers them to benchmark where their risk functions sit, compared to peers, and then use this benchmark to make better, more informed requests around the future of Risk at their businesses.

Risk Leadership Network’s latest benchmark, Risk operating models – the market benchmark, aggregates data from listed enterprises, private firms and government-owned corporations to compare how companies from multiple sectors delegate risk responsibilities, report to senior leaders and – crucially – govern the management of risk throughout the business.

In addition to compiling extensive quantitative data, we conducted in-depth interviews with risk leaders at more than 50 companies around the world, gathering insights on the structure of their risk team, the extent to which they use (or do not use) risk champions, and the leadership functions they report into, as well as other related topics.


The benchmark report is divided into two main sections:

  1. Risk operating information – This section comprises key observations about the risk operating models in place at the companies we studied (available to read in our snapshot of the report, see below), the main areas of risk responsibility and information about the most common risk reporting lines.
  2. Four main models – Based on our interviews with risk leaders and the data gathered, we have identified the four main risk operating models being used by large and medium-sized businesses; while companies may deviate from these models slightly, their risk management structure is likely to broadly align with at least one of them.

To download an excerpt of the report – which provides a detailed overview of the risk reporting lines implemented at 50 different companies, as well as data on which group functions typically take responsibility for major risk activities – please click here.

The most popular reporting lines

According to our research, illustrated in the chart below (for a higher resolution version, see our snapshot of the report following the link above), Finance is the most common reporting line for chief risk officers (CROs), risk directors and heads of risk.

Other major reporting lines common among the wide sample of companies we studied include reporting directly to the CEO and to Legal; a few companies report into Strategy, which does appear to represent a growing trend.


One of the most popular operating models: large centralised group risk function

One of the four main risk operating models highlighted in the benchmark report is the “large centralised group risk function with risk partners,” which can be found most often at complex, global businesses, such as mining and telecommunication operators, and financial services organisations.

Key attributes of this model include:

  • The risk function is typically led by a CRO who sits on the executive leadership team.
  • 10–15% of resources in the team, who are often organised into centres of excellence (COE), focus on setting and communicating the risk framework to the rest of the business, driving continual improvement and leading risk reporting.
  • The remaining resources are typically risk partners deployed into the business to work with risk owners (though they tend to still be part of the group risk team and report to the CRO).

While some of the core responsibilities of this large risk function include the obvious – enterprise risk management, assurance and compliance – we also found that the majority of risk resources working as part of a larger team are spending an increasing amount of their time on policy governance as well.

Finally, it is important to recognise that, as with all the operating models identified in our report, there are benefits and trade-offs to consider. For example, in the case of the large centralised group risk function, an ability to manage risk more proactively is balanced by the lack of flexibility this structure provides from a resourcing perspective.

As we continue to assess how companies in different industries and geographies manage risk (we already have a specific report on energy and utilities sector operating models, and watch out for our upcoming benchmark report on risk operating models in the MENA region), this latest global report provides risk leaders with a benchmark against which to compare their own risk governance framework.

Want to read the full report?

Members are already using this benchmark and leveraging its insights to enhance their own internal requests to bring their risk function more in line with industry standards.

To find out more and download an excerpt of the benchmark report, which also includes data about how risk responsibilities are distributed amongst teams, click here.

To learn more about how you can access the full report, as well as our other benchmarks and resources, click here to enquire about Risk Leadership Network membership.
