What are the most common risk reporting lines and operating models?

4 min read
Sep 15, 2022

An increasing number of risk leaders want to evolve and improve their risk functions, using reliable data to reinforce their plans. Responding to this, Risk Leadership Network has now published a cross-sector market report to identify and analyse the risk reporting lines and operating models in place at more than 50 different companies around the world.

Download the full report: Risk operating models - the market benchmark

Why are risk leaders using this benchmark?

Trying to secure bigger budget to grow the risk team, evolve the scope of the risk function’s responsibilities or change risk governance structures can be a slow – and painful – process for risk leaders.

Many feel trapped in the operating models they inherited, and changing the status quo can be hard to sell internally.

Having a window into what other organisations have in place provides data that risk leaders can leverage: it empowers them to benchmark where their risk functions sit, compared to peers, and then use this benchmark to make better, more informed requests around the future of Risk at their businesses. Download the full benchmark and analysis.

Key findings from the report

1. The most popular reporting lines

According to our research, illustrated in the chart below, Finance is the most common reporting line for chief risk officers (CROs), risk directors and heads of risk.


For a full size version of this image download the full benchmark report.

Other major reporting lines that were common amongst the wide sample of companies we studied include direct to the CEO and Legal – and a few companies report into Strategy, which does appear to represent a growing trend.

global market benchmark
Download the global market benchmark
What are the most common risk reporting lines and operating models?


2. One of the most popular operating models: large centralised group risk function

One of the four main risk operating models highlighted in the benchmark report is the “large centralised group risk function with risk partners,” which can be found most often at complex, global businesses, such as mining and telecommunication operators, and financial services organisations.

Key attributes of this model include:

  • The risk function is typically led by a CRO who sits on the executive leadership team.
  • 10 - 15% of resources in the team, who are often organised into centres of excellence (COE), focus on setting and communicating the risk framework to the rest of the business, driving continual improvement and leading risk reporting.
  • The remaining resources are typically risk partners deployed into the business to work with risk owners (though they tend to still be part of the group risk team and report to the CRO).

While some of the core responsibilities of this large risk function include the obvious – enterprise risk management, assurance and compliance – we also found that the majority of risk resources working as part of a larger team are spending an increasing amount of their time on policy governance as well.

As with all the operating models identified in our report, there are benefits and trade-offs to consider. For example, in the case of the large centralised group risk function, an ability to manage risk more proactively is balanced by the lack of flexibility this structure provides from a resourcing perspective.

Create standout risk reports
How to create standout risk reports that demonstrate the real value of Risk
View the full feature article.
Read now


Data and methodology

Risk Leadership Network’s  benchmark, Risk operating models – the market benchmark aggregates data from listed enterprises, private firms and government-owned corporations to compare how companies from multiple sectors delegate risk responsibilities, report to senior leaders and – crucially – govern the management of risk throughout the business.

In addition to compiling extensive quantitative data, we conducted in-depth interviews with risk leaders at more than 50 companies around the world, gathering insights on the structure of their risk team, the extent to which they use (or do not use) risk champions, and the leadership functions they report into, as well as other related topics.

Format of the report

The benchmark report is divided into two main sections:

  1. Risk operating information – This section comprises key observations about the risk operating models in place at the companies we studied, the main areas of risk responsibility and information about the most common risk reporting lines.
  2. Four main models – Based on our interviews with risk leaders and the data gathered, we have identified the four main risk operating models being used by large and medium-sized businesses; while companies may deviate from these models slightly, their risk management structure is likely to broadly align with at least one of them.

Download the full report to access all the insight from the benchmark.

What's next?

  • Download the full benchmark report - members are already using this benchmark and leveraging its insights to enhance their own internal requests to bring their risk function more in line with industry standards.
  • Sector deep-dives - we've already created a specific report on energy and utilities sector operating models, and another for risk operating models in the MENA region based on requests from our members. If you'd like to see a deep-dive into your sector or region, please get in touch and we'll discuss the next steps and membership.
  • Collaborate with leading risk leaders - how do you leverage the data in the report? Risk Leadership Network hold regular small meetings on specific topics within risk reporting between risk leaders in our network. To request to join the next meeting in your focus area, fill in this request form.

Get new posts by email