A. The CRO should provide the vision for the organization’s risk management.
B. In addition to providing overall leadership for risk, the CRO should communicate the organization’s risk profile to stakeholders.
C. Although the CRO is responsible for top-level risk management, he is not responsible for the analytical or systems capabilities for risk management.
D. The CRO may have a solid line reporting to the CEO or a dotted line reporting to the CEO and the board.
