Hacker News

roenxi today at 11:40 AM (4 replies)

> But just because a company has appointed a CRO doesn’t necessarily mean that it has made risk management a high priority.

Priority or not, it suggests the company doesn't understand risk. In a company that doesn't look at risk-adjusted rates of return as a natural part of how they do things, a CRO is a mild bad sign.

An analogy might be helpful. Testing code is, with some squinting, a form of institutionalised risk management. Any particular test doesn't necessarily do anything useful, but they apply a certain level of pressure that means the code in general fails less and force people to think more about how they're writing their functions. If a company tells you that it has a special pool of coders who add tests, separate from the ones that write the actual code, that is a bad sign that they know how to do testing. A huge chunk of the value is forcing the person who makes the front line decisions to think about what they are doing. Not to say a dedicated testing team doesn't sometimes make sense in some unusual companies, but it is an exception to the rule. Risk management isn't the type of responsibility that should be separated out into a separate role for most companies because that is much less valuable than the people doing the work being part of a management chain that understands risk.


Replies

cgio today at 1:15 PM

You completely miss the role of CROs or risk function in an organisation. Using your analogy, the Chief Testing Office would not write the tests. They would establish how test coverage is defined and measured, and the target coverage. They would monitor the progress of each team in meeting these targets. It is a governance role that sits as a second line behind the first line that has the immediate responsibility to manage the risk.

Risk adjusted rates are not traditionally in the mandate of a CRO. They sit with Finance or Treasury. And they should be abstracted from front line, who would experience them only through optimisation of their funding.

revv00 today at 12:36 PM

Agreed. This maps directly to the white-box vs black-box testing distinction: either you own your priors and trace the full data lineage from training through validation, or you're relying on an opaque validation set of unknown provenance. And that's before factoring in the organizational politics.

boldslogan today at 1:12 PM

I find this line of thinking similar to companies with "innovation" officers. That is, having an employee who is in "charge of" innovation implies all other employees don't?

RandomLensman today at 11:52 AM

What risk measures for risk adjusted returns would you use (e.g., in SaaS)?
