The Board-Level CRO: Governance Positioning and SMF4 Approval Considerations
The Board-Level CRO: Governance Positioning and SMF4 Approval Considerations
The Chief Risk Officer at an FCA-regulated firm occupies a governance position that is structurally different from every other member of the executive leadership team. Every other C-suite executive — the CEO, CFO, COO, CMO — is accountable for delivering commercial outcomes within the firm’s risk appetite. The CRO is accountable for defining what that appetite is, for ensuring the firm understands and manages its exposure relative to it, and for providing independent challenge when business decisions carry risk that the organisation is inadequately assessing or mispricing. This independence is not a governance preference — at FCA-regulated firms, it is a regulatory requirement.
The governance positioning of the CRO — how the role is structured relative to the CEO, the board, and the Risk Committee — determines whether this independence is real or nominal. A CRO who reports solely to the CEO, whose budget is controlled by the business lines they oversee, and who attends the Risk Committee only by invitation is not structurally positioned to provide independent oversight regardless of their personal capability. Getting the governance positioning right before making the appointment is as important as getting the appointment right.
The SMF4 Designation: What It Adds to the CRO Role
At FCA-regulated firms, the CRO holds the SMF4 designation — the Chief Risk Officer Senior Management Function. The designation requires FCA approval via Form A before the individual can begin exercising their SMF4 responsibilities, imposes the Duty of Responsibility for risk management failures within the CRO’s area of accountability, and requires the individual to maintain a Statement of Responsibilities that accurately describes their specific risk oversight obligations.
The SMF4 designation does not automatically attach to all CRO-equivalent roles at all firms. Some firms have a Head of Risk or Group Risk Director who performs the risk oversight function but is not designated as SMF4 — typically because the firm has assessed that the individual’s role falls within the Certification Regime rather than the Senior Managers Regime. Boards should confirm with their compliance function which specific designation applies to the risk oversight function at their firm type before opening the appointment process, because the regulatory requirements and the approval process differ significantly between the two.
Where the SMF4 designation applies, the CRO is a personally accountable senior manager in the full regulatory sense — not simply a senior executive with risk oversight responsibilities. The personal accountability dimension changes what the role requires of the individual and what the appointment process needs to assess.
Governance Positioning: The CRO’s Reporting Line and Authority
The FCA expects the Chief Risk Officer at a regulated firm to have a reporting line that protects their independence from the business lines they oversee. At most regulated firms, this means the CRO has a primary reporting line to the CEO (to ensure operational integration) and a secondary reporting line directly to the board or the Risk Committee (to ensure governance independence). The secondary reporting line is the structural mechanism by which the board maintains oversight of the risk function independently of the CEO’s filter.
The FCA pays attention to whether this secondary reporting line is genuine or merely documentary. A CRO who attends Risk Committee meetings but whose written reports to the committee are reviewed and edited by the CEO before submission, whose access to the committee Chair is mediated through the CEO’s office, or who is unable to escalate a material risk concern directly to the board without the CEO’s knowledge and consent, does not have a genuine independent reporting line regardless of what the governance documents say.
The board’s role is to actively maintain the CRO’s independence by ensuring that the secondary reporting line is structured and exercised in a way that gives the CRO genuine access to the board, genuine authority to challenge business decisions, and genuine protection from commercial pressure. This requires the Risk Committee Chair (SMF10) to take an active role in managing the CRO relationship — meeting privately with the CRO before formal Risk Committee meetings, ensuring the CRO’s assessment of the firm’s risk position is heard independently of management’s presentation, and being willing to raise governance concerns about the CRO’s independence directly with the Chair and CEO where necessary.
The CRO’s Relationship with the Risk Committee
The Risk Committee is the primary governance body through which the board maintains oversight of the firm’s risk management. The CRO’s relationship with the Risk Committee Chair (SMF10) is one of the most important governance relationships in a regulated firm, and its quality directly affects the board’s ability to perform its regulatory oversight function. A Risk Committee Chair who does not engage proactively with the CRO between meetings — who receives the CRO’s formal committee report without prior discussion, without context, and without the informal briefings that allow genuine engagement with the issues — is not performing the oversight function the board requires.
Best practice for the CRO-Risk Committee Chair relationship includes: regular bilateral meetings between the CRO and the SMF10 Chair outside the formal committee cycle; the CRO’s involvement in setting the committee’s agenda, including the right to raise matters for the committee’s attention without the CEO’s prior approval; private sessions at Risk Committee meetings where the CRO can discuss the risk environment with NEDs without management present; and an agreed escalation protocol for material risk events that gives the CRO a direct path to the committee Chair when immediate governance attention is required.
SMF4 Approval: What the FCA Assesses
The FCA’s assessment of an SMF4 applicant focuses specifically on the individual’s understanding of the risk management obligations of the role and their capability to exercise genuine independence in a commercial environment that may create pressure to minimise risk concerns. The regulatory interview, which is more likely for CRO appointments at complex or higher-risk firms, typically explores: the candidate’s understanding of the firm’s specific risk profile; their approach to managing the tension between risk oversight and commercial relationships; their experience of situations where they have provided challenge that was unwelcome but necessary; and their understanding of the personal regulatory accountability the SMF4 designation carries.
A CRO candidate who cannot describe a specific situation in which they provided material challenge to a business decision — whose risk oversight track record is characterised by alignment with business line conclusions rather than independent assessment — will leave a regulatory interview with a poor impression that affects both the approval decision and the ongoing supervisory relationship. Boards should assess their preferred CRO candidate against this dimension specifically, rather than assuming that technical risk expertise and a positive professional reputation are sufficient to navigate the FCA approval process.
The CRO’s Statement of Responsibilities
The Statement of Responsibilities for an SMF4 holder requires particular care to ensure it accurately reflects the genuine scope of the CRO’s authority and oversight, not simply the formal risk management responsibilities that appear in the job description. A CRO who is accountable for the firm’s risk appetite framework but who does not have the authority to challenge business decisions that threaten to exceed that appetite without CEO approval has a governance accountability that outstrips their actual authority — and an SoR that describes the accountability without reflecting the authority gap creates personal regulatory risk for the individual.
Boards should review the CRO’s Statement of Responsibilities specifically against the question of whether the governance authority documented is consistent with the governance authority actually exercised. Where a gap exists, the resolution is either to expand the CRO’s authority to match the documented accountability, or to revise the SoR to accurately reflect the actual scope of the CRO’s governance role. An SoR that describes accountability beyond the individual’s real authority is not a safeguard — it is a regulatory risk.
Working with Exec Capital
Exec Capital places Chief Risk Officers at FCA-regulated firms — permanent, interim and fractional — including SMF4 approval support and governance positioning advice as part of every assignment. We advise on the CRO’s reporting line structure, Statement of Responsibilities scope, and the regulatory interview preparation process. Call Adrian Lawrence FCA on 0203 834 9616.
The CRO’s Authority to Challenge Business Decisions
One of the most consequential questions in structuring the CRO’s board-level governance positioning is the extent of their formal authority to challenge and, where necessary, block or escalate business decisions that carry risk exceeding the firm’s appetite. At firms with mature risk governance, this authority is typically documented in the risk governance framework and the CRO’s terms of reference — the CRO can formally object to a business decision, require it to be escalated to the Risk Committee, and in extremis to the full board, before it is executed. This formal escalation right is what makes the CRO’s independence meaningful rather than advisory.
At challenger banks and growth-stage regulated firms, the CRO’s formal authority is often less clearly defined — not because the regulatory requirement for independence is absent, but because the governance framework is still being developed and the cultural norms around executive challenge are still being established. A CRO at a growth-stage regulated firm who does not have a documented escalation right — whose ability to challenge a credit or underwriting decision depends on their personal relationship with the CEO rather than on a formal governance mechanism — is in a structurally weaker position than the regulatory framework intends, regardless of how strong their personal risk judgment is.
Boards making a CRO appointment at an early-stage regulated firm should consider the governance positioning question as part of the appointment process — confirming that the risk governance framework is adequate before the CRO takes the role, rather than asking the incoming CRO to negotiate their own governance authority after they arrive. An incoming CRO who must negotiate the terms of their independence with the CEO is not starting the role from the position of strength the SMF4 designation requires.
Interim CRO Coverage at Regulated Firms
When a CRO vacancy arises at a regulated firm — whether through resignation, departure or performance management — the firm faces an immediate regulatory exposure. The CRO function cannot remain unfilled for an extended period without the FCA and PRA (where applicable) taking notice, and the temporary appointment provisions of SUP 10A have a twelve-week maximum that may not accommodate a full permanent search and approval process at a complex regulated firm. Interim CRO coverage from an experienced individual who has previously held the SMF4 designation is frequently the most effective bridge solution — allowing the permanent search to be conducted properly without operational and regulatory pressure.
Exec Capital maintains relationships with experienced risk executives who have held SMF4 designations and who can provide genuine interim CRO coverage at regulated firms. These individuals bring the regulatory credibility and technical risk expertise to engage substantively with the FCA or PRA during the interim period — not simply holding a designation on paper while the permanent search progresses, but providing real risk governance oversight while it does so. Boards that structure the CRO role properly from the outset — with clear reporting lines, documented escalation rights, a genuine secondary reporting line to the board, and a Risk Committee Chair who actively manages the CRO relationship — create the governance conditions in which a strong CRO can succeed. Those that treat the CRO appointment as filling a regulatory requirement without creating the structural authority the function needs will find that even an excellent candidate cannot deliver effective risk governance against a structurally compromised mandate.
About the Author
Adrian Lawrence FCA is the founder and managing director of Exec Capital, an ICAEW-Registered Practice. Verified at find.icaew.com. Companies House: 15037964.
Related Services and Further Reading
Discuss Your CRO Search
Exec Capital places Chief Risk Officers at FCA-regulated firms — permanent, interim and fractional — with SMF4 approval support. Led by Adrian Lawrence FCA.
Related posts:
Chair of Risk Committee (SMF10) Appointments at FCA Firms
CRO Recruitment at Challenger Banks and Dual-Regulated Firms
Chair Recruitment for FCA-Regulated Firms: The SMF9 Brief and What Boards Should Look For
Wealth Management Executive Director Hiring
Senior Board Appointments at Challenger Banks: SMCR, PRA Expectations and the Talent Pool
Executive Director Appointments at FCA-Regulated Firms: The SMF3 Brief
Adrian Lawrence FCA is the founder of Exec Capital. He is a Chartered Accountant and holds an ICAEW practising certificate in his own name with over 25 years’ experience operating at C-suite level, Adrian brings direct executive experience to senior search. His background spans private equity-backed businesses, owner-managed companies, and listed environments, giving Exec Capital a practitioner’s understanding of what leadership hires actually require.