Wikipedia correctly informs us that "The chief risk officer (CRO) or chief risk management officer (CRMO) of a corporation is the executive accountable for enabling the efficient and effective governance of significant risks, and related opportunities, to a business and its various segments. ... The position became more common after the Basel Accord, the Sarbanes-Oxley Act, the Turnbull Report," not to mention the financial crisis of 2007-08, and Dodd-Frank.
An interesting recent study (Prakash, Puneet, Gupta, Manu and Rangan, Nanda K., Governance and Shareholder Response to Appointment of a Chief Risk Officer (March, 22 2012). Available at SSRN: http://ssrn.com/abstract=2027677) tells us that:
We find that the market is more likely to react positively to an appointment of a CRO the weaker a firm’s corporate governance. In particular, [the] lower the proportion of outside directors the greater is the likelihood of a positive market reaction to the appointment of a CRO, suggesting the shareholders associate the position with better future governance. Finally, firms with higher tax and product risk also experience increases in stock prices when they appoint CROs. [Ed.: My emphasis.]
To my mind, their central finding suggests that the market sees the CRO as a substitute for a board that is not doing its job. Where the board is inactive and insider-dominated board, appointment of a CRO suggests that there will be at least some improvement in the firm's risk management. If you have an active, independent board in place, however, risk management presumably is viewed by the market as already being adequately policied, which is why appointment of a CRO has a lesser market impact in such firms.
My research on board dynamics (see, e.g., Why a Board? Group Decisionmaking in Corporate Governance. Vanderbilt Law Review, Vol. 55, pp. 1-55, 2002. Available at SSRN: http://ssrn.com/abstract=266683), suggests that:
In mixed status groups, higher status persons talk more than lower status members. Managers, for example, talk more than subordinates in business meetings. Such disparities result in higher status group members being more inclined to propound initiatives and having greater influence over the group’s ultimate decision.
One function of the board of directors thus is providing a set of status equals for top managers. As such, corporate law’s insistence on the superiority of the board to management begins to make sense. To the extent law shapes social norms, admittedly a contested proposition, corporate law may empower the board to constrain top management more effectively by creating a de jure status relationship favoring the board.
Accordingly, monitoring risk management by an active independent board should be a more effective contraint on risk taking by the top management team than would monitoring by a member of that team.