A look inside the CFO and chief risk officer symbiosis

CFOs can help define risk appetite and collaborate with other company leaders on broader risk management strategy.

These days, being a CFO means a lot more than staring at spreadsheets and crunching budget numbers. Among other non-financial duties, most CFOs are asked to lead enterprise risk management (ERM) initiatives, a recent Gartner survey found.

Finance leaders “bridge the gap” between risk owners and leadership in their organizations where there would otherwise be a disconnect, according to a 2024 KPMG report on the CFO’s role in ERM. Being a link between the two groups means CFOs help ensure “risks are prioritized, capital is allocated, and informed decisions by leadership are made,” the report continues.

Kristen Peed, chief risk officer at HR software and services company Sequoia and board president at risk managers’ society RIMS, said she works closely with the CFO and other senior leaders “to create that strategic vision for the company” around risk management.

CFO Brew recently spoke with Peed about her relationship with the CFO, the finance leader’s critical role in setting risk management strategy, and how organizations can be risk management virtuosos.

This interview has been edited for length and clarity.

How are organizations thinking differently about risk management than they may have in the past?

The successful organizations are actually thinking about it differently, and they’re using risk management as a tool to become more proactive about opportunities and risks they see, rather than just reacting in the moment. I think that’s critical for a company to grow and succeed is to become more proactive, and risk managers are able to use things like predictive analytics and frameworks to help guide their decision-making process and make recommendations to the C-suite, the founders, [and] the board of directors.

Where do chiefs of risk management fit into leadership in those successful organizations?

I was reporting to our CFO [Bob Lawson]…but I was elevated [to chief risk officer] and I report directly now to the CEO. I think the role of chief risk officer is being viewed as one that is critical. That doesn’t mean that I don’t work closely with the CFO on day-to-day tasks, but we’re working collaboratively together to create that strategic vision for the company. The other stakeholders I work with a ton are our chief legal officer, especially when it comes to risks that have already happened, and our CISO.

How do risk management leaders typically work with the CFO?

You have to define—and your CFO is going to really help you define this—what your risk appetite is. They can help frame it for the CEO as well, about which levers need to be pulled, when there’s a certain threshold.

When we were setting up our framework around frequency and severity, it was really critical that we all collaborated together to understand the financial impact that different risks or opportunities could have on the business, where we want to invest our money, and how [that could] lead to a better outcome. The CFO is somebody who really speaks that language and can help interpret the dollars into your risk factors as well.

What strategies work in creating a risk management-centered mentality in organizations?

You really shouldn’t stop at leadership. You have to have a risk-aware culture that permeates all the way down so that the entire company views themselves as a risk owner. I’ll give you a great example for Sequoia. We take our privacy and security super duper seriously. In my less than two years, I’ve had more training around that than I probably had in the prior 10 years at other companies all combined. We have two phishing email attempts every single week for every single team member, and they are using AI to create these simulated emails, and so they’re really smart…

It really creates a risk-aware culture on something that we see as one of the most critical things for us to protect. And by training and practicing every single week, I think it empowers our team members to be able to recognize the real attacks when they come.
