The biggest misconception in risk leadership isn't held by boards - it's the one the industry carries about itself.
Ask most people what a Chief Risk Officer does, and they'll say something like: "They control risk." It's a reasonable assumption. It's also fundamentally wrong.
That distinction - subtle on the surface, significant in practice - is at the heart of a conversation we had with Paul Gill, CRO at Mortgage Advice Bureau and a board member since March 2025. With over 30 years in financial services, Paul has seen the CRO role evolve from a compliance function into something far more strategically valuable.
So what does the role actually look like today?
It's not about owning risk. It's about improving decisions.
The old model was simple: the CRO owned the risk framework, monitored the metrics, and kept the board informed. Clean. Contained. And, increasingly, not enough.
"The real value of the role is improving the quality of the decisions that are made under uncertainty. Risk leadership is really about making trade-offs visible - between growth, return, and resilience."
— Paul Gill, CRO, Mortgage Advice Bureau
That reframe changes everything. It means the CRO isn't sitting at the end of the decision chain, reviewing what the business has already decided. They're embedded in the process: stress-testing assumptions, surfacing what could go wrong, and helping the business find better paths to the same destination.
The shift from hindsight to foresight
Boards used to want a rearview mirror. Now they want a windscreen.
Paul describes how board conversations have shifted over the last five or six years - driven by pandemic shocks, geopolitical instability, regulatory expansion, and AI disruption. The backwards-looking question ("did our controls work?") hasn't disappeared. But it's no longer the dominant one.
"The board asks: what's coming down the track in 3, 6, 12 months? The growth has definitely been in the 'what are we walking towards, and how do we prepare for that.'"
— Paul Gill
For a CRO, that means being proactive rather than reactive. It means bringing strategic foresight to every board conversation - not just compliance updates.
The "no" problem
Here's where many risk leaders go wrong: they become the person who says no.
It feels like the job. The business wants to do something risky, and you stop it. But Paul's view is that if you're regularly saying no, you've already failed - because you've let the conversation get to a point where no is the only available answer.
The better approach? Ask why and what. Why do you want to do this? What are you trying to achieve? Then work together to find a path that gets there with less unnecessary risk attached.
That's not softening the CRO's role. That's making it more effective.
Boards want clarity, not volume
One of the most practical insights Paul shares is about how information reaches the board - and how much of it is actually useful.
Thick board packs full of metrics aren't the same as insight. Boards don't need everything. They need to know what matters, why it matters, and what's being done about it.
"Boards definitely prefer fewer critical insights than large volumes of reporting. What are you worried about? What do we need to worry about? So what? I use 'so what' with my team a lot."
— Paul Gill
The "so what" test is a simple but powerful filter. If a piece of information doesn't lead to a decision, an action, or a changed view, it probably doesn't belong in front of the board.
What this means for risk leaders
The CRO role has never been more strategically important or more demanding. It requires commercial literacy, relationship management, calm judgment under pressure, and the ability to communicate complex risk in simple, actionable terms.
But at the core of all of it is one shift in mindset: from risk controller to decision architect.
Not blocking the business from taking risk. Helping it take the right risks, in the right way, with the right information on the table.