BarnOwl Info Sharing Insight: The Evolving Role of the CRO to Power Business Performance with Mark Victor & Christopher Palm

August 20, 2021

BarnOwl Info Sharing session: 29 July 2021

The evolving role of the CRO to Power Business Performance

Presented by: Mark Victor, Partner – Deloitte Risk Advisory Africa,
Christopher Palm, Chief Risk Advisor – Institute of Risk Management South Africa (IRMSA)
Facilitated by: Jonathan Crisp, Director – BarnOwl


The pandemic has heightened the importance of proactive risk management in the first line, and executives have challenged the current mandate and functioning of risk functions to proactively drive risk management processes and activities that ensure risk powers business performance, beyond compliance.

This is evident through increased risk uncertainty, the need for organisations to revisit their operating models and ways of work, the increased impact of emerging external risks and the increased demand for risk intelligence to help support decision making.

Risk functions need to reimagine their approach and how they can adopt more agile risk management techniques, by leveraging digital risk solutions and insights and playing a more strategic risk advisory role to business.
Thank you very much Mark and Chris for presenting at our info-sharing event held on 29th July 2021. We had a great turn out. Thank you to all those who attended.

Risk powers performance: from compliance to competitive advantage

In the past, risk management was often an exercise in fear and avoidance, with organisations focused primarily on completing necessary, compliance driven activities. But that’s changing. Many leaders are now viewing risks in terms of their potential to power performance and value.

In Mark’s experience, over the past 24 months, there is a greater focus on the agenda of risk in the Exco. There is an increased determination in understanding the impact of risk, not just from an inside-out view but from an outside-in view and understanding the landscape.

Risk needs to power performance and be at the heart strategy. There is a direct intersect between strategy and risk and yet we still see a disconnect in that risk is either not part of the strategic conversation or is a separate conversation or worse still ad hoc. The strategic conversation is not about a traditional risk process; it’s actually about understanding the current macro-economic and external environments, where is our business going, where is the industry going, having a long-term view of the industry, having an understanding of the geographic and geopolitical context and how this speaks to the global markets and translating this into a synthesized view of the risks and opportunities linked to the business drivers.

For risk transformation to occur, a comprehensive framework needs to be applied to align the risk strategy to how the organisation is managed. Managing risk is about steps to enhance value while meeting core business needs.

The conversation around risk and strategic risk at an exco level, needs to be fundamentally different and must be about outcomes and performance and how this translates into what are we doing from a risk perspective, what are we measuring and how this translates into the impact on strategic objectives, business drivers, value, etc. As Mark mentions, “Whilst this is not a new concept, strategic risk conversations are still too operational. We need to talk to the CEO about strategy; is it right, what needs to change, what are the drivers, implications, taking it further. Do we, as a risk function, have enough of an understanding of the strategy, is the CRO involved in the conversations, do we have an outside-in view?” In addition, we see the increased importance of scenario modelling capability, which in theory is part of the risk management capability but is often done as part of strategy setting in isolation to risk management.

Another consideration is whether we have the right level of maturity for our current and future strategy and what capability and operating model do we need? What needs to be in place to run at an optimal level without being over controlled or over engineered, but still run efficiently. Look at the risks and opportunities and connect them back to capability.

The culture of the organisation is a critical element, however, in Mark’s experience, accountability and ownership is not embedded well enough and the risk function needs to help people understand the risks that they are running and for the business to take responsibility. We still find that the risk function does the work for the business instead of promoting accountability and playing the advisory role.

Chris mentioned the need for us risk professionals to challenge the quality of our conversation at board. We walk away too quickly from understanding our stakeholders, which is the first big job we need to do and to get the conversation with the board to the right level of granularity so that we make sense, and that we link and impact the performance of the organisation.

Evolving risk operating models

‘Thick’ or ‘thin’ risk functions can be considered in two dimensions; firstly, the allocation of responsibilities to the 1st or 2nd line of defense and secondly the allocation of responsibilities between 2nd line group and business level risk functions.

Mark spoke about various lines of defense and the role of the risk function. The risk function is not a validation role and not a directing role. We need to move beyond risk champions with a deeper view and greater level of maturity so that risk takes on the advisory and challenging role. We need an operating model, which supports an agile approach driving accountability, performance and structure and enabling the business to make calls and decisions. Chris mentioned, ‘less hard work on the risk registers and more smart work on intelligence’. We need to be relevant, deliver timeous insight including scenario building and alternative futures, to inform business decision making in complex environments.

Digital risk solutions – the next generation of GRC

Designing and deploying focused digital tools, enables the organisation to be better equipped to Anticipate, Advise and Assure, with a more proactive and predictive response to risk.
Mark mentioned that one of the biggest challenges is that business acumen is lacking in risk functions; the risk function needs to understand the business at a real level of detail, understand the stakeholders, business drivers, have a holistic view of things including an external lens. The risk function requires a digital focus and to leverage digital assets (social media) and to stop focusing all our effort gathering information but rather interpreting the data.

The fundamentals have not changed but the depth of detail needs to change from a superficial level to a detailed level. We need to deliver leading intelligence and foresight, understand the ops models, business value chain, culture, brand, and reputation and drive predictive capability to help business make informed decisions.

The risk function needs to move beyond compliance and inform business decision-making, drive insights right up front rather than after the affect. The risk function must provide insight which helps inform a decision, and rather than focusing on why we should not do something, we should focus on what we should be doing and what controls and balances need to be in place. A proactive view of emerging risks is critical, exemplified by Donald Rumsfeld’s statement regarding known knowns, known unknowns, and unknown unknowns.

External risk sensing and internal risk monitoring

Leveraging external and internal risk data to provide more continuous Risk Intelligence and enable proactive risk management and decision making.
Digital tools and solutions are required to able to focus on specific parts of the business and understand dynamically and continuously what risk exposures are doing and how they affect the value chain. Digital tools provide continuous dynamic insights, pattern recognition and real time insights e.g., lost customers, incorrect products, inventory holding / losses, pricing etc. It is important to understand the risk and level of risk exposure and to link and monitor key risk indicators and key performance indicators on a real-time basis.

From an external context, digital tools for monitoring social media, security ops centres, external sensing capabilities are no longer a ‘nice to have’. This also cannot be manual, as the business requires rapid and up to date insight. Risk sensing is a critical capability.

Building a more capable and resilient organisation.

We need to challenge the extent to which the current organisational capabilities support the strategy, taking into consideration the current levels of maturity of core business components and required maturity levels to deliver sustainable performance.

Do we have the right level of maturity for our current and future strategy and what capability and operating model do we need, taking into account, governance & organisation, systems & data, people & performance and process?

In summary

In summary, risk powers performance. There is an evolving move to properly measure and monitor the full risk universe (internal and external) informed by real-time indicators, understand the connectedness of risks, synthesize this, and understand the impact on strategic objectives and how we grow and protect our business.

Presentation and video links

Please see attached Deloitte presentation here, and the info sharing recording here

Useful and associated links

Contact us
Mark Victor
Christopher Palm
Jonathan Crisp
Cheryl Keller

Thank you

Once again thank you Mark and Christopher for your time and for your informative presentation and thank you to all those who attended our info sharing session. We look forward to seeing you at our next info sharing session. Please keep a look out for our upcoming events at:
Kind regards
Jonathan Crisp
Director – BarnOwl GRC and Audit software

About Mark Victor

Mark is a Partner within Risk Advisory at Deloitte and leads the Enterprise Risk Management Market offering for the Africa firm. Mark has a service line focus on Governance, Strategic Risk and Sustainability. Mark has deep practical experience providing assurance and advisory solutions to clients across the Financial Services, TMT and ERI industries, with a focus on business transformation solutions to Governance and Risk and Internal Audit functions.

Mark has been responsible for developing a number of business lines within Deloitte including Regulatory implementation, Business Risk and Financial Services Internal Audit. Mark qualified as a Chartered Accountant in 1995, and has spent time at Deloitte in Vancouver and Boston, working on a variety of publicly listed and multi-national clients. In addition to serving numerous large listed clients, Mark leads the Risk Advisory TMT sector and is the client leader for one of Deloitte Africa’s Tier 1 clients in the Consumer industry.

About Christopher Palm

Christopher’s passion is to collaborate with risk professionals and other key role players both locally and globally to transform risk management into a key component of excellent decision-making.

Christopher believes that a solid enterprise risk management capability within an entity, supported by a risk-mature leadership, will lead to decisions that will effectively respond to both threats and opportunities facing the business world today and well into the future.

Christopher spent 27 years with a South African Power Utility, of which the last 18 were at senior executive level – from Group Audit Manager and Head of Forensics to Head of Enterprise Risk where he established the Utility’s integrated risk management capability in 2008. His most valuable experience throughout his time was the gaining of world-class risk and resilience knowledge, experience and exposure and how it is challenged in practise.

Christopher’s educational background includes a Bachelor Degree – majoring in Accounting, Management Accounting, Commercial Law, Business Economics and Economics. He also obtained an Honours Degree in Business Economics and Management Accounting. He complimented the above by completing the Executive Leadership Development Programme at Wits Business School.
As the founding Chairman of the IRMSA Risk Intelligence Committee, one highlight was the pioneering of the IRMSA Risk Intelligence Report for South Africa, first published in 2015 and now it is seventh edition.

Currently Christopher focusses on working with risk practitioners, C-Suites and Boards to enhance risk maturity and address the more complex elements of risk management such as integrating strategy, risk and resilience and developing applied risk appetite frameworks. Also, the use of big data resulting in risk intelligence through predictive capabilities, systems thinking and scenario development and analysis.

About Jonathan Crisp

Jonathan Crisp has a BSc Honours in Computer Science, as well a Risk-Based Internal Auditing certification. Jonathan has over 30 years’ experience in the IT industry and is one of the founding directors of IDI Technology Solutions, who are the owners and software developers of the BarnOwl GRC and Audit software solution.
Jonathan is an active member of the Risk Intelligence Committee at IRMSA (Institute of Risk Management SA) and is a member of the IIA (Institute of Internal Audit SA).
You can find more information about BarnOwl at or contact Jonathan at

About BarnOwl:

BarnOwl is a fully integrated governance, risk management, compliance and audit software solution used by close to 200 organisations in Africa, Australasia and the UK. BarnOwl is a locally developed software solution and is the preferred risk management solution for the South African public sector supporting the National Treasury risk framework.

Please see for more information.