An interview conducted by Maarten Bolk
This is a pre-event interview in the run-up to the Leaders in Finance Risk Event 2025 on 30 October.
Good morning, Owen Strijland, Managing Director at Protiviti. Thank you for taking the time to talk to us in the run-up to the Leaders in Finance Risk Event on October 30th. Could you start by introducing yourself and telling us a bit about what you do daily?
I connect the consultancy organization where I work with the financial sector. I started my career at the former SNS Reaal (now known as ASN) and I’ve always worked at the intersection of digital, risk and compliance. Together with my team at Protiviti, we try to make life a little easier for everyone involved in the CRO agenda and for those working in the broader CRO domain across financial services. That means I spend a lot of time reaching out to clients, helping them connect with each other, and supporting them in organizing and improving governance within their organizations. I’ve been doing this for quite some time now — 22 years.
So you work closely with CROs across the financial sector, from payments to banking and beyond. At this event the focus will be on the CRO role, which will be the central theme. In your view, where does the CRO role stand today, and why is it such an important position at this moment in time?
Very good question. I’ve been talking with CROs with this event in mind since 2024, when I was working with a CRO at one of the Dutch banks. That’s when I started reflecting on how the CRO role has evolved over the past 25 years. It used to be very much focused on credit risk and economic capital, but it has since become what I like to call the guardian — not of the Galaxy, but of all the different types of risk that a financial institution faces.
I believe the CRO role is perhaps the one that comes closest to that of the CEO. You work with data from the past, but your job is also to look ahead. You need to act as a dealmaker within the board, balancing what the organization wants (whether that’s driven by market, geography, clients or products) and aligning it with IT, commerce, and technology. At the same time, you have to deal with regulators, investors and the market.
All those risks eventually converge in the CRO’s domain. Within the board, the CRO must defend the decisions that have been made and guide the ones that still lie ahead. The role also requires building consensus, although compliance isn’t always about consensus. Sometimes it’s simply “comply or die” as we’ve said for many years.
In many organizations, compliance reports directly to the CRO, which makes balancing risk management and compliance even more important. I’m particularly interested to hear the story of Saskia from ASN, for example, because in her case the CRO also oversees compliance. In my view, managing that balance between risk, compliance, and strategy, is one of the biggest challenges for any CRO today.
Last week we met at College Leaders in Finance with Christine Lagarde, where she spoke about the importance of focusing on geopolitical risks as part of the European Central Bank’s policy mandate. I imagine that’s also something top of mind for CROs, who have traditionally focused more on credit and market risks, as you said. How do you see CROs balancing those more traditional risks with emerging ones like cyber, climate, or geopolitical risk?
As I mentioned, I think that balance is exactly the challenge. We all know about DORA, some people even wake up at night thinking about it! It made one thing very clear: the system is deeply interconnected. The financial crisis has already shown us that it is never just one bank or one currency. Whenever something happens in one part of the world, it sends ripple effects everywhere.
Christine mentioned this as well when she spoke about the tensions between Russia and Europe. It is no longer just about one country, instead it is Russia and Europe, Russia and the US, the dollar versus the euro etc. As a CRO, you need to have that systemic view. Like Christine said, it is crucial to understand where the debt of the euro sits and who owns it, where the debt of the dollar sits and who owns that, and how many transactions are being made in each currency to understand the broader risks in the EU and beyond.
But for your own organization, you need to know where you spend most of your money and which third parties are most critical, if something happens in their geography or market. How will AI affect your vendors, not just your own organization? These are the kinds of questions CROs need to ask themselves.
It’s a broad topic, but the CRO’s role is really about understanding those external signals while also assessing your organization’s maturity. How ready are you to adapt to DORA, to integrate AI, and to work with vendors that are already ahead in that journey? Choosing the right partners matters. If a partner is not ready, you risk losing them, and that could jeopardize your own services.
The same applies to clients. Where does your biggest revenue stream come from? Who are your key clients, and in which markets do they operate? How are those markets being affected? The risk map today is no longer like a city map; it’s more like a galaxy map. You need strong informants within your organization from all these different areas to advise you as a CRO, so you can make the right decisions and guide your board on what makes sense given your risk appetite, your strategy, and the regulators you deal with. In that sense, the CRO really becomes the ultimate dealmaker.
Since you mentioned AI, I’m curious to know to what extent you see technology, and AI in particular, as a threat or rather as a tool that helps people become more effective in their work?
AI is a great help in my life. I’m not particularly good at being very structured, and AI really helps me with that. It acts as an assistant. When an email comes in, or when I return from holiday, it helps me go through my inbox quickly and shows me what was most important over the past two weeks. If you look at my inbox, AI handles that perfectly. I’ve been using it since I got Co-Pilot, and it really makes a difference.
For the industry, I think AI will have an impact like what the internet once had. I still remember my first personal computer, a Tulip of course, not connected to the internet and with only a matrix printer. Even that small step already made my studies so much easier. Then came autocorrect, then the internet, and communication suddenly became much faster. AI will accelerate this even further.
We already see it happening. It can transcribe meetings in Teams effortlessly – we’re using it right now. You no longer need someone to take notes because AI can do it better. A lot of technologies will eventually disappear as AI takes over those tasks.
I really liked the remark Christine made. She said that personal qualities such as empathy, connection, and, as she called it, love, remain essential. People work with people. People work for people. People do not work for AI, and AI does not work for people. Maybe at first it feels like that, but we’ll quickly realize it’s just another machine.
If I can give one recommendation, watch the movie Simone with Al Pacino. It shows where AI might take us, or already is?
That’s interesting, especially the comparison you make with the early days of the internet. Of course, the internet also turned out to have a darker side, as we’ve seen in recent years with misinformation. Do you see specific risks in AI as well, particularly when it’s applied on a large scale within financial institutions?
The good thing about AI is that it can handle very unstructured data incredibly quickly, and that’s a huge advantage. Within financial institutions, for example in transaction monitoring, client onboarding, or reviewing large volumes of documentation, AI can process all of that with remarkable speed. But when something goes wrong, even a small issue, and many of those small issues start going wrong simultaneously without being noticed, the overall impact can become significant.
I don’t think AI will cause the next black swan event, but it might create a lot of little ducklings– smaller issues that, within our interconnected systems of data, payments, and markets, can multiply and escalate very fast without being detected. And once that happens, repairing the damage can be extremely difficult.
It’s a bit like what was mentioned yesterday about anti-money-laundering regulations. If you monitor thousands of transactions a day and rely on AI to flag irregularities or suspicious patterns, it can be highly efficient. But if somewhere in the model it starts to hallucinate or miss something, you’re still accountable. You can’t tell the regulator, the market, or your investors, “Sorry, it was the AI model that made the mistake.” Similarly, you can’t simply say, “It was our vendor’s fault; they built it, and it was supposed to be reliable.” That won’t work.
You’re responsible yourself, so you have to be able to explain it, right?
Exactly. You have to be able to explain the decisions the AI made based on the data you provided– that’s crucial. You need to be aware of that risk, especially when AI starts trading on the market or if AI is making decisions for us. However, this is already happening.
I often compare it to waves on the ocean. When two currents meet, they can either clash or, if they move in the same direction, merge and create much bigger waves. The same can happen when AI models start interacting or synchronizing with each other. The effects can amplify and become much larger than anyone expected.
Coming back to what we talked about earlier, about how the role of the CRO has evolved, I’d love to ask you about the future. Over the next five to ten years, what do you see as the biggest challenges and opportunities for CROs in this field?
I think the role of the Chief Risk Officer needs a new definition. The CRO position started as a credit safeguarding role on the board – a counterpart, a different voice, a challenging voice on financial risk. Back then, financial risk was the main concern, and yet it didn’t stop the financial crisis from happening.
I think the pandemic showed that the sector has become quite resilient. If the CRO’s job is to safeguard, educate, and guide the organization from a risk perspective, then that includes all kinds of risk – not just financial, but also environmental, technological, AI-related, and climate risks. These have become just as significant. The CRO should focus more on these broader areas of risk. At the same time, combining that with responsibility for regulation is, in my view, too much.
In large organizations, you often see a CRO and a Chief Compliance Officer working side by side, but in smaller financial institutions, those roles are often merged. The balance between strategic risk – which comes from your products, your geography, your clients, and how you serve them – and regulatory compliance, which is much more black and white, is hard to maintain. Some people may say regulation isn’t black and white but compared to strategic risk it is. Risk, after all, is closely tied to strategy. I don’t think those two roles combine well within one person on a board.
That’s why we need to redefine what the CRO role should be, especially for smaller institutions. It also needs to be a people first role. As digitalization continues to change how we work, a CRO needs to understand who sits on the board, who the key influencers are, and how to work with them – to help them see the risks they are taking and make better decisions because of it.
Is that going to be the most important skill a future orientated CRO needs to have?
Being a dealmaker, yes. But first and foremost, you need to understand the technical side of the job. You need to understand risk management, forward-looking assessment, and horizon scanning. You need to know how to use them yourself, but also how to discuss them with your teams and peers, and how to translate that knowledge for the board.
Within the board, you deal with very different kinds of people. There are owner-founders who you sometimes need to challenge, but you need to know how to do that effectively. There are supervisory boards to whom you may need to explain that something might not be the smartest move to make. And how many former CROs actually sit on supervisory boards themselves? I honestly don’t know. But often, I get the impression that the CRO is the only one who truly understands what risk management is and how it should be governed.
CROs need to be a people person. You need to know how to explain complex ideas to your employees, to your executive colleagues, and to your supervisory board. There is a huge reliance on people skills to do this effectively.
At the Leaders in Finance Risk Event, you’ll be moderating a panel with CROs from Rabobank, Mollie, ABN AMRO, and ICS. What are you hoping to learn from them, and what do you want the audience to take away from that discussion?
It’s interesting when I speak with CROs from clearing banks, from payments, or from larger institutions, they all tend to say they’re unique. One CRO I worked with in 2024, from a large financial institution, said: “If the CRO event only attracts banking CROs, I’m not that interested.” Another one from clearing said, “No, no, we’re too different.”
But I don’t think they’re that different. The role itself, being the guardian of all kinds of risks – and don’t take me too literally on “guardian” – is fundamentally the same. If you can’t clearly explain to the board what the risks are, you’ll inevitably face unforeseen ones. In that sense, every CRO is the guardian, at least of the information needed to take risks responsibly. So when CROs from banks, investment managers, pension funds, or clearing institutions only meet within their own circles, I think they miss out on a big opportunity. They can learn so much from each other: one might be more focused on products, another on ESG, but those perspectives are complementary.
The CRO role is still relatively young, maybe twenty years in the Netherlands, so building a community that brings together all these different experiences is incredibly valuable. From the CRO of Mollie, I can learn completely different things than from the CRO of a big bank. Yet I also see similar interests, similar approaches, and similar challenges, whether in dealing with the board, supervisors, or internal teams.
That’s why I’m looking forward to bringing them all together in one room. I want to ask questions not about their institutions, but about how they see and shape their role as CROs.
We’re creating an opportunity for CROs to learn from each other across different parts of the financial sector.
I hope so. There will be CROs attending from government-owned and government-controlled banks, as well as from payment institutions and larger financial organizations. This is the first dedicated CRO event of its size, and I truly hope we can organize another one next year and attract even more participants perhaps also including other parts of Europe. The role is still relatively new, and in today’s complex market, it’s a very challenging one which makes it essential to learn from one another. A CRO from a payments company can learn from a CRO at a large financial institution–and even more so the other way around.
I think that’s a perfect note to end on. Thank you, Owen Strijland, for taking the time to speak with us ahead of the Leaders in Finance Risk Event on October 30. I’m really looking forward to it.
Uniting the financial sector by discussing pressing topics and enhancing cooperation. That’s what we love to do at Leaders in Finance. By listening, learning, and connecting with others, we accelerate the sharing of ideas, thus powering (upcoming) leaders and organizations to shape the future of financial services.
Each part of the Leaders in Finance Group – Podcasts, Events, Lunches, Academy – has its unique approach. Want to explore how we can benefit your organizational goals? We’re happy to meet and discuss opportunities.
We’d love to keep you informed on the next iterations of this event. Please enter your details below, and we’ll keep you posted!