My name is Evgeny Telenkov; I have worked in risk management for over 15 years — in technology companies, industry and banking. For a time I built a risk management system in one of the Sber group companies and saw up close how risk management works at the head bank. It is not box-ticking and policies on a shelf, but a living, working system. Below are its three pillars.
1. Operational risk and fraud — by the numbers, not by words
The first thing that surprised me was the depth of work on operational risk, in particular fraudulent transactions. The bank does not simply "fight fraudsters". Fraud risk is assessed quantitatively, and protective measures are justified through risk management: the expected losses without a given control are estimated, and that figure is what justifies the investment in it.
The calculation covers not only direct financial losses but also reputational damage and customer safety, so the situation is assessed as a whole rather than as a single line in a report. The system also works with real incidents: data on fraud cases is collected, including from independent sources, and when a risk materialises a fixed chain is triggered: root-cause analysis, reporting, then strict monitoring of how the team implemented the fixes and reduced the risk.
2. The CRO's role — risk management as an equal business partner
In many companies risk is a function inside the finance block, reporting to the CFO. At Sber it is different: the Chief Risk Officer (CRO) reports directly to the CEO. This means risk is not a support function "after the business" but an equal voice at the decision-making table.
Behind the CRO is a large team (around a thousand people work on risk across the group) and the full spectrum: credit, market, operational, model and ESG risks. The high status allows influence over strategy, deals, processes and products — but the CRO also has their own accountability and KPIs. Crucially, they say "yes" or "no" not because "the methodology says so", but because they understand how the decision will affect resilience and profit.
3. Cyber risk — managed at every level
For cyber risk there are quantitative metrics and a risk-appetite statement — clear boundaries that must not be crossed. This means not fighting every threat blindly but acting within a strategy. Cyber risk measures are built by product teams directly into products, and the effectiveness of protection is checked by independent auditors and regular tests — internal and with external experts.
If an incident does occur, it is documented and investigated, and the results are reported to the highest level — the audit and risk committee. Responsibility for cybersecurity is assigned to every employee, from intern to board member.
What an ordinary business can borrow
The scale of a mid-sized business is different, but the principles transfer one-to-one:
- Risk is a participant in decisions, not a "brake". Give risk a voice at the top-management level, do not hide it in the finance department.
- Count risk in money. Justify protective measures through losses prevented — that is a language owners understand.
- Set a risk appetite. Define the boundaries within which you are willing to take risk, so you do not react to everything.
- Analyse incidents. Every failure is root-cause analysis and control of fixes, not a reason to "sweep it under the rug".
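As an added worked example (not part of the original article, and not Sber's own methodology), here is what "count risk in money" and "set a risk appetite" look like once written down for the fraud and cyber risk discussed in sections 1 and 3: fraud losses are modelled as a compound Poisson process (Poisson event frequency, lognormal loss per event), simulated by Monte Carlo with and without a control, the losses prevented are compared with the control's cost, and the 95th-percentile annual loss is checked against a risk-appetite limit. Every figure in it (incident rates, median losses, control cost, the appetite limit, the helper names) is a constructed assumption for illustration.

```python
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class FraudScenario:
    """Loss model for one state of the business (with or without a control)."""
    name: str
    incidents_per_year: float   # Poisson rate of fraud events that cause a loss
    median_loss: float          # median loss per event, currency units
    severity_sigma: float       # lognormal dispersion of the per-event loss
    annual_control_cost: float  # yearly cost of the protective measures in this state


# Constructed, illustrative figures (assumptions, not data from the article).
WITHOUT_CONTROL = FraudScenario("no anti-fraud system", 40.0, 2000.0, 1.0, 0.0)
WITH_CONTROL = FraudScenario("anti-fraud system in place", 12.0, 1500.0, 1.0, 60_000.0)
RISK_APPETITE_P95 = 100_000.0  # limit on 95th-percentile annual fraud loss (assumption)


def poisson(rate: float, rng: random.Random) -> int:
    """Draw a Poisson-distributed event count (Knuth's algorithm; fine for small rates)."""
    limit = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(s: FraudScenario, years: int, seed: int) -> list[float]:
    """Monte Carlo: total fraud loss for each simulated year under scenario s."""
    rng = random.Random(seed)
    mu = math.log(s.median_loss)  # the lognormal median equals exp(mu)
    losses = []
    for _ in range(years):
        n_events = poisson(s.incidents_per_year, rng)
        losses.append(sum(rng.lognormvariate(mu, s.severity_sigma) for _ in range(n_events)))
    return losses


def summarize(losses: list[float]) -> dict[str, float]:
    """Expected annual loss and the 95th-percentile (tail) annual loss."""
    ordered = sorted(losses)
    p95 = ordered[int(0.95 * (len(ordered) - 1))]
    return {"expected": statistics.fmean(losses), "p95": p95}


def business_case(without: FraudScenario, with_: FraudScenario,
                  years: int = 10_000, seed: int = 1) -> dict[str, float]:
    """Justify the control in money: losses prevented minus the extra cost of the control."""
    base = summarize(simulate_annual_losses(without, years, seed))
    ctrl = summarize(simulate_annual_losses(with_, years, seed))
    prevented = base["expected"] - ctrl["expected"]
    extra_cost = with_.annual_control_cost - without.annual_control_cost
    return {
        "expected_loss_without": base["expected"],
        "expected_loss_with": ctrl["expected"],
        "loss_prevented": prevented,
        "net_benefit": prevented - extra_cost,
        "p95_without": base["p95"],
        "p95_with": ctrl["p95"],
    }


def within_appetite(p95_loss: float, limit: float = RISK_APPETITE_P95) -> bool:
    """Risk-appetite check: is the tail annual loss inside the agreed boundary?"""
    return p95_loss <= limit


if __name__ == "__main__":
    result = business_case(WITHOUT_CONTROL, WITH_CONTROL)
    for key, value in result.items():
        print(f"{key:>22}: {value:>12,.0f}")
    for key in ("p95_without", "p95_with"):
        print(f"{key} within appetite: {within_appetite(result[key])}")
```

Two design points worth noting. The business case is argued from expected loss (the number an owner compares with the control's price tag), while the risk-appetite check is made on a tail quantile, because a boundary "that must not be crossed" is about bad years, not average ones; a control can pay for itself and still leave the tail outside appetite, which is exactly the case where the appetite statement, not the ROI, should drive the decision. Both scenarios are run on the same seed so that the difference between them is not swamped by simulation noise.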
Mature risk management is not bureaucracy but an environment in which both stability and growth are possible.
FAQ
Who is the CRO and how do they differ from the CFO?
The CRO (Chief Risk Officer) leads the risk function. In a mature model they report directly to the CEO, are responsible for all types of risk, not only financial, and take part in strategic decisions on equal terms with the business.
What is risk appetite?
It is the predefined boundaries within which a company is willing to take risk to reach its goals. A risk-appetite statement helps prioritise rather than react blindly to every threat.
Does this apply to small and mid-sized business?
Yes, in a simplified form. You do not need a thousand people — you need the principles: a voice for risk in decisions, risk valued in money, clear risk boundaries and incident analysis.