In 1993 James Lam became chief risk officer (CRO) at the firm of GE Capital. It is widely accepted that Lam was the first to hold a formal role with that title, taking his lead from parallels between the position of the chief information officer and the management of organizational risk more generally (Lam 2000; Hanley 2002). The following decade saw a conspicuous growth of discussion about the role (e.g. Conference Board of Canada 2001: 2) and a number of large companies have established a CRO post or its functional equivalent. These positions signify an organizational commitment to a broad conception of risk management in which the CRO assumes responsibility for the oversight of a wide range of risk management and internal assurance activities, operating in a much broader framework than the purchase of insurance (Dickinson 2001; Lam 2003).

Understanding the CRO as an emergent occupational category within the management and regulation of risk requires that ‘analyses of regulation and the sociology of professions can no longer continue to co-exist in ignorance of one another …’ (Dezalay 1995: 6). CROs are both a potential new occupational class and internal regulatory agents or ‘merchants of norms’ in the competitive field of corporate governance, a field in which internal auditors, insurance specialists, credit controllers and others vie for precedence.