> But just because a company has appointed a CRO doesn’t necessarily mean that it has made risk management a high priority.

Priority or not, it suggests the company doesn't understand risk. In a company that doesn't look at risk-adjusted rates of return as a natural part of how they do things a CRO is mild bad sign.

An analogy might be helpful. Testing code is, with some squinting, a form of institutionalised risk management. Any particular test doesn't necessarily do anything useful, but they apply a certain level of pressure that means the code in general fails less and force people to think more about how they're writing their functions. If a company tells you that it has a special pool of coders who add tests, separate from the ones that write the actual code, that is a bad sign that they know how to do testing. A huge chunk of the value is forcing the person who makes the front line decisions to think about what they are doing. Not to say a dedicated testing team doesn't sometimes make sense in some unusual companies, but it is an exception to the rule. Risk management isn't the type of responsibility that should be separated out into a separate role for most companies because that is much less valuable than the people doing the work being part of a management chain that understands risk.