Risk Strategy
In-House or Outsourced: Who Should Own Risk at a Mid-Market Company?
Hire, build, or outsource? A practical build-vs-buy guide to owning enterprise risk at a mid-market company, and what each option actually costs.
By Eric Kennedy · Tue Jun 16 2026 · 8 min read
TL;DR: Outsourced risk management means running some or all of your enterprise risk program through an outside partner instead of a full-time internal hire. For most mid-market companies, the real decision is not which consultant to pick. It is whether to hire a risk leader, build the program with the people you already have, or outsource it on an ongoing basis. For companies in the $50M to $500M range, the honest answer is usually a blend, because the workload is too real to keep ignoring and too small to justify a full-time chief risk officer. This guide lays out the three options, what each one actually costs, and how to decide.
There is a version of this question that gets all the attention: once you have decided to bring in outside help, how do you choose the right firm. That matters, and it has its own answer. But it is the second question. The first one, the one most mid-market CFOs are actually sitting with, is more basic and more consequential: should we hire someone to own risk, build the capability ourselves, or bring in outside help at all.
Get that decision wrong and the firm-selection question never comes up, because either you have overspent on a full-time seat the workload does not support, or you have quietly defaulted to the option nobody chose on purpose: piling risk onto the CFO's plate and hoping it gets handled between everything else. That default is the most common outcome in the mid-market, and it is the one that fails most often.
Who owns risk in the mid-market right now
In most companies, the answer is the CFO, by default. Surveys of finance leaders consistently find that CFOs are now expected to lead or co-lead enterprise risk, and KPMG's research on private-company CFOs describes the same pattern: the CFO is increasingly the one asked to bridge the gap between the functional risk owners and the board. The dedicated chief risk officer role exists, but it has historically been concentrated in financial services and larger organizations, and it is only slowly expanding beyond them. Most mid-market companies do not have one, and most do not need a full one.
So the work lands on the CFO. The problem is that "the CFO will handle it" is an intention, not a program. The actual work is specific: a real risk assessment, a risk appetite the board has agreed to, a quarterly reporting cadence, and a register that stays alive instead of going stale the week after it is built. That is a risk program, not a risk document, and it needs an owner with time and method. The build-versus-buy question is really a question about who that owner is going to be.
The three ways to own it
There are three honest options. Most of the confusion in the mid-market comes from treating them as one.
Option 1: Hire a full-time risk leader. Bring on a chief risk officer or director of risk who owns the program end to end. This is the right call when the risk profile is genuinely complex, when you operate in a regulated environment that demands a dedicated seat, or when you are scaling fast enough that the workload will be full-time and sustained, such as a company moving deliberately toward an IPO. It is the wrong call for most of the mid-market, because the workload does not stay full-time. You end up paying a senior, year-round salary for a job that is busy four times a year and quiet in between.
Option 2: Build with the team you have. Keep ownership inside the company. The CFO, controller, or general counsel sponsors the program, a small cross-functional group does the work, and often an outside consultant is brought in to stand the program up and then hand it off. This fits when budgets are lean, the risk profile is manageable, and you have a capable bench with actual capacity. The failure mode is predictable: the designated owner has a day job, the program competes with it and loses, and within a year the register is out of date and the cadence has quietly stopped.
Option 3: Outsource on an ongoing basis. Engage an outside risk leader on a retainer who runs the program and the board cadence without the cost of a full-time hire. This is the fractional model that finance already knows from the fractional CFO, applied to risk. It fits the most common mid-market situation: a workload that is real but part-time, an expertise gap you cannot fill internally, and a need for continuity without committing to a permanent senior salary.
The build-versus-buy math
The reason this decision trips people up is that they compare the wrong things. The instinct is to compare total cost, so the full-time hire looks expensive and the do-it-yourself option looks free. Neither read is right, because the real variable is not how much each option costs. It is whether the shape of the cost matches the shape of the work.
Mid-market risk work is spiky. It clusters around board quarters, insurance renewals, audit cycles, and diligence events, and it goes quiet in between. A full-time risk leader is the opposite: a fixed, year-round cost. Public compensation data puts a chief risk officer's base salary anywhere from the high five figures into the mid six figures depending on company size, industry, and location, and that is before the fully loaded cost. A common rule of thumb is that benefits, bonus, and payroll taxes add another 25 to 40 percent on top of base. Add ramp time before the new hire is productive, and a full-time seat is a large, permanent commitment against a workload that, at most mid-market companies, is not permanent in size.
The do-it-yourself option is not free either. Its cost is just hidden in the opportunity cost of the CFO's time and in the price of the program decaying when attention runs out. Project consulting carries a one-time fee for a defined build. Ongoing fractional or advisory support is a monthly cost that scales to the actual workload and typically lands well below a full-time hire. The point of the comparison is not to find the cheapest line. It is to stop paying for a full-time cost structure to cover a part-time need, or to stop pretending an unstaffed program is free.
How to decide
A few factors separate the companies that should hire from the companies that should outsource or build. Run your situation against them honestly.
Workload. If risk work is genuinely full-time and continuous, hire. If it is real but concentrated in a few periods a year, a full-time seat is overkill and a fractional or built model fits better.
Expertise on hand. If you already have someone who has stood up a real program before and has the time to run it, building internally is viable. If you would be asking a capable but inexperienced owner to learn the discipline on the job, outside help shortens the path and avoids expensive false starts.
Regulatory and diligence pressure. If you are private-equity backed, moving toward a transaction, or in an environment where a board or an acquirer will test your risk program, the bar is higher and the case for dedicated expertise, hired or outsourced, gets stronger.
Continuity. A program that runs on one internal person is one resignation away from starting over. If continuity matters and you are not ready to hire for it, an ongoing outside partner is the way to get it without the headcount.
The blend that usually wins for the mid-market
For most companies between $50M and $500M, the answer is not a single box. It is a sequence. Bring in outside help to build the program correctly the first time, so the assessment, the appetite, and the reporting are sound. Name an internal owner to run the day-to-day, so the program lives inside the business rather than outside it. Keep a fractional or advisory relationship in place to maintain the cadence, prepare the board materials, and keep the whole thing honest as the business changes.
That blend solves the two failures the pure options run into. It avoids the decay of the do-it-yourself approach, because someone outside is accountable for keeping it current. And it avoids the overspend of the full-time hire, because you are paying for the workload you actually have. It also builds internal capability instead of permanent dependency, which is the difference between a healthy outside relationship and an expensive one.
Once you have decided that outside help is part of the answer, the second question finally becomes the right one to ask, and choosing the firm well matters as much as deciding to engage one. That is its own evaluation, and it is worth doing carefully, which is exactly what the buyer's guide to selecting an ERM consulting firm walks through.
The bottom line
The expensive mistake in mid-market risk management is not picking the wrong model. It is never picking one, and letting risk stay an unowned line on the CFO's overflowing plate until a surprise, a diligence request, or a hard board question forces the issue. Decide on purpose. Hire it, build it, outsource it, or run the blend most mid-market companies should. Match the cost of the answer to the real shape of the work. The company that owns its risk deliberately is the one that handles its next bad day without scrambling to explain who was supposed to be watching for it.
Where to Start
Before you decide whether to hire, build, or outsource, it helps to know how mature your risk program is right now. The KRG Board-Ready Risk Reporting Scorecard gives you a tier-level read in about six minutes, with no email required to see your score. If you want an independent, practitioner-level assessment of where your program stands and what it would take to close the gaps, the ERM Program Diagnostic is a one-to-two-week engagement built for mid-market organizations.
Take the ERM Scorecard{.cta-primary} Explore the ERM Diagnostic{.cta-secondary}
Frequently Asked Questions
Does a mid-market company need a chief risk officer?
Usually not a full-time one. Most companies under $500M in revenue run enterprise risk through the CFO or another designated owner rather than a dedicated chief risk officer, a role that has historically been concentrated in financial services and larger organizations. A full-time CRO is typically justified by genuine regulatory complexity, large scale, or a fast trajectory toward going public, not by mid-market size alone.
What is the difference between a fractional chief risk officer and a risk consultant?
A project consultant is engaged to build or fix something specific, deliver it, and leave. A fractional chief risk officer stays on an ongoing basis to run the program and the board cadence at a fraction of a full-time cost. The difference is shape: one is a one-time build, the other is continuous ownership without a full-time hire.
How much does outsourced risk management cost compared to a full-time hire?
A full-time risk leader is a six-figure base salary plus benefits, bonus, and payroll taxes, where a common rule of thumb adds 25 to 40 percent on top of base for fully loaded cost, and it is a year-round commitment. Project consulting is a one-time fee for a defined scope. Ongoing fractional or advisory support is a monthly cost that scales to the actual workload and typically lands well below a full-time hire, which is why it fits the part-time-shaped workload most mid-market companies have.
Can't the CFO just handle risk management?
The CFO usually does own it by default and is the right executive sponsor for the program. But owning it in name is not the same as running it. The work needs dedicated time and a repeatable method, and most CFOs do not have the bandwidth to build and run a real program alone on top of the finance function. That is why the practical question is who supports the CFO, not whether the CFO is involved.
When should we build risk management internally versus outsource it?
Build or hire when the workload is large and sustained, the risk profile is complex or regulated, and you have budget for a dedicated senior seat and someone capable to fill it. Outsource when the workload is real but part-time, you need expertise you do not have in-house, or you want continuity without a permanent salary. Most mid-market companies land on a blend: outside help to build it, an internal owner to run it, and ongoing advisory support to keep it current.