If Blue Wood Chocolate and Kilgore Custom Milling are to develop a risk management framework, who should lead the process at each company? Should a Chief Risk Officer (CRO) be appointed? If so, to whom should he/she report and have access to? How could smaller companies without the resources for a dedicated CRO deal with ERM? What is the role for the board in such a process?