Attempts to professionalise risk management through certification schemes have reopened discussions about the evolving role of the chief risk officer. Asa Gibson reports