Given the current regulatory environment and the resulting changes going on in the industry today, the chief risk officer has become the most important person in the financial institution.
WolfPAC Solutions Group Director Michael Cohn interviewed chief risk officers at financial institutions across the country to find out how they became a CRO, what skills and experience they bring to the role, and what is expected of them now.
The Role of the Chief Risk Officer: Why You are the Most Important Person in Your Financial Institution
You have been in banking for a long time and most likely been at your current institution for many years. From your role, you probably know the financial institution better than anyone else. One day the call came in: the CEO was asking you to take on the role of chief risk officer (CRO). Or, you saw an opportunity and lobbied for the position, knowing you had the skills and your financial institution had the need. In any case, the institution needed its first CRO and you are it. Now what?
That is exactly the question I asked a number of CROs across the country that I work with, and their answers and insights are captured in this piece.
Given the current environment and changes in the industry, the CRO has become the most important person in the financial institution today. That is because community-based financial institutions are increasingly becoming more risk-oriented in their strategic and operational focus.
In May 2012, the Comptroller of the Currency, Thomas Curry, said in a speech that operational risk now outweighs credit risk as a major concern for financial institutions and regulators. “Operational risks for institutions of all sizes can arise... from flawed risk assessment and risk management systems in the institution,” said Curry. “For community institutions with credit concentrations, a flawed assessment of risk can lead to inadequate controls and insufficient risk management systems.”

Curry continued to focus on the areas of risk affecting financial institutions today when he said more recently, “Effective vendor management programs are not only a regulatory expectation; they are necessary components of effective enterprise risk management.”
The CRO is the key player who makes the enterprise risk management (ERM) program take root and operate effectively. That is why you, as the CRO, are the most important person in a financial institution today.
What is causing you and the position you hold to be needed today more than ever before? There are a number of forces at play that led to the creation of the CRO role you now inhabit. There are the internal forces in your institution that come from the CEO and the Board, and then there are the external forces that come in the form of increasing business complexity and changing regulation.
There are internal forces at your institution that are calling on the expertise and knowledge of the institution that you’ve gained over years of service, perhaps in operations, audit, credit, or IT. These forces are the result of your institution now looking to build and implement an ERM program to be more competitive and financially secure, which has created new needs from the CEO and Board. As the CRO, when you put in place the systems to meet these needs, you are actually fulfilling the three attributes in building an ERM program.
Your CEO Needs Greater Insight Over All Elements of Risk and Compliance
The number and frequency of risk assessment analyses grow every day, mostly spurred on by regulatory expectations. It is obvious that the executives and examiners who review these assessments observe a lack of consistency in the process to complete and report the results, and a lack of integration among the results themselves. Central management and oversight by a risk manager should improve consistency, which will in turn increase efficiency. With more integrated technology systems, greater reliance on third parties, and continued earnings pressures, better information at a lower cost is required today.
Your Board Requires a Holistic View of All Risks
As the institution takes on more risk with the introduction of new products and services, your Board will demand from you a holistic view of all the risks present in the institution, and the level at which they present a danger. To be fully informed, the Board may also require an analysis of the sufficiency of current spending on risk management. As CRO, you can provide this information by taking stock of the current activities and organizing them along the functional risk areas. One of the CROs I interviewed for this piece said, “My goal as CRO is to help management and the Board see a global view of risk.”
The CEO and Board Need a Process to Vet Risks of New Strategies
Your CEO and Board will begin to turn to you as CRO to provide the process to vet the risks inherent in new products and business strategies for the institution. You need not be the executive of “no” but rather contribute a process to vet the merit of new business initiatives. The CEO or possibly another executive will likely be the sponsor of the new initiative. As CRO, your obligation is to tease out the key threats that, if they were to occur, would threaten the viability of the franchise.
There are also significant external forces that are causing you to be needed by the institution. These forces are pushing institutions to be more risk-focused than ever before, which in turn increases the responsibilities of the CRO.
Becoming a $1 Billion Institution
Many community-based institutions have seen steady growth in deposits and assets over the past few years as customers leave regional and money center banks for community-based banks and credit unions. Many small community banks are approaching $1 billion in assets and are therefore facing the increased compliance costs associated with FDICIA compliance. The effort to build this FDICIA program by itself is not so expansive, but, in many cases, it serves as the tipping point for the addition of a risk management position to oversee this and the growing list of new compliance initiatives.
Increasing Regulatory Expectation
Increasing regulatory pressures on community-based institutions are another force causing the institution to establish and formalize the role of the CRO. With continued growth there is likely an increase in operational complexity. To manage the complexity and maintain an adequate level of safety and soundness, regulatory expectations are growing for the creation of the risk management function and the role of a CRO in the institution. As CRO, you must be able to design sustainable processes to mitigate risk, frame the breadth and depth of control testing, evaluate business operations, and participate in the evaluation of new products and business opportunities. New regulations are also causing institutions to rethink their management structure and add a CRO. The newly positioned CRO of an institution with a little more than half a billion in assets said to me, “We had an internal audit and compliance person and that was all. The Dodd-Frank Act was the wake-up call for more structure and resources.”
New Lines of Business
Whether the objective is to put new deposit balances to work, compensate for lower fee income due to reductions in overdraft and interchange fees, or offer more competitive products, your institution is likely growing the number and types of product offerings. These activities increase and broaden the spectrum of risk taken on by the institution. A majority of institutions believe they are conservative in their business practices. The process of change plus the introduction of new products gives rise to a risk shift. You must be able to articulate the level and impact of change to the institution’s risk DNA, and ensure all governance bodies accept the changes.
When these external and internal forces align with the capabilities of an individual who has the qualities needed in a CRO, smart and forward-looking leaders will realize the imperative to create the role of CRO. Your position was created out of a powerful combination of needs and the skills to fulfill those needs, which makes you the most important person in the institution today.
There’s no such thing as a chief risk officer school, and the CROs I spoke with say that they are often the first in their peer group to have this role and therefore have not been mentored or taught how to be a CRO. So, what qualifies a person to be a CRO? The answer lies in the experience you already possess.
After speaking with the CROs, I heard a number of common traits that they say prepared them for the role.
A Long Tenure at the Financial Institution
Having a long tenure at the institution is a major asset for being a successful CRO. You know the institution inside and out, top to bottom. You have been instrumental in putting in place or advising on a number of initiatives and business lines. You also know well the people who need to be encouraged to embrace a more risk-based approach to their work. And, you are respected by the staff, C-suite, and Board, which is crucial because they will look to you for answers and guidance.
A Holistic View of the Institution Gained from Previous Roles
Having a holistic view of the institution is absolutely crucial to being an effective CRO because it is essential in creating and overseeing an enterprise-wide management program. It is extremely hard to walk into an institution and gain this perspective. Instead, it comes from holding positions in the institution in which you must have both an up-close and enterprise-wide view of the business. One of the CROs I spoke with said, “I came from IT security. It’s where risk management was first practiced….I understand the role of the CRO and ERM from my time overseeing IT risk.” This is why CROs who come from positions in credit, operations, audit, IT, or compliance are most effective.
Being Seen as Having Good Judgment and Integrity
The “C” in CRO means you are now part of the executive team. To be effective and add value at the C-level, a CRO must have excellent judgment and integrity. The other executives, whom you may have served in the past, are now turning to you for guidance on business strategy and counting on your sound judgment. In your role as CRO, your reputation for integrity will help you persuade everyone in the institution, from junior associates to Board members, that they must embrace a risk-focused view of their work and trust you when you tell them that you have the institution’s best interest in mind when proposing changes to their work.
Because of the combination of external forces, internal needs, and the qualities you possess, your institution came to an important decision and now you are the CRO.
You are now the most important person in your institution because you are in charge of the most crucial management practice: risk management. The institution’s financial well-being, its ability to improve delivery of products and services, and its survival in an increasingly competitive and regulated environment depend on how well it manages and mitigates risk.
To manage risk effectively and efficiently, you must create, implement, and maintain a robust enterprise risk management program that is adopted by the entire institution. Practicing ERM well helps you manage the internal and external forces that led to you becoming a CRO. Your success will be determined by how you create and execute the ERM programs and processes for the institution, which will be made clear in a positive way by your institution’s ability to successfully avoid excessive risk, or in a negative way if your institution experiences losses due to risk.
Through discussion with CROs of various tenure, it became apparent that the institution will likely adopt one of three operating models for the risk management program. These stages are characterized as Compliance ERM, Integrated ERM, and Top-to-Bottom ERM. It is not necessary for the institution to pass through each stage successively, nor is it necessary to be at the third stage for the institution to receive significant benefit from its efforts and resource commitment. By understanding the strengths and minimum resource commitment at each stage, you and the institution can select an operating model that aligns with its business goals.
Compliance ERM
This stage is characterized by the desire and management practice to organize the various operational risk and compliance programs under a single manager. The manager takes stock of what measures are in place, and begins to oversee the tools being used, which are typically documents and spreadsheets as well as single-purpose business software applications. There may not be significant changes to the risk assessment or communications processes beyond easy-to-implement ideas. The credit, interest rate, and asset-liability management activities continue largely untouched and remain outside the oversight of the operations/compliance risk manager. The compliance, security, and other corporate service managers that contribute to the risk assessments and risk processes may or may not be organized under the operational risk manager. The business objective here is to initiate the alignment and oversight of existing operational risk requirements and common management activities with a single manager.
Integrated ERM
This stage is characterized by the desire to create a more integrated, holistic view of risks and threats. Risk assessment processes begin to standardize, the number and variety of tools tends to reduce, and risk management activities, monitoring, and audit programs become more tightly integrated. Risk management silos start to break down and governance structures align into operational risk and credit risk bodies. Although there may be two risk committees (i.e., operations and credit), they likely share a significant number of committee members. The Board will likely create a risk committee or mandate that an existing committee take responsibility for risk management. It is unlikely that a sustainable risk management program at this stage can be created without the investment in a CRO.
Top-to-Bottom ERM
This stage is characterized by the CRO leading both the operational and credit risk activities. Risk assessment, risk monitoring, and risk reporting are centrally managed in this model. Software tools are multipurpose and used in several functional risk areas, and reporting is consolidated to reduce risk silos and illustrate the interdependency of business activities and interrelatedness of threat scenarios. A management risk committee is active and chaired by the CRO. The key to the CRO’s success is engaging the Board with the results of the risk management program. The CRO also serves as the voice of reason to vet significant new business initiatives with management and the Board to identify significant threats to capital, earnings, and reputation.
Having a risk management program will not be effective if you as the CRO are the only one who believes in its value and practices it. As part of your duties, you must evangelize ERM and get everyone in the institution – from the chair of the Board to the teller in the farthest branch – to embrace it as a practice. Having the title of CRO can help with this, according to one CRO I interviewed who said, “When you are promoted to CRO, it’s easier to change the culture of the institution to be more risk aware.”
Daily risk management activities are crucial as well, and it is important that you develop the techniques or buy the tools to develop a sustainable process for ERM.
With a strong ERM program in place as your foundation, you as the CRO are integral to the future of your institution. When you can use your ERM program to help your institution rise above silos and the degree of threat it poses, it can then be a powerful tool to develop the institution’s business strategy and fulfill its business goals.
One of the CROs said to me, “Risk management is not just housekeeping, it’s thinking ahead of the issues.” When a CRO can create a clear and accurate analysis of the current situation in their institution from the strength of their ERM program and look forward strategically, they have truly become the most important person in the institution. Another said, “This will be known as a definitive era in banking with the CRO in place and enterprise risk management being practiced.”