Evolution of the CRO
Role of chief risk officer has changed. Enhanced duties require expanded skill set.
- |
- Written by John Walsh, partner, Ernst & Young LLP, Financial Services Office. (212) 773-8286, [email protected].
“CRO” may not be a newly conceived title in banking, but post-crisis challenges-- including heightened risk requirements, an increasingly volatile macroeconomic landscape and an energized regulatory environment--mean that responsibilities have grown considerably for this officer. Failure to impose adequate control mechanisms over a spectrum of risks invites a loss of confidence among regulators, shareholders, counterparties, and customers.
In many ways, the desired “personality profile” for a CRO has changed. Today’s CRO serves as the voice of the risk function both within and outside a company--which represents a dramatic paradigm shift. The CRO now works with multiple masters, and must have the management and diplomatic skills to successfully work across many more groups within the bank. In short, the executive must be dynamic, charismatic, and confident.
Prime among the new complexities facing CROs is the heightened involvement and expectations of the board of directors. This has required the CRO to build a stronger linkage between the board, CEO, front office, and the risk committee. And this has also prompted the CRO to play a larger role in the eyes of shareholders and other external audiences.
In many ways, the desired “personality profile” for a CRO has changed. Today’s CRO serves as the voice of the risk function both within and outside a company--which represents a dramatic paradigm shift. The CRO now works with multiple masters, and must have the management and diplomatic skills to successfully work across many more groups within the bank. In short, the executive must be dynamic, charismatic, and confident.
Prime among the new complexities facing CROs is the heightened involvement and expectations of the board of directors. This has required the CRO to build a stronger linkage between the board, CEO, front office, and the risk committee. And this has also prompted the CRO to play a larger role in the eyes of shareholders and other external audiences.
Building risk awareness into your culture
Revenue growth was traditionally an autonomous goal. But today profit hopes must be matched against risk appetite across all functional groups. Risk appetite is a board-level issue, and must flow down to all business areas. Thus, the CRO must be intimately involved from the top down in defining and setting a firm’s risk appetite; disseminating it throughout the organization; and making it consistent with the organization’s overall strategy. Accomplishing this means the CRO must facilitate consistent communication of risk appetites, sanctioned by the board and the risk committee, throughout the organization.
Today’s CRO must also set the tone for risk governance and accountability. The CRO must maintain the sense of focus on two key questions: Who must be kept aware of risk management issues? Who can and should approve decisions? This movement toward more information sharing and greater accountability requires the CRO’s constant vigilance.
Not surprisingly, effecting such a shift can require a CRO to employ a nuanced delivery coupled with the right combination of charisma and leadership skills on all fronts: board, senior management, and, even the public domain, at times.
Moreover, as part of the risk governance process, a CRO must be able to converse fluently with employees from all areas of the bank. This will help the CRO not only build relationships, but also enhances credibility when it becomes necessary to question a decision made at the business-line level.
Revenue growth was traditionally an autonomous goal. But today profit hopes must be matched against risk appetite across all functional groups. Risk appetite is a board-level issue, and must flow down to all business areas. Thus, the CRO must be intimately involved from the top down in defining and setting a firm’s risk appetite; disseminating it throughout the organization; and making it consistent with the organization’s overall strategy. Accomplishing this means the CRO must facilitate consistent communication of risk appetites, sanctioned by the board and the risk committee, throughout the organization.
Today’s CRO must also set the tone for risk governance and accountability. The CRO must maintain the sense of focus on two key questions: Who must be kept aware of risk management issues? Who can and should approve decisions? This movement toward more information sharing and greater accountability requires the CRO’s constant vigilance.
Not surprisingly, effecting such a shift can require a CRO to employ a nuanced delivery coupled with the right combination of charisma and leadership skills on all fronts: board, senior management, and, even the public domain, at times.
Moreover, as part of the risk governance process, a CRO must be able to converse fluently with employees from all areas of the bank. This will help the CRO not only build relationships, but also enhances credibility when it becomes necessary to question a decision made at the business-line level.
New data management requirements
The uptick in interaction among different internal stakeholders and committees is invariably a two-way exchange. While the CRO ensures compliance requirements are met and all relevant issues are brought to light, the CRO, in turn, leverages the knowledge of multiple senior executives to solicit views on risk appetite. The CRO’s office then decides how to best spread understanding of that risk appetite across the corporation. Increased cross-pollination of information is intrinsic to the new order, and reliable enterprise data is the foundation for this information.
Many CROs are charged with the responsibility for creating a consistent set of risk data to be used across the enterprise--no small task when very few firms have a single set of source data. This data is used for financial, regulatory and risk disclosures, and to run such critical processes as stress testing and scenario analyses, upon which the risk committee relies. But if the source data is not consistent firm-wide, this could lead to disparities in analyses and conclusions about risk.
The onus falls on the CRO’s office to ensure that all stakeholders can make informed decisions.
Further exacerbating the problem, many institutions that have been formed through mergers and acquisitions often find themselves working with entirely different technology platforms. In these cases, a CRO needs to work with the CEO and other internal constituents to execute strategies for creating unified systems and data sources.
The uptick in interaction among different internal stakeholders and committees is invariably a two-way exchange. While the CRO ensures compliance requirements are met and all relevant issues are brought to light, the CRO, in turn, leverages the knowledge of multiple senior executives to solicit views on risk appetite. The CRO’s office then decides how to best spread understanding of that risk appetite across the corporation. Increased cross-pollination of information is intrinsic to the new order, and reliable enterprise data is the foundation for this information.
Many CROs are charged with the responsibility for creating a consistent set of risk data to be used across the enterprise--no small task when very few firms have a single set of source data. This data is used for financial, regulatory and risk disclosures, and to run such critical processes as stress testing and scenario analyses, upon which the risk committee relies. But if the source data is not consistent firm-wide, this could lead to disparities in analyses and conclusions about risk.
The onus falls on the CRO’s office to ensure that all stakeholders can make informed decisions.
Further exacerbating the problem, many institutions that have been formed through mergers and acquisitions often find themselves working with entirely different technology platforms. In these cases, a CRO needs to work with the CEO and other internal constituents to execute strategies for creating unified systems and data sources.
Guardian of the public image
The CRO’s job undeniably involves facilitating internal communication and studying compliance controls. But there are other tasks that require today’s CRO to take a much wider view of an organization’s risk exposure.
A key area that many CROs formerly didn’t prioritize is reputational risk. But the recent market turbulence has shown that reputation and image can affect many areas of an institution’s business. For example, the strategy of entering or exiting any business carries with it reputational risk, and CROs are also ultimately responsible for forecasting how company decisions such as these may affect public opinion. For example, how will investors and the public react if the firm enters a market or a sovereign entity with a questionable political profile?
The CRO’s job undeniably involves facilitating internal communication and studying compliance controls. But there are other tasks that require today’s CRO to take a much wider view of an organization’s risk exposure.
A key area that many CROs formerly didn’t prioritize is reputational risk. But the recent market turbulence has shown that reputation and image can affect many areas of an institution’s business. For example, the strategy of entering or exiting any business carries with it reputational risk, and CROs are also ultimately responsible for forecasting how company decisions such as these may affect public opinion. For example, how will investors and the public react if the firm enters a market or a sovereign entity with a questionable political profile?
Granted, some CROs are uncomfortable managing this abstract, subjective portion of the risk spectrum. While outside opinion can certainly be measured, creating a cause-and-effect relationship between reputation and quantifiable business performance can seem a daunting task. CROs must keep reputational risk in mind, and realize that making good decisions requires both keen intuition and an ear to the ground—which means actively seeking and monitoring opinions from outside the organization.
Mitigating risk while remaining profitable
The CRO’s role in mitigating risk amid the new Basel capital standards and regulatory reform requirements can best be accomplished by a multi-pronged approach, which can not only ensure compliance checkpoints are met, but can also have the positive ancillary effect of ultimately buoying profits. Key moves that CROs can make:
• Think globally, act locally. The pace of the regulatory change is essentially mapped out by the G-20, as well as most local regulatory bodies in the U.S. However, timetables for the implementation process vary from country to country. Therefore CROs can benefit by observing institutions in other nations that are further along in the process, and leverage lessons already learned.
• Know the current business landscape and how it’s likely to be affected by emerging risk regulations, while maintaining focus on risk/return and the best allocation approach to accomplish this. This doesn’t mean the CRO must study volumes of reports. But it does mean having robust dialogue with department heads to help the firm-wide risk committee pull through and grow the franchise.
• Maintain/Develop fluid information systems, with regard to financial reporting, regulatory reporting, and risk reporting. Banks that have the most efficient, scalable, and cost-neutral information and reporting systems will be well-positioned to respond to the increasingly competitive, lower-margin environment.
The CRO’s role in mitigating risk amid the new Basel capital standards and regulatory reform requirements can best be accomplished by a multi-pronged approach, which can not only ensure compliance checkpoints are met, but can also have the positive ancillary effect of ultimately buoying profits. Key moves that CROs can make:
• Think globally, act locally. The pace of the regulatory change is essentially mapped out by the G-20, as well as most local regulatory bodies in the U.S. However, timetables for the implementation process vary from country to country. Therefore CROs can benefit by observing institutions in other nations that are further along in the process, and leverage lessons already learned.
• Know the current business landscape and how it’s likely to be affected by emerging risk regulations, while maintaining focus on risk/return and the best allocation approach to accomplish this. This doesn’t mean the CRO must study volumes of reports. But it does mean having robust dialogue with department heads to help the firm-wide risk committee pull through and grow the franchise.
• Maintain/Develop fluid information systems, with regard to financial reporting, regulatory reporting, and risk reporting. Banks that have the most efficient, scalable, and cost-neutral information and reporting systems will be well-positioned to respond to the increasingly competitive, lower-margin environment.
How this is working out in practice
The banking industry is very aware of the lessons of the crisis: the importance of managing liquidity; the need to strengthen and institutionalize an appropriate risk culture; and the imperative to always be prepared for the unexpected. Accordingly, much of the responsibility has fallen squarely on the CRO’s shoulders.
But these efforts haven’t resulted in a seamless adoption of the concepts discussed. In a recent survey conducted by Ernst & Young and the Institute of International Finance (IIF), the respondents--62 CROs and senior risk executives--were asked to identify gaps and barriers faced by firms as they work to navigate through the evolving regulatory environment.
The primary improvements they observed include stronger management; increased control of liquidity risk; and refined monitoring and reporting systems.
However, progress seems to have stalled in other areas. These include integration of more holistic and enterprise-wide stress testing and scenario analysis, as well as firm-wide adoption of shared risk-control responsibilities. While more than 70% of interviewees are making progress in their efforts to promote a risk-aware culture, only 23% believe they are nearing the end of the process.
What’s delaying things? The majority of respondents are very cognizant of the obstacles they must overcome before a meaningful risk mindset can truly take hold. Among the major hurdles they cited:
• Decentralization of resources and decision making
• Lack of integrated data management and delivery
• Organizational silos
• Inherent complexities of global operation
The banking industry is very aware of the lessons of the crisis: the importance of managing liquidity; the need to strengthen and institutionalize an appropriate risk culture; and the imperative to always be prepared for the unexpected. Accordingly, much of the responsibility has fallen squarely on the CRO’s shoulders.
But these efforts haven’t resulted in a seamless adoption of the concepts discussed. In a recent survey conducted by Ernst & Young and the Institute of International Finance (IIF), the respondents--62 CROs and senior risk executives--were asked to identify gaps and barriers faced by firms as they work to navigate through the evolving regulatory environment.
The primary improvements they observed include stronger management; increased control of liquidity risk; and refined monitoring and reporting systems.
However, progress seems to have stalled in other areas. These include integration of more holistic and enterprise-wide stress testing and scenario analysis, as well as firm-wide adoption of shared risk-control responsibilities. While more than 70% of interviewees are making progress in their efforts to promote a risk-aware culture, only 23% believe they are nearing the end of the process.
What’s delaying things? The majority of respondents are very cognizant of the obstacles they must overcome before a meaningful risk mindset can truly take hold. Among the major hurdles they cited:
• Decentralization of resources and decision making
• Lack of integrated data management and delivery
• Organizational silos
• Inherent complexities of global operation
Tagged under Risk Management,
