Chief information officers complain that no one else in the business, least of all CEOs, realises that information is a core risk for a bank and must be managed. The best way is with the co-operation of the chief risk officer, says Chris Skinner.
Recently, we have seen the emergence and recognition of the role of chief risk officer (CRO). Generally, a CRO appears to be the person who has to assess all strategic, operational, financial or compliance-related risks that a business may be exposed to.
Now, I always thought in banking that ‘risk’ was to do with market risk, credit risk and operational risk – but the bank CROs I meet tend only to be concerned with the latter. That is why the general conversations with them focus on things such as pandemics and catastrophes.
Yet the real risks in banking lie with the vulnerabilities of technology, which is why I believe risk and information are the same thing, and the CRO has the same responsibilities as the CIO (chief information officer).
For example, I recently spent a day with a group of CROs and CIOs. One CRO was giving a presentation about the role of risk in a major bank and one of his slides looked at the relationship between risk management and the business functions. His conclusion was that there needs to be more of a business orientation of the risk function, and more of a risk orientation of the business. In other words, risk management is a culture, not a function.
Information risk issues
Funnily enough, you could say the same about technology these days and so, when I went into a separate conversation with CIOs focused upon information vulnerability, business continuity, phishing attacks and so forth, it was interesting that nearly all these issues are risk issues.
CIOs lamented the fact that many people in the business did not understand the risk of data loss or that taking a laptop home could be a serious data breach, as it might hold customer data. They complained that CEOs do not implement a standardised policy across the board and often apply data management policies more stringently for some than others (for example, branch staff can’t take information home while many head office staff can and do). CEOs need to take a single data risk policy across the business and apply that policy to every person in the same way.
The real message that came out from the CIOs is that information is a core risk for a bank, and needs both the CEO and the enterprise to understand and manage these risks.
This reminded me of the CRO’s message that there needs to be a business orientation of the risk function, and a risk orientation of the business. The CIO’s message is a business understanding of information, and an information understanding of risk.
The CIO’s message is a difficult one though – ask any senior representative of a bank about the data risks of their Blackberry or laptop and you get a pretty offensive response. There needs to be a major cultural shift to get to a world where risk and information become synonymous. In fact, the only way we will get there is if CROs and CIOs work together to make it happen.
Chris Skinner is an independent financial commentator (www.balatroltd.com)
