With an ever-expanding remit and shouldering more strategic responsibility, the chief risk officer’s job is arguably the most difficult in the C-suite. Joy Macknight reports.
The pivotal role that an organisation’s chief risk officer (CRO) plays was underscored when it came to light that Silicon Valley Bank (SVB) had been without one for nine months before its collapse. While not everyone agrees that this was the main contributor to SVB’s downfall, clearly not having someone in such a key position meant the difficult questions that should have been asked weren’t asked.
Recent events have also shone a spotlight on the job’s growing complexity and rapidly expanding remit. While the CRO’s traditional focus was mainly on financial risks, such as credit, liquidity and market risk, they are now expected to have detailed insights into various non-financial risks, including cyber, culture, talent, geopolitical, climate change, reputation, digitisation, regulation … the list goes on, with almost all increasing in urgency.
“Today, the CRO has to know everything about everything at a fairly granular level,” says Mahesh Aditya, group CRO at Banco Santander. “We are now required to understand operations better, what’s going on under the hood and in the trenches of the business, as well as determine what to do about it.”
But they also need to understand how these risks collide. “Over the past three years, we have been simultaneously facing three global crises: a once-in-a-century global public health crisis, a geopolitical crisis — the war in Ukraine, with a likelihood of occurring once every 75 years — and an unprecedented global climate crisis,” says Evgueni Ivantsov, chairman of the European Risk Management Council.
“These three global risks interact with each other and with traditional risks. For example, climate change risk becomes a significant driver of credit risk. The CRO faces the challenging task of managing a wide spectrum of traditional and emerging risks that interplay with each other, creating a unique and dynamic risk landscape.”
Geopolitical risk is certainly top of mind for Annemarie Straathof, vice-president of risk and compliance and CRO at the European Bank for Reconstruction and Development (EBRD), given the impact of Russia’s war in Ukraine on the multilateral development bank’s (MDB’s) countries of operations. But she also highlights the risks associated with climate change.
“MDBs continue to increase their efforts to help clients manage and mitigate these risks,” says Ms Straathof. “Climate change-related risks are, in turn, closely interlinked with the cost-of-living crisis that is a direct consequence of the Covid-19 pandemic.” Within months of joining the EBRD in December 2019, she was leading the Covid-19 crisis management team, which managed the institutional response throughout the pandemic.
Risk and resilience
According to the 12th annual EY and Institute of International Finance global risk management survey, published in January, cyber risk is seen as the top risk priority for the next 12 months, followed by credit and climate risk.
Stefanie Coleman, partner/principal of US people advisory services and financial services at EY, makes the point that the research took place prior to the recent liquidity crisis. “If we were running the survey today, I expect that liquidity risk would feature more prominently. This highlights the fact that the CRO needs to be nimble, agile and able to pivot at any given moment, because the environment is volatile and emerging risks can be unpredictable,” she says.
the CRO needs to be nimble, agile and able to pivot at any given moment
Marc Chiapolino, partner in McKinsey’s Paris office, highlights the need for resilience in the face of these existential crises, so risk organisations can better prepare for such challenges. He says: “There is a need for banks to react quickly and handle new crises for which they have not specifically prioritised.”
Also emphasising the need to build resilience, Jeroen Van Doorsselaere, vice-president of global product and platform management, finance, risk and regulatory reporting at Wolters Kluwer, adds: “CROs need to have the mindset of a problem-solver, preparing for when the next crisis hits. Finding the right risk/reward [balance] for banks is also vital in these times of uncertainty, given increasingly stringent regulatory frameworks for financial institutions.”
Strategic adviser
In tandem with the wide-ranging breadth of risk disciplines that the CRO is expected to understand and manage, the role also has gained a greater strategic importance, according to Karina McTeague, currently a non-executive director and risk adviser, and former CRO at Visa Europe and Lloyds Banking Group, North America, as well as a former Financial Conduct Authority supervision director. She pinpoints the shift in influence as occurring in the aftermath of the global financial crisis (GFC) in 2007–09.
Mr Aditya agrees. “A big change happened following the GFC, when the CRO became much more powerful, and began having free and unfettered access to the board and risk committee,” he says. “The second line of defence was more clearly articulated in businesses and it became clear that the risk manager needed to have a seat at the table.”
Being a strategic partner now needs to become “embedded in their DNA” and part of their daily process, according to Ryan Rasske, senior vice-president of risk and compliance markets at the American Bankers Association. “So much is happening, and so quickly that the senior leadership and the board will need to rely on the CRO to understand the potential impact,” he says.
Has the role become so strategic that the CRO should sit on the board, alongside the CEO and chief financial officer (CFO)? This question is subject to much debate in the industry.
Read more
According to Paul Ford, CEO of risk analytics at the intelligence firm Acin, bank boards are missing something by not having the CRO at the table. “The rate of change, in terms of volume and breadth, as well as the pace of change has increased significantly. Organisations are being shaken in a way that they haven’t been before, and CROs are dealing with a raft of new risks, such as climate risk and generative artificial intelligence (AI),” he says.
“Many are starting to look at the CEO, CFO and CRO as a triumvirate,” he continues. “That’s how I see the role of the CRO evolving. Independent non-executive directors need to know not just how the bank is performing now, but also the outlook and risk it is taking.”
Mr Ivantsov is also an advocate and argues that not only should CROs be board members, but that they should also maintain independence from the CEO’s executive power. He explains: “Similar to audits, CROs should ideally report directly to the board to ensure this independence. This is crucial because many banking failures, such as the case of SVB, occur when charismatic CEOs dominate the business and CROs lack the power to effectively challenge their strategic decisions. Thus, I strongly believe that CROs should be board members.”
However, others do not agree that a CRO’s place is on the board. “I don’t think the CFO or the CRO should sit on the board because we need to fulfil our day job, while directors have a different and powerful role to play,” says Nigel Williams, group CRO at Commonwealth Bank of Australia (CBA). “I have access to the board, but I don’t think I should be a board director. I should play my role as a CRO — that way they can hold me to account.”
Likewise, Mr Aditya is not convinced. Yet both recommend having risk expertise on the board. “Banks definitely need to have one or two risk experts on the board, who have been through the peaks and troughs, as well a couple of credit cycles,” says Mr Aditya. “Without keeping abreast of current risk issues, you could be in a situation where the board doesn’t ask the right questions.”
Essential qualities
To address their wide-ranging remit, CROs need to acquire new skills. Mr Ivantsov says, “Currently, CROs are facing a steep learning curve due to the broad range of skills and knowledge required to manage top and emerging risks. This includes proficiency in areas such as fintech, data protection, geopolitical trends and climate-related legislation. Despite all challenges, I believe that a CRO role is the most interesting role in banking, but at the same time it might be a nightmare role.”
In addition to new skills, a modern CRO needs to have certain key characteristics. One is the ability to quickly determine which issues require getting into the details versus what can be delegated, according to Mr Aditya, which also means having a strong team in place. “In my career, I’ve learned that the more smart people you have around you with subject matter depth in particular areas, the better off you will be. This is because the old idea that you could be an all-rounder doesn’t really work anymore.”
According to Ms Straathof, the modern CRO needs to be forward-looking to have a long-term vision, due to the nature of these emerging risks. “The CRO needs to be agile to anticipate risks and to act in a timely manner, even if some of the mitigation effects might be delayed,” she says. “In order to be a good risk manager today, the CRO in an MDB also needs to be a finance professional, a scientist (including natural and political) and even a philosopher, if you will. Last, but not least, in terms of emotional intelligence, the CRO needs to be resilient, collaborative and compassionate more than ever before.”
There is a real benefit in having a CRO who has come through the ranks and understands the business deeply
Mr Williams, who views risk through the lens of customer trust, says that CROs need an understanding of customer expectations and be curious with an open mind. “The idea of holding strong opinions lightly is important – we need to take on board different perspectives. While something might be fashionable at the moment, the CRO should always be questioning whether it is worth doing,” he says.
Having deep business acumen is essential, according to Ms Coleman, to help CROs effectively manage risks in a contextualised manner. Plus, she believes that they need a level of digital fluency, as many bank CROs are looking to build an agile risk organisation. “This will provide the ability to anticipate how digital disruptors are going to affect the bank, including how the risk organisation is run, as well as identify and deploy digital tools to support the work within the risk organisation as well,” she says.
Similarly, Mr Chiapolino argues that bank CROs need to become technology leaders, not only followers and users, when it comes to AI, etc. “It’s a perfect area to be leading the bank in exploring those new technologies,” he says.
Mr Williams adds that CROs need to empower experimentation. CBA’s controlled experiments with cryptocurrencies, for example, “informed our customer understanding, as well as our understanding around financial crime. If we had not done those experiments, we would not have learned in the same way,” he says.
“At the end of the trials, we decided not to pursue new products in this area. However, it’s important to determine where the boundaries are and then make a decision, rather than not do anything, which would have been the traditional risk approach 10 years ago.”
The talent pool
But what can a bank do if it finds itself, as SVB did, without a CRO? Is there a pool of external CROs, or ‘guns for hire’, out there to fill in on an interim basis?
According to Mr Ivantsov, it uncommon for a bank’s CRO role to be temporary or interim. “I believe this is due to the fact that the role is complex and demanding, and it takes several months before a new CRO can fully comprehend the organisation and perform at their highest capacity. Additionally, the CRO is now involved in critical strategic decisions and is not merely a technical expert, but a strategic decision-maker,” he says.
Mr Rasske says, “I’m not aware of too many institutions that hire an external interim CRO, which could come with its own set of challenges. But it’s better than nothing, at least you have someone at the table that could ask questions and challenge decisions, to a limited extent.”
Beyond whether it is a good idea or not, it is actually quite difficult to hire an interim CRO, according to Ms McTeague, as the chances are something bad is happening at the bank. She says, “But the first hurdle is having a pool of interim CROs who have the toolkit needed to work in a bank. The second is whether there is an interim CRO who’s prepared to lend their brand, because they would be going in for six to nine months to deal with a problem that they don’t yet know the scale and impact of.”
However, as Mr Rasske highlights, a bank should not be without a CRO for long given the criticality of the role. “An institution without a CRO would be better off looking at someone with a CFO or chief operating officer profile, and then provide them with proper coaching and training, rather than leaving it unattended and trying to find someone that might not exist or want to take the role,” says Jan Bellens, global banking and capital markets sector leader at EY.
The obvious solution is ensuring that a strong team and succession planning is in place; however, this area is not as mature as it needs to be. “Something which I don’t see happening very often, and believe needs to be developed quickly, is to foster the role of the deputy CRO — not just for succession planning, but also to build a talent pool for the benefit of the wider risk community,” Ms McTeague adds.
The CRO should be known as that person in the room who will not let something go unnoticed
Recruiting a CRO from outside the organisation is one option; however, from the point of view of a culture that values and retains good people, banks should aim to develop talent internally, says Ms McTeague. “There is a real benefit in having a CRO who has come through the ranks and understands the business deeply,” she says.
But do they need to be a risk professional? Mr Ivantsov believes so. “Two decades ago, individuals outside of the risk management field could become the heads of risk (they weren’t yet called CROs), as the role was not as complex and strategic as it is today. Back then, the head of risk role was commonly regarded as a business support position,” he says. “However, in today’s context, the best path to becoming a CRO is to dedicate a significant portion of one’s career to risk management, as it has become an intricate area that demands specialised knowledge and training.”
While it is possible to recruit a CRO who’s worked in other parts of the business, according to Mr Aditya, they need to have the innate skills and intuition that raises a red flag when there is an oncoming risk. “Such skills are usually acquired early on from risk management training,” he adds. “CROs cannot be afraid of asking questions, no matter how senior they are in the organisation. If either your ego is too big or you’re too shy to ask ‘stupid’ questions, you will just flame out. The CRO should be known as that person in the room who will not let something go unnoticed.”
In Mr Williams’ opinion, one of the key deliverables of a CRO should be to ensure a pipeline of successors. “Not just one successor because the skill set needed at any given time will be contextual,” he says. “At CBA, we rotate our risk teams, so people are developing different skill sets. Today, we’re going to need a broader skill set, including technology, cyber, market, credit, understanding the customers and more. The only person that can build their successors in a rounded way is the CRO themselves.”
