While banking digs out of an abyss largely considered to be self created, the executives in charge of abyss-avoidance are feeling the heat of the spotlight, and seeing many aspects of their jobs re-imagined as the industry is remade. And that's just the risk officers that have survived - many haven't. "As a former chief risk officer myself, I think that as a risk profession, we need to do a soul search as to what went wrong, and what changes need to be made," says James Lam, a risk management consultant and former chief risk officer at Fidelity Investments who's regarded as one of financial services' first CROs.
That strategic soul-searching is going on in bank boardrooms and executive suites, but it's the chief risk officers that must carry out the emerging marching orders to accurately asses all forms of risk, and ensure that risk posture is in line with the institution's appetite. CROs are being charged with a broader swath of IT-related risk management, including deeper vendor due diligence and supervision, reconciliations of financial risk reporting among disparate and sometimes feuding bank departments, cross-enterprise data management, and merger conversions that in some cases involve target institutions with troubled risk profiles.
"The job should go beyond technical risk management skills, and also include much broader risk management and strategy, change management, and technology risks," Lam says. "The job has really become a broader executive role."
Since identifying a proper level of fiscal restraint across the enterprise is now in vogue, the CRO also increasingly has the ears of the bank's top executives and board members. "During the boom period, with a lot of focus on pursuing revenue, the authority of the CRO was not as strong," says Ed Hida, a partner with Deloitte, who says that's obviously changed. The seniority of risk managers is increasing - the percentage of CROs at banks reporting to the board of directors approached 80 percent in Deloitte's latest risk management survey. "The authority of the CRO to influence risk decisions has increased significantly."
Shane McGriff, a vp of enterprise risk service for CapGemini's financial services business information unit, categorizes this mashup of management, IT, communication, legal and financial skills as a movement towards an "enterprise risk office." "You need the ability to master the information it takes to monitor risk at the top of the house," he says. "It's a big integration challenge, and the CRO is more active today than ever before in shaping IT strategy."
Cross-Enterprise Collaboration is the New Black
For John Ericksen, chief operating risk officer at PNC, a dose of humility is helpful for the CRO trying to navigate today's complex stew of IT, credit, governance and operational risk.
"If you don't understand something, you better understand that you don't understand," says Ericksen, a 16-year PNC veteran who's been in his current position for the past six years. "You have to be focused on not only the risk/reward ratio, but focused on understanding what that means in aggregate for your company."
Ericksen wears a closetful of hats in his job - he's responsible for overseeing risks as varied as operational risk governance, data analysis, external events, strategic risk elements, information security, privacy, business resilience, and financial intelligence. What's changed dramatically in the past 16 months, Ericksen says, is the responsibility to forge a view of these risks that transcends the bank's individual departments to enable quick decisions based on an enterprise-wide view of exposures.
The magic clay to meld these enhanced responsibilities together is understanding data: how it's collected, its integrity, what it's being used for, its accuracy and making sure the right data management systems and technology are in place to make informed decisions based on portfolio, geographic and customer views. "Are you able to add the right nuances to the information so you can have a thoughtful conversation about it with other staff?" he says, adding the pressures to accumulate more accurate data are enhanced by the need for information that's more regularly updated.
The data-focused strategy has led the bank to invest in advanced enterprise information architecture to bolster financial and risk reporting. "This capability is driven by the requirement to provide more timely access to current and accurate information, supporting immediate decision-making as well as serving as a foundation for risk management analysis," Ericksen says, adding the architecture also plays a role in PNC's BASEL II compliance by enabling risk assessments, scenario planning and analytic requirements.