In 2006, Rodney Sloan was charged with running his bank's enterprise risk management program. First, he had to build one.

"The CEO I worked for at the time said, 'I've been reading about this and hearing it's something companies may want to do, are you interested?'" said Sloan, who has since moved on to fill the chief risk officer title at another bank, the $6.5 billion-asset Heartland Financial in Dubuque, Iowa. "I said, 'I'm interested but I don't know anything about it.'"

But Sloan got the ball rolling. Then, the global financial crisis of 2008 threw a wrench in his plans, as it did for other bank CROs in that period.

"It became much more about crisis management for a period of time than it was about building a forward-looking enterprise risk management system," he said.

"We were so busy simply trying to deal with the aftermath of the economic crisis that the idea of saying, 'Let's prepare for something we're not sure is going to happen' … was definitely on the back burner."

Nearly a decade later, developing sophisticated approaches to deal with troubles yet to come — a mission shaped in large part by the crisis — is very much on the front burner for CROs and other risk managers.

Under regulatory reforms, the biggest banks are now required to have a CRO reporting directly to board members. Even at smaller companies, a CRO's typical duties — assessing risks across an institution and linkages between risk areas; overseeing how employees throughout the bank incorporate risk management in their daily jobs; and advising boards and CEOs about key risks — are seen as essential.

A role many people did not understand less than a decade ago has become integral to how banks navigate a new set of postcrisis hazards. Those include the potential for regulatory problems as well as operational dangers such as a cyberattack. At the same time, CROs are front and center as institutions look for new ways to grow.

"The lessons from the financial crisis are that institutions really need someone at the executive level where their primary focus is on risk," said Parrish Little, executive vice president and chief risk officer at the $2.6 billion-asset HomeTrust Bank in Asheville, N.C. "It's very much a lasting type of role."

But as much as the job has evolved, executives say the CRO position — a relatively new addition to the corporate suite — is still being defined against the backdrop of constantly shifting risks.

Enterprise risk management is "still more of an ongoing journey than it is having reached a destination," said Sloan. "I anticipate that's going to be probably a fairly permanent thing. I don't think that in ERM you could ever say that it's a completed task."

CRO? 'What's That?'

The CRO's origins date to the 1970s and 1980s when policymakers rolled back restrictions on banks setting deposit rates.

At that time, risk management still focused mostly on credit risk, and banks traditionally had a chief credit officer. But the added flexibility on deposit yields led to the hiring of asset-liability managers. In the 1990s, mortgage banking and other fee businesses led banks to think more about operational risk as well. Large banks considered establishing a central risk management office.

"As we thought about it more, it made sense that we pulled all of these risk functions into something like a chief risk officer," said former Federal Reserve Board Gov. Susan Bies, who at the time was at First Tennessee National Corp., which is now First Horizon National Corp.

Bies, now a member of Bank of America's board, became First Tennessee's first chief risk officer in 1995 after filling other positions at the bank, including chief financial officer. But the CRO role was more limited than today.

"We focused mostly on operational risk even though we were called chief risk officers, as the chief credit officer and asset/liability manager reported elsewhere in the organization," Bies said. "We also were developing the enterprise risk management framework."

The largest banks were the first to create the new position. More midsize firms followed in the early to mid-2000s.

But as recently as 2008, many bankers still did not understand what a CRO did and how it was different from positions such as chief credit officer and chief compliance officer.

"I had to educate a lot of people about what it meant, inside and outside the firm," said Nancy Foster, who was the first chief risk officer at CIT Group from 2007 to 2009.

The crisis helped spread awareness of the role, said Foster, now the CRO at Park Sterling Corp., a $2.4 billion-asset institution in Charlotte, N.C., chartered in 2006.

"When you say you're a chief risk officer, people understand that. They don't say, 'What's that?'" she said.

Early on, many CROs came from credit backgrounds and still do. But operational, regulatory and other kinds of non-credit risks now receive more attention in risk management and the backgrounds of chief risk officers tend to vary, including experience in compliance, auditing and consulting.

"Fifteen years ago, the main thing many banks had to worry about was credit risk. The unstated, natural job succession for those banks was chief credit officer to CRO," said Susan Krause Bell, managing director at Promontory Financial Group, a consulting firm. "The CRO in that case would be most knowledgeable on credit and had to supplement to deal with market risk and other categories. Now, risks are more diverse and the overall cost of compliance has gone way up. It takes a lot of resources to do this right."

Direct Line to the Board

If expansion of bank business lines before the crisis introduced institutions to enterprise risk management, the fallout from poor risk decisions made during the crisis advanced the idea further.

A key oversight leading up to the meltdown, CROs say, was underestimating the effects of linkages between risk categories. For example, human errors, typically an operational risk, can lead to compliance lapses or bad credit decisions. A big enforcement action — a direct result of regulatory risk — endangers the bank's reputation.

"In the last cycle, even people who were in the CRO role failed to correlate how one risk either layered or increased risk or had an impact on other risks in the company," said Edward Schreiber, chief risk officer at the $57 billion-asset Zions Bancorp., and formerly the CRO at TD Bank. "Thus, in an aggregate perspective, people misjudged the risk profile of that company and thought it was lower than it actually was."

The lessons of the crisis led more institutions that lacked risk management departments to hire CROs and some that already had risk officers to start fresh. Indeed, the turmoil saw notable examples of large banks replacing their CROs as they attempted to correct problems tied to the crisis. Meanwhile, in other instances, CROs said they were not listened to enough in the period leading up to the meltdown.

Following the Dodd-Frank Act, the Federal Reserve Board — implementing one of the law's provisions — required institutions with more than $50 billion in assets to have a CRO. The Office of the Comptroller of the Currency issued a similar requirement.

"There was a fair amount of turnover of those positions during and after the financial crisis," said Edward Hida, Deloitte's global risk and capital management leader.

Today, bank risk officers focus much more on risk-layering, and a direct reporting line between the CRO and boards — or board committees — is ingrained, especially at the biggest banks. While CROs developed risk frameworks and had some influence before the crisis, their opinion has become a more crucial factor in whether an institution will proceed with a business decision.

"A lot of boards were criticized in the early part of the crisis about, 'Where were you, board, in overseeing management's risk-taking?' The boards turned around and said, 'We need someone focused on this' because they were feeling the pressure," said Mark Beasley, who teaches enterprise risk management and directs the ERM Initiative at North Carolina State University.

"What we're seeing is that banks are not only creating the chief risk officer position but they're ensuring that that CRO has either a dotted line or direct line of reporting to either the audit committee or the risk committee of the board of directors," he said.

Jason Painley, the CRO at The Park National Bank, a $7 billion-asset institution in Newark, Ohio, said the biggest change has been the "visibility of the position."

"The role and the responsibility of the chief risk officer have escalated tremendously since the credit crisis," said Painley, who joined the bank in 2011 and was formerly a Fed examiner.

Previously, Painley said, CROs were assessing risk and advocating for prudent behavior, but the process now is more formal.

"Chief risk officers have always been asking, 'What's the risk?', and always been pushing for practices to be safe and sound and in compliance with laws and regulations," he said. "Probably what has been a fundamental change since [the crisis] is to make sure we document it."

Everyone's a Risk Manager

Following the crisis, Sloan, like other CROs, had to put on hold the work of building risk management infrastructures. The banks were hunkering down to clean up balance sheets, and assessing the prudence of taking new risks was a lower priority.

"I was the chief risk officer but I also had other responsibilities," he said. "A lot of time was being spent on credit risk management, stress-testing, making sure capital was going to hold up."

Since then, risk managers have begun applying the lessons of the crisis to institutions' strategies for moving forward.

"Now that we have had some distance from that cycle, with some education from what the crisis taught us," Sloan said, the objective is "how do we position better to make sure that we don't have something happen to us again?"

Measuring the potential for unknown or unforeseen risks from new ventures — rather than limiting the damage from past crises — has taken on greater importance.

"What has evolved with enterprise risk management is a forward-looking context of risk," Painley said. "It's not testing how well we complied with expectations historically. Now we're trying to be more forward-looking: What are we potentially going to engage in that could expose our organization to risk that we might not otherwise be exposed to?"

Steven Deaton, the enterprise risk officer at the $3.3 billion-asset State Bank Financial Corp. in Atlanta, said the crisis proved the importance of understanding "the risk associated with whatever product" a bank offers.

"Being a chief risk officer in the past was more compliance and regulatory driven," Deaton said. "Today the chief risk officer's primary goal is marrying our strategic objectives to our risk tolerances, and how to grow and achieve the returns we need in a manner with acceptable levels of risk that we understand."

Many CROs agree that success in their job is not measured by how well a top-line executive manages risk, but rather by how well a risk officer's message leads to effective risk management by employees across the institution.

Speaking on a panel with other CROs at an American Bankers Association event this year, Deaton said his bank's strategy has included sending the message to personnel that "every employee of the organization is a risk manager."

"It became an education," he said. "A lot of our folks did not realize that their job was risk management and risk mitigation. They thought their job was only, 'I need to open as many accounts as I can possibly open.'"

Bies agreed. "It isn't the duty of the CRO to manage risk," she said. "It's the duty of every person in the organization to manage risk."
