While banking digs out of an abyss largely considered to be self-created, the executives in charge of abyss-avoidance are feeling the heat of the spotlight, and seeing many aspects of their jobs re-imagined as the industry is remade. And that's just the risk officers that have survived - many haven't. "As a former chief risk officer myself, I think that as a risk profession, we need to do a soul search as to what went wrong, and what changes need to be made," says James Lam, a risk management consultant and former chief risk officer at Fidelity Investments who's regarded as one of financial services' first CROs.
That strategic soul-searching is going on in bank boardrooms and executive suites, but it's the chief risk officers that must carry out the emerging marching orders to accurately assess all forms of risk, and ensure that risk posture is in line with the institution's appetite. CROs are being charged with a broader swath of IT-related risk management, including deeper vendor due diligence and supervision, reconciliations of financial risk reporting among disparate and sometimes feuding bank departments, cross-enterprise data management, and merger conversions that in some cases involve target institutions with troubled risk profiles.
"The job should go beyond technical risk management skills, and also include much broader risk management and strategy, change management, and technology risks," Lam says. "The job has really become a broader executive role."
Since identifying a proper level of fiscal restraint across the enterprise is now in vogue, the CRO also increasingly has the ears of the bank's top executives and board members. "During the boom period, with a lot of focus on pursuing revenue, the authority of the CRO was not as strong," says Ed Hida, a partner with Deloitte, who says that's obviously changed. The seniority of risk managers is increasing - the percentage of CROs at banks reporting to the board of directors approached 80 percent in Deloitte's latest risk management survey. "The authority of the CRO to influence risk decisions has increased significantly."
Shane McGriff, a VP of enterprise risk service for CapGemini's financial services business information unit, categorizes this mashup of management, IT, communication, legal and financial skills as a movement towards an "enterprise risk office." "You need the ability to master the information it takes to monitor risk at the top of the house," he says. "It's a big integration challenge, and the CRO is more active today than ever before in shaping IT strategy."
Cross-Enterprise Collaboration is the New Black
For John Ericksen, chief operating risk officer at PNC, a dose of humility is helpful for the CRO trying to navigate today's complex stew of IT, credit, governance and operational risk.
"If you don't understand something, you better understand that you don't understand," says Ericksen, a 16-year PNC veteran who's been in his current position for the past six years. "You have to be focused on not only the risk/reward ratio, but focused on understanding what that means in aggregate for your company."
Ericksen wears a closetful of hats in his job - he's responsible for overseeing risks as varied as operational risk governance, data analysis, external events, strategic risk elements, information security, privacy, business resilience, and financial intelligence. What's changed dramatically in the past 16 months, Ericksen says, is the responsibility to forge a view of these risks that transcends the bank's individual departments to enable quick decisions based on an enterprise-wide view of exposures.
The magic clay to meld these enhanced responsibilities together is understanding data: how it's collected, its integrity, what it's being used for, its accuracy and making sure the right data management systems and technology are in place to make informed decisions based on portfolio, geographic and customer views. "Are you able to add the right nuances to the information so you can have a thoughtful conversation about it with other staff?" he says, adding the pressures to accumulate more accurate data are enhanced by the need for information that's more regularly updated.
The data-focused strategy has led the bank to invest in advanced enterprise information architecture to bolster financial and risk reporting. "This capability is driven by the requirement to provide more timely access to current and accurate information, supporting immediate decision-making as well as serving as a foundation for risk management analysis," Ericksen says, adding the architecture also plays a role in PNC's Basel II compliance by enabling risk assessments, scenario planning and analytic requirements.
In an environment with heavy IT collaboration, Ericksen says it's not necessarily vital to know how service-oriented architecture (SOA), cloud computing, virtualization and other data management and general tech tools work on a nuts-and-bolts level - but it is important to know why this innovation is necessary, and how a broader set of operational, credit and security risks are served by open architectures and other advancements. "You have to understand what [the CIO] needs and understand the requirements of the business line as well," Ericksen says. "There's a lot of benefits to that; not only the risk profile but the ability to develop products based off of customer behaviors, reactions and experiences."
Wringing the Risk from Counterparties
Many of the risks banks miscalculated in recent years originated in quantitative mistakes and lax oversight in assessing counterparties. That includes outsourcers and other service providers, which expose banks to third-party risk.
The risk will only increase in the future, since outsourcing is getting more complicated: new deals include responsibilities up to and including rudimentary decision-making for tech projects, a far cry from the traditional labor-intensive outsourcing model. "In the past risk management of outsourcing was involved only at the time that a supplier was being onboarded," says Atul Vashistha, chairman and CEO of NeoGroup, an outsourcing consultant, who says vetting outsourcers will require emerging risk management tools and techniques outside the traditional job duties of most CIOs and CROs. "Now risk management for outsourced projects is an ongoing activity because the work is more complex. You want domain expertise, and people who have global experience...who know how work gets done in places like China. You have to know the legal environment in various locales."
It's not just outsourcing partners that are gaining renewed scrutiny; vendor partners of all stripes are under the magnifying glass. Dave Kling's a 42-year veteran of the banking industry, but his first year in the CRO's chair at UMB Financial Corp. in Kansas City has brought a few surprises when it comes to partner risk.
"What many of us didn't envision in the past year was the impact of the economy on service providers, and the fact that these providers also have providers that can run into trouble," says Kling, who previously worked in the bank's control audit and operations units. "So we now have to look at change that's happening downstream and how that can affect us."
Like many banks, UMB is placing a special emphasis on managing the operational and financial risks of its IT counterparties, and is focusing on all links of the supply chain. Beyond yearly inspections of suppliers, UMB will also enhance cross-department policies to track contracts, monitor project performance and inspect the financial viability of all third-party suppliers.
"We want to make sure we know of the risks that are arising as a project is underway, and where we might have issues," says Kling, whose bank has deployed Archer, Emptoris Contracts Management and an SAP general ledger platform as part of its strategy to categorize and control hardware and software. "By working with the tech team closely, we can determine whether to change vendors or add new software...to an initiative."
Career Risk, Reward
CROs are stepping into a brighter spotlight, but they won't have to do it on the cheap: Most analysts interviewed said risk management budgets, staffing and technology at banks were holding steady or actually being expanded rather than downsized in the recession - a recent Aite Group survey of 700 community banks found that 57 percent of respondents said operations risk and related tech investment was a "strong consideration" or a "strong priority" for 2009, says Christine Barry, research director at Aite.
But a higher profile and budget means more probability for blame, and less opportunity for CROs to claim they weren't being listened to; or that there wasn't adequate independence between the risk management function and business line objectives - both common sanctuaries for risk departments to skirt blame for the current crisis.
"I know of places where the risk managers warned of issues before the crisis. But in those organizations, the risk department is being seen as playing a game of 'It was not my fault,'" says Jadev Iyer, managing director at the Global Association of Risk Professionals (GARP). "And on the other side, the risk management department is being told 'You guys in risk management had the resources and technology and the investment in people, and you didn't play a meaningful enough role in stopping the crisis.'"
What should happen, Iyer says, is an evolution toward subjectivity in risk management. He says risk management strategy and related technology projects should be used to provide a business case to upper management to move beyond the reliance on quarterly financial statements that has dominated bank strategy for years.
"Most risk managers understand that we need to get away from a blind reliance on models, for example, with a better use of stress testing," Iyer says. "An enlightened risk manager will make the case that it's time to go beyond return on equity and short-term earnings focus to a focus in which returns are adjusted for risk."
Jack of All Trades
The new paradigm's apparent to John Blakeney, who's responsible for managing IT risks at Missouri's Commerce Bank, a post that now includes tasks that on the surface have little to do with technology, such as managing regulatory risks tied to healthcare payments. Even some of the more ubiquitous bank IT plays, such as automating payments, come with a complex array of new risks as regulations rapidly change - necessitating cooperation with other departments and more sophisticated information gathering. "With HIPAA as an example, there's a lot of new regulatory risk that we have to manage," says Blakeney, who has been in his position for five years.
Even in Blakeney's more traditional role managing security risks, the game has also changed rapidly. Blakeney says he's been learning more about social networking tools as a means to fight against security risks that include deft attacks against databases by increasingly skilled criminals. Blakeney suggests that identifying and controlling these risks requires growing beyond proprietary protective measures. "It's become more important to have contacts with other banks and security companies to know what's going on in terms of Internet crime and what's being done," he says.
Given the myriad and disparate job responsibilities CROs face, it's not surprising that there's no current background or specific skills regarded as the standard "CRO toolkit." But there are some general skills that should be on any CRO's resume. Deloitte's Hida says to handle broader job scope, organizations are looking for seasoned executives that have risk management experience and broader management skills, such as previously running a business line, or making decisions on staffing, delegation and allocation of resources.
"It's critical to have experience in the business of the company, so we're seeing situations where people who have business management experience and a good understanding of risk are being brought into the risk function because of their business experience," Hida says.
And like a commander drawing intelligence from different departments in order to make decisions that ensure the safety and soundness of those departments, a CRO will require at least a working knowledge of almost all business units.
Says CapGemini's McGriff, "[The current environment] puts a higher burden on CROs to have a much stronger business outlook in order to really engage with line of business leaders at a level that's far beyond the 'regulatory' outlook that we've seen in the past."
The Age of ERM
Deloitte's sixth annual Global Risk Survey demonstrates the expanding role of the chief risk officer, but it also reveals there's still lots of room for growth when it comes to enterprise-wide risk assessment programs.
The firm, which polled 111 international financial institutions with combined assets totaling more than $79 billion, found that 78 percent of CROs report to the board of directors and/or the bank's CEO. In 2006, only 42 percent reported to the CEO, while 37 percent reported to the Board of Directors. And 63 percent of institutions have adopted a formal statement of risk appetite. "With the magnitude of the credit crisis and the ultimate losses, boards (of directors) are questioning a number of areas for responsibility - the senior management, finance and risk functions," says Deloitte's Ed Hida. "At the same time the focus has been to strengthen the risk function."
However, the research firm found that only 36 percent of the institutions had an enterprise risk management program, although 23 percent were in the process of creating one. There's incentive to create an ERM program - 85 percent of the institutions that have adopted ERM programs reported the total value derived from the program exceeded the cost.