The Next Big Challenge for Bank Chief Risk Officers
A role many people did not understand less than a decade ago has become integral to how banks navigate a new set of postcrisis hazards.
Cyber threats or fraud may present bigger direct risks to banks, but many chief risk officers spend enormous amounts of time on the more tangible concern of keeping up with ever-growing regulatory expectations and requirements.
While hiring a chief risk officer is a given at the big banks, smaller institutions must weigh several factors and options in determining the risk leadership model that works for them.
The banking industry would scarcely need systemic risk regulation today if it had given the role of the chief risk officer its due in the years before the financial crisis.
As Joe Adler reports in American Banker's latest C-Suite report, the CRO has become a formidable role, one that the most progressive-minded boards and executive teams have leveraged to strategic advantage in the postcrisis period. It's a far cry from the years when risk managers were derided as "business prevention officers" and relegated to bystanders at many institutions.
The CRO position is a relatively new role in the structure of financial institutions, coming into its own in the last two decades with the Basel Accord, supervisory guidance and various regulatory compliance efforts. Looking back, the job description of the CRO varied widely depending on the needs and understanding of the role at the bank.
At some firms, the CRO performed a specialized type of audit function, monitoring the activities of the business for quality of risk controls, processes and risk outcomes. Other companies had the CRO establishing the risk "rules of the road" for the business and then monitoring risk outcomes accordingly. Still others had the CRO more directly involved in strategic business decisions. And in some cases, both corporate and business risk functions existed within an institution.
Over time, as markets began heating up and regulatory authorities adopted a less-is-more strategy of engagement with firms, the CRO position came to an important crossroads. For a number of firms that are now no longer in business, the CRO's stature, reporting line and board engagement were severely limited. In many of these cases (Lehman Brothers and MF Global, for example), the CRO's input was largely ignored if it cut against the grain of senior management preferences.
The meltdown of 2008 changed everything. If, as they say, there are "no atheists in foxholes during war," then during the crisis risk-takers were few and far between. The CRO came out of the shadows and assumed a mantle of responsibility unlike anything experienced by risk managers before. Today, the chief risk officer no longer suffers from an identity crisis.
For one thing, the air cover for risk managers that was lacking for many years from bank regulators is more robust than it was in the precrisis period. Requirements for the largest institutions are much more rigorous in specifying risk governance expectations than ever before (the Office of the Comptroller of the Currency's heightened expectations are a good example of this strengthened focus on risk governance practices). At most large banks today, the CRO in most cases reports to the CEO or board of directors, has executive sessions with the board and is involved in strategic decisions, including recommendations about the firm's risk appetite. More broadly, the regulatory environment, for better or for worse, is vastly more restrictive than it was before 2010, when the landmark Dodd-Frank Act was passed.
While necessity and regulation forced a change in the CRO role at many institutions, it also carried a heavy price. Following the crisis, many CROs were spending more time with regulators than with their business colleagues, and while this has abated somewhat, a good portion of a CRO's time remains taken up with regulatory matters. This unfortunately comes at the expense of building the business and draws attention away from efforts to further enhance risk management controls and processes.
The extra regulatory scrutiny of risk-taking is significantly beneficial to banking and risk management by bringing balance to the industry between risk and return. But at times the government has overplayed its hand by forcing risk governance on firms via regulation rather than through financial incentives such as risk-based deposit insurance premiums.
Banks either have strong risk governance as part of their corporate DNA or they don't. Imposing specific rules on risk governance ensures a minimal structure is in place, but the effectiveness of these requirements is only as good as the board and CEOs want them to be.
Eventually, we'll find out how good that is. The true test of the CRO's new influence will come during the next market expansion. As competition heats up, margins thin and market share is on the line, risk-taking will naturally rise. The age-old tensions will emerge as they always have between achieving business goals and prudently managing risk-taking.
If CROs emerge unscathed in this tug-of-war, it will be a turning point for the position and one that will have lasting benefits for banks and the industry.
Clifford Rossi is a Professor-of-the-Practice and Executive-in-Residence at the Robert H. Smith School of Business, the chief economist at Radian Group and a former CRO at several large financial institutions.