Across the country, community banks are adopting risk management practices to mitigate losses and become more efficient and competitive. While some banks are conducting the risk management function by committee, others are choosing to hire their first chief risk officer. There is no hard and fast rule as to how a small bank should run its risk management department, but there are external and internal factors that can influence a bank's decision on whether or not to go the CRO route.
The first internal factor involves the mindset of the bank's existing executive team. As a financial firm grows, becomes more complex, and draws increasing scrutiny from regulators, a CEO may feel he or she needs a CRO. The CEO will want that CRO to improve the risk management process and make it more consistent, efficient and centrally managed.
The board of directors may also decide it needs a CRO to be the point person in providing a central view of the banks' mounting threats and their relative level of danger. The board will want answers on whether the current spending on risk management is effective and if it's getting results. The CRO would be on hand to provide a cost analysis by measuring risk management activities and organizing them along functional risk areas.
Together, the CEO and the board may need a CRO to centralize the internal risk management processes and identify and measure the relative inherent risks when they look to implement new products and business strategies. The CRO could be the trusted voice that tells the C-suite and the board what the key risks are and how they will threaten the bank.
There are also external forces that are driving community banks to consider investing in their first CRO. Competitive pressures to introduce new products and the adoption of new technologies raise a bank's risk profile. In fact, our experience suggests that an increase in the number of products and services has a larger impact on the banks' risk profile than adding customer usage of existing products.
Banks expanding their product lines may find that a CRO is needed to articulate to all managers the shift in risk profiles that will occur. A CRO could be on hand to ensure control and monitoring procedures keep service quality high and losses low.
Reaching the billion dollar mark requires a community bank to become compliant with the Federal Deposit Insurance Corporation Improvement Act. This need often prompts a bank to install a CRO to oversee this and other important compliance initiatives.
As the bank continues to grow and becomes more complex, so does the regulatory expectation that its risk management function is formalized. There is also the increasing expectation that a CRO be present to create and sustain the processes to mitigate risk and frame the extent of monitoring and control testing.
There are also positive outcomes associated with having a C-level executive lead the risk management function. For instance, a CRO can manage, lead and advise the bank across three dimensions that make up enterprise risk management.
The first dimension is risk management operations where a CRO can help break down silos around functional risk areas to create the holistic, enterprisewide view of risks, threats and controls.
The second is improving risk management financing. A CRO can create a system to measure the cost of risk management to then make it cost less by accurately measuring the threat level and effectively allocating the right amount of money to each risk.
The third dimension is risk management and oversight where, as the bank grows, the CRO can manage and initiate the risk management governance process as it matures from compliance risk oversight to alignment with strategic planning and development.
Every bank must assess its needs, strategy and vision for the future when weighing whether to install a CRO or continue to practice risk management by committee. By assessing its internal needs, planning how to deal effectively with the external pressures and weighing the value of a good CRO, banks can make an informed decision on who guides their risk management program.
Michael Cohn is the director of the WolfPAC Solutions Group at Wolf & Co. PC. He is responsible for the strategic direction of the group and provides enterprise risk management (ERM) advisory services and board training to community-based financial institutions.