By Chartered Banker Institute

The chief risk officer (CRO) role is by no means a well-established one. In fact, it’s widely believed that James Lam became the first person to formally hold this title at GE Capital just over 30 years ago. And since its inception, this position has evolved from solely monitoring risk to having the ability to veto strategic decisions. Today, to say that CROs are of the utmost importance is something of an understatement. Take Silicon Valley Bank (SVB), which folded last year and had been without one for eight months prior to its shock collapse.

Laura Izurieta stepped down from her role as CRO of SVB Financial Group in April 2022, and formally left the company in October. Her permanent successor, Kim Olson, did not join until 4 January 2023, barely two months before the bank failed. It is unclear how the bank managed risks between the departure of one CRO and the appointment of another, and this gap formed part of the Federal Reserve’s investigation into the bank’s demise.

Alan Greenspan, the American economist who served as the 13th Chairman of the Federal Reserve from 1987 to 2006, went as far as to state that better risk management may be the only truly necessary element of success in banking. But what exactly does the function entail? How, for example, are emerging risks tracked and cascaded throughout the organisation?

Three Lines

David Coleman, Vice President, CRO, European Bank for Reconstruction and Development (EBRD), initially looks to answer this question by introducing a 30-year-old concept – the three lines of defence, now known just as ‘three lines’.

The first line of defence, he explains, is everyone. “All of the people in an organisation have to accept that they have a role to play in identifying, reporting, managing and mitigating risks,” he says. “But because many people are given business goals linked to bonuses, that leads to a slight bias away from reporting risk.

“Then we have a second line. These are people who are not rewarded by the business for goals and objectives but are recognised for providing an objective view through an independent reporting line to the CRO.”

The third and final line of defence is the internal audit function. “Here,” Coleman continues, “we have a very small risk assessment team that carries out sample checks and sample audits of the second and first lines of defence to make sure they’re conforming with the policies and are doing what they’re meant to.”

Coleman emphasises that it’s vital to remember that the first line has culture and leadership at its heart. “The first line is the part we are really tackling, and this means that when managing, promoting and rewarding people, their goals and objectives should have a component of risk management.

“And this needs to extend beyond, ‘I have to tell the truth’, and instead it should include how a department and team are run: whether rules are being followed in terms of how payments are arranged, how bookings are recorded and whether four-eye controls are being exercised. It should be all-encompassing and should feature incentives and recognition.”

An All-important Piece of the Jigsaw

Greg Jones, CRO, Europe and Asia Region, TD Securities, shines a light on the structural and minimum-standard policies and procedures that the risk function follows. “These are called risk and control self-assessments (RCSA),” he explains, “and they are the scheduled, structured frameworks and policies we follow – they are essentially the basic level that we should be working with. Think top and emerging risk reviews, reactions to operational events, assessment of lessons learnt and avoidance of repeat events.

“These are carried out to ensure that we meet standard regulatory expectations for risk identification, risk assessment and risk management, and they are growing considerably.” Echoing Coleman, Jones explains that there’s a definite focus on making sure that awareness and attention are key from the start of any contact with a client or a business, all the way through to second-line controls and management, through to third-line assessment and checking.

“These are very much established and are the responsibilities that must be performed,” Jones emphasises. “They are the window through which a regulator looks into a bank.

“Then there’s being reactive. Some banks will call this horizon scanning, and I think that’s where you get the true value.” Jones stresses that in order to succeed here, firms have to have a risk management function that has the capacity, resources, skills and the commercial awareness to look at what is coming ahead – as well as the ability to discuss it with the business.

“The business might tell you that they want to be big in a certain client sector – for example chip manufacturing,” says Jones.

“And the risk function might come back and say, ‘That’s great, but have you considered that this particular chip manufacturer is in the tornado zone in the US?’ You might also have to point out that the weather is getting worse, which means they’ll face physical environmental, social, and governance risks.

“That’s the extra piece [of the puzzle] that’s needed with risk – considering what could potentially go wrong. The risk manager’s job is to look ahead and identify where there might be exposure that might not have otherwise triggered a concern within the business. The function’s ability to do this depends upon the commercial awareness within the team.

“Risk needs to be close to the business and challenging the business. Discussions should be taking place at a commercial level, too. It’s not just about performing the regulator-required tasks.”

Consequences, Resilience and Fielding Threats

Coleman, meanwhile, believes that a key aspect of effective risk management is ensuring that the CRO and the risk team do not become excessively focused on the running of the organisation.

“The inward-looking issues should not be their main focus,” he advises. “Instead, they should have the time, the space and the resource to be looking outwards, networking, intelligence-gathering and future-gazing. This role isn’t about excessive brainstorming, it’s about thinking about the consequences of certain events, and whether the company is prepared.

“Members of the risk team should ask themselves if the firm is prepared for a change of US government, or a change of the national government where the firm is based. Is the firm prepared for the new regulations or for the impact that a war could have on food and energy and inflation?”

Coleman states that the CRO role also has much to do with the resilience of an organisation. “We used to have an office building in central London, in the City,” he recalls. “And that building was of vital importance. We had all of our services and provision of support in that building, including two-thirds of our workforce and a data centre.

“Clearly, we can look back and say that that was not a particularly resilient business model. Nor was it necessarily the most effective, given the fact that many others had already started outsourcing.”

Today, the EBRD has a more complicated business model. “We have a significant reliance on external suppliers for services, including some of them around IT,” explains Coleman. “Our data centre is no longer part of the main building, which is a good idea.

“We’ve also placed some of our support services into our branch network rather than having them in our headquarters. This makes it more efficient but it does mean complications in our business model. We’ve been through a pandemic where we had to learn to operate the entire business model from home, which was something we’d never conceived of prior to Covid.”

What this means, he explains, is that business resilience has taken on a whole new level of complexity. “And although some of the challenges that we went through, including outsourcing and offshoring and having separate data centres, are factors that other companies had been dealing with for many, many years, we all still had to learn how to deal with a pandemic.

“Some people will have regretted where or to whom they outsourced because the world has changed and continues to do so. And just because a firm has outsourced to a major supplier, it doesn’t mean that they will be there every day. These are internal threats, but businesses still need to think about them.”

Eyes on the Horizon

How can businesses ensure that early identification is a priority within the risk function? According to Jones, this starts with the inherent threats that encircle the business. “What controls do we have against those inherent risks? And then, how are those controls performing? What’s emerging and what might need additional controls? That’s a formulaic piece.

“We have business economists and strategists,” he continues. “They’re looking forward. They’re looking at what’s on the horizon, what’s going to affect their portfolios and what their decision is going to be for forthcoming business objectives. But what’s needed is getting that feedback loop into your risk assessment process.”

Capturing and quantifying the risk, he says, is of the utmost importance. “Every bank faces operational risks in terms of resilience, tech platforms and modernisation. Is your company, for example, missing updates? Truth be told, even the biggest banks with the largest budgets probably struggle to keep a resource pool sufficient to continually evolve.”

Banks, he believes, operate best when they push the right level of authority down through the business. “If we suck all authority up to the top, then the processes aren’t efficient. We need – throughout the business – commercial awareness, knowledge, competence, and confidence. And confidence leads to independence, which in turn leads to good control.

“Then those foundation blocks of confidence and independence control enable more authority to be pushed out, and more discretion to move lower down into the organisation. All of this means more effective and more timely responses to the business. This should also ensure that information flows up.”

Ultimately, this means that if the right blend of capabilities doesn’t exist on the lower levels, more processes fall to the mid and high levels, which therefore have to be higher touch. “If this happens,” says Jones, “there will be senior people looking at granular data when they shouldn’t be. Instead, they should be looking at the core consideration operations around the business.

“The lower tiers should be the confident, independent and informed controllers ‘at the bottom’, and they should know what information needs to go up.”

Placing the Last Piece of the Puzzle

“We have access to the business, commercial awareness and access to management – and that leaves one missing piece of the puzzle, which is networking,” says Jones.

“We have to promote networking. We shouldn’t assume that our bank is doing everything in the best possible way. The chances are it isn’t. We also have to push our risk controllers to get a flavour for risk management across the whole market. And you become aware of market standards by networking – by sharing with peers and other banks. You don’t have to try to have facetime with J.P. Morgan. There are other banks that have been through the mill with the US regulators.”

Coleman agrees: “For the risk team to function at its best, time and effort must be devoted to networking. It is vital to have people whose job it is to spend some of their time looking at what others are doing and reflecting on that. They must also think about what’s coming in terms of law, regulation and market developments. They should be looking at what’s happening with clients, from a climate perspective and from a technology perspective – from all perspectives, in fact. Because these factors will change your business model and the business model of your clients.”

Jones concludes: “Some of what your peers do will be world-class and ahead of the game because the regulator will have pushed them to reach that standard. But you don’t just have to talk to the Premiership – there’s plenty that can be gleaned from the Championship and the lower divisions as well.”


This article previously appeared in Issue 2 2024 of Chartered Banker, UK.