The chief risk officer: it’s not just about managing risk costs anymore

COPYING AND DISTRIBUTING ARE PROHIBITED WITHOUT PERMISSION OF THE PUBLISHER: CHUNT@EUROMONEY.COM

By:
Graham Bippart
Published on:

As many banks CEOs, especially in Europe, are still struggling to make their institutions profitable, could it be that turning to the chief risk officer can be part of the solution?

GB-banner-600 no section

Risk: for such a sexy word – and one that serves as the very engine of financial markets – the role of chief risk officer (CRO), on the face of it, doesn’t sound exciting.

However, the position of CRO has changed significantly in the past two decades, and CROs are now playing a fundamental, money-making role at the world’s big banks.

Keeping fines and potentially even criminal investigations at bay might be critical to a bank’s bottom line. So, too, is modelling and monitoring credit and market risks.

But risk departments, in particular CROs, have taken on more and more responsibilities over the years, especially in the wake of the financial crisis.

“Twenty years ago, CROs were generally responsible for credit and market risk,” Paul Ingram, CRO of Credit Suisse International, tells Euromoney.

That list has since grown exponentially, especially since the implementation of Basel II in the noughties. Operational risk developed was yanked from a vague set of largely unquantifiable “other” risks and turned into a discipline – one carrying with it quantifiable consequences in the form of capital requirements and fines for non-compliance.

Cyber risk

Cyber risk has become a notable concern, and one which Ingram says is “creeping in” to the responsibilities of the risk department he oversees. If not a more recent risk discipline, it is certainly a more recently pressing one, as the number of large-scale hacks that wreak havoc on personal lives, livelihoods and even societal infrastructures increases.

For example, the 2012 DDoS attacks on Bank of America, Wells Fargo and others; the 2014 hack of JPMorgan that affected some 80 million customers; the 2016 Swift hack that was a mere typo away from threatening the entire global network of banks.

The risks don’t stop there.

“What is called ‘operational resilience’ has spun out of business continuity and operational risk, financial crime, technology and outsourcing risk – anything with risk in the title, somehow there is an expectation that it will gravitate to risk management as their responsibility,” says Ingram.

Those include: risk appetite, regulatory compliance, risk controls, regulatory capital management, liquidity risk, stress-test strategy, reputational risk, economic capital allocation, risk transparency, counterparty risk and even compensation. That’s not an exhaustive list.

The list of responsibilities has grown so much that it’s virtually impossible for a CRO not to be on the board of directors. Within each risk sub-discipline, the breadth of responsibility has also expanded.

“It was about containment of risks [20 or so years ago],” says Ingram. “Now, CROs are much more involved in the determination of strategy and how it should be executed.”

That includes making sure that the limits on capital utilization set out to the board aren’t exceeded, Ingram says, but also “making sure you aren’t under-utilizing the capital your strategy sets out”.

Risk officers are, in part, responsible for making sure the bank is adhering to its own strategy. 


Since the crisis, CROs have had their hands full implementing a vast amount of regulation. But now that regulation has likely reached its peak, they can use their expertise to help the bank gain a competitive advantage 
 - Gerold Grasshoff, BCG

Indeed, a 2016 survey by EY found 62% of bank respondents thought the key role of risk departments is to link strategy with risk appetite – a fundamental aspect of running a large bank.

“There’s been an elevation of the CRO role within the senior management framework,” says Ingram. “CROs used to report to the finance director, for instance. Now, CROs are on the board.

“I think today, if a regulator or auditor came in and did not find a CRO in the boardroom, it would be something of a faux pas.”

In a recent Boston Consulting Group (BCG) paper, the firm advised that CROs should do even more not just to contain risks, but also to help add value to the business by taking a front-to-back approach to risk across the entire bank.

The globally averaged economic profit – profit adjusted for risk costs – of banks weakened for the first time in five years in 2016, the firm noted, as banks continue to face headwinds such as low interest rates, increased competition (especially from non-banks in some sectors), rising operating costs and digital disruption.

Many of these risks will persist, rendering the role of CRO all the more important to banks’ bottom lines — not just by helping protect institutions from further litigation and by setting appropriate credit and market risk metrics, but by optimizing risk-return profiles and helping direct scarce resources to their most efficient use.

CROs are, or should be by now, masters of bank regulation, having been inundated for years by them. Despite the progress made, that doesn’t show many signs of abating.

Regulatory onslaught

BCG calculates that regulatory revisions – a broad category including “any new local, national, or international policy, ruling, reform, action, law, ban, comment, announcement, publication, or speech that the compliance department of a bank would be expected to note and monitor” – average 200 a day; three times the amount seen in 2011.

But the onslaught of completely new regulations has ebbed considerably, and banks have added resources to their risk and compliance teams. That should help to free up CROs to take a more proactive approach.

“Since the crisis, CROs have had their hands full implementing a vast amount of regulation,” says BCG’s Gerold Grasshoff, a senior partner at the firm. “But now that regulation has likely reached its peak, they can use their expertise to help the bank gain a competitive advantage, leveraging their knowledge to gain more business.”

Regulatory changes have profoundly impacted banks’ business models, and CROs can play a key part in linking up balance sheet and regulatory ratios to P&L management, BCG says, partnering with treasury, finance and business teams to create an integrated framework for balance-sheet management.

They can also partner up with chief financial officers, who sometimes head up data aggregation initiatives set in motion by Basel Committee guidance put out in 2013 (known as BCBS 239) , to grow and unify the oceans of data banks sit on and optimize risk-return profiles, says Grasshoff.

After all, he adds, risk departments were once at the forefront of innovation in credit and market risk modelling, and they can use those methodologies to aid the bank in creating more advanced liquidity, capital and funding consumption metrics.

On the capital front, that will be all the more important as banks begin implementing IFRS 9 accounting rules, which many predict could have a dramatic effect on capital levels when 2018 results are reported.

With their expertise at identifying, monitoring and measuring risks, risk departments can team up with front-office roles to offer risk-based advisory for clients, as well, the BCG report suggests.

The report also suggests collaborating with fintechs and regtechs to create efficiencies in areas such as compliance and reporting and/or digitizing certain risk functions.

It will be the banks with large data pools and the infrastructure to organize and mobilize them that have the leg up in this race. But many banks – particularly in Europe, where it is perhaps needed the most, says BCG – have yet to realise how much their risk departments can add, not just preserve, value. Those that do might well have the edge, especially on the overcrowded continent.