Maybe there never was a golden age when it was easy (and perhaps even fun!) to be the chief risk officer (CRO) of a bank. But if there ever was, then today’s CRO must feel that it was a long, long time ago. The challenges that face a CRO today must sometimes make him or her think that it is almost an impossible job.
How did it get to be so tough? We see five main reasons:
1. Scope of risks
The scope of risks that a CRO must cover keeps on growing. Of course, the familiar core issues are still relevant – credit risk, market risk, liquidity risk, operational risk, capital, stress testing etc. But on top of that, a whole panoply of other risks have been added to the agenda as they become increasingly more prevalent including conduct risk, cyber risk, data integrity, digital and sustainability risks. Significant new challenges requiring new skillsets, new policies and processes, and which may test the boundaries between the traditional risk function and other key areas such as compliance and legal.
2. Greater regulatory complexity
To add to this greater breadth, is greater regulatory complexity. Even the core issues have become more complicated, as the post-crisis regulatory revamp has added new complex requirements, such as detailed stress-testing obligations with varying implementation standards across the globe. Moreover, new regulatory rules are becoming increasingly fragmented, and Brexit and Trump are further diverging, rather than levelling, the playing fields for banking. CROs play a key role in joining all these regulations together, optimising investments for compliance and understanding their impact on business models. So many risks and regulations are now interrelated, and not independent. That has big implications for how risks are measured, modelled and mitigated.
3. Scrutiny of risk management
Regulators are putting all aspects of effective risk management under greater scrutiny. While there is no doubt that the design of risk management has improved across the sector, it is unclear whether risk functions are now better able to cope with the next crisis. Boards, particularly Risk and Audit Committees, are under huge pressure from regulators to continuously demonstrate effective risk management, from a comprehensive risk appetite approved by the Board all the way through to the effectiveness of key controls. Just look at the recent struggles which banks in Europe have gone through: AML failures driven by poor governance and controls; fines for failings to counter cyber risks; intense public scrutiny of the customer impact of operational failures, or distress in emerging market economies.
4. Technology is evolving the banking business model
All this is happening when the business model is changing and under real pressure to generate attractive rates of return. New technology is transforming how banks do business. That means that the first line is changing – with an associated need to refashion front-line processes, and therefore bringing new oversight challenges for risk. But it also means that there are new monitoring possibilities for the second line – with function design, management and resourcing challenges. Lastly, profitability pressures impact on risk functions just as much as other parts of banks, pressing on them to deliver more, and at more efficient levels.
5. Pace of innovation
All this must be done at a rapid pace to promote innovation. At every point along the new customer journey, the CRO must manage large and new data sets to improve decisions. New data analytic methods are required to approve credit faster and risk modelling is adjusting to big data and artificial intelligence techniques. Agile ways of working are being adopted, and even robotics are being considered to automate manual tasks in areas such as mass recoveries. Risk processes need to go digital and industry collaboration platforms are in play (e.g. model validation and development).
An impossible job? It’s certainly a challenging one, but one which it would be impossible for a bank not to have. So, in such difficult context, what is the CRO to do? Here are 5 actions we think every CRO should be taking to shape the way forward, rather than be overwhelmed by it:
Action 1: Spend one-third of your time on emerging risks – i.e. the known but not quantifiable risks, and the currently unknown issues that can hit your institution. Your teams know and can handle traditional risks. But as the world is changing and the business model of banking is transforming, so new risks are constantly emerging that require your attention.
Action 2: Regulation is extensive and can be overwhelming but has a purpose. You don’t need to understand all the details of every single rule. But you must build awareness of the portfolio effect of regulations impacting your bank. Consider integrating the Compliance and Risk Functions – to reap synergies through effective integrated compliance plans across Prudential, Conduct and Digital. Finally, manage regulatory relations strategically and monitor key supervisory themes at least on a monthly basis.
Action 3: Relentlessly focus on the effectiveness of your risk management function and risk culture of your bank. Building new risk processes and controls without ensuring they have teeth is neither effective nor efficient. Assess the effectiveness of your risk management function annually and ensure Risk drives accountability in decision making, challenges business lines and provides insights to their most adequate path for risk-adjusted profitability.
Action 4: Profitability is a challenge for the industry. Risk needs to contribute to the profitability agenda. Find ways to deliver 20-30 percent savings in your cost structure over the next two years. Risk is an ideal position to understand risk/reward trade-offs across business lines. Advise the business on opportunities to optimise the use of capital.
Action 5: Lastly, perhaps the most challenging ask. The industry is transforming, and risk must be a catalyst for change and innovation. CROs are not innovators by design. However, risk represents a major area of opportunity for transforming business models using big data for capturing untapped business, and embracing new ways of doing things using artificial intelligence and robotics. CROs should integrate Risk Technology, Data and Modelling units to address the innovation agenda. Collaboration platform opportunities with competitors in areas such as model validation, development or risk assessments should be pursued.
To find out more about how A&M’s Financial Industry Advisory services team can help, please click here.