By John Hintze
The position of chief risk officer at financial institutions today is not for the faint of heart — not that it ever was. But CRO responsibilities have broadened dramatically, requiring fluency not only in traditional bank risks but nonfinancial risks, that make the position more demanding but also elevate it into corporate leadership.
Years ago, bank CROs focused on credit, market and other financial risks. Cyberattacks and new technology such as artificial intelligence clearly require prioritizing technology. But risk around private credit, climate change, geopolitics and the impact of social media have also risen to the forefront, and the list keeps growing.
“The job of CRO is becoming more demanding because the scope and complexity of risks that must be managed is expanding rapidly,” says Richard Herring, a professor of finance at The Wharton School.
Playing off of Stephen R. Covey’s The 7 Habits of Highly Effective People, McKinsey & Co. recently published its own list of six essential habits — perhaps more accurately described as tactical and strategic competencies — of successful CROs.
While CROs must still focus on financial risks, “a new era emerged in which CROs faced greater nonfinancial risk amid pressure to boost the bottom line,” the McKinsey report notes.
It pointed to social media as an example, given how it accelerated runs on Silicon Valley Bank and other regional institutions, exposed a systemic risk and prompted rethinking of liquidity and interest-rate models.
The consultancy’s six habits tend to be connected, with several highlighting the broader role that financial-institution CROs have taken, especially in the wake of the COVID-19 pandemic when banks faced a range of new risks. One of McKinsey’s essential habits is engaging C-suite leaders and the board to accomplish business, resilience and risk objectives. Another is treating supervisors as partners and a third is integrating insights across the organization to anticipate future threats and strengthen resilience.
“Today’s leading CROs don’t simply inform the board and the CEO; they become a vital member of the executive team and a trusted adviser to the board,” McKinsey notes. “CROs told us they spend up to 56 percent of their time with the executive team and board.”
To integrate into the decision-making process requires a CRO to develop an understanding of the risks banks’ businesses face, such as cybercrime and the potentially accompanying reputation risk.
“There’s a critical need for CROs to grasp a broad set of risk disciplines; that plays into a deeper relationship with C-suite leaders and board,” says Stewart Goldman, co-head of risk and compliance at executive search and management consultant Korn Ferry.
Goldman points out that a deep understanding of credit, market and other traditional financial risks remains essential for CROs. But those who are also proficient in nonfinancial and emerging risks are playing a more strategic role in banks.
That strategic role, interacting with C-suite leaders, is important not only to help the company to identify lurking risks but also potential opportunities. And it can benefit the risk-management function itself. Herring noted that C-suite executives tend to invest in risk management mostly when risks threaten losses — a conflict that better communication between risk management and executive leadership should lessen.
“A primary responsibility of the CRO must be to stabilize the flow of resources to support the risk management function,” Herring said.
The strategic mindset of the CRO needs to extend beyond the risks themselves to their potential business impact, requiring intimate knowledge of the businesses. Consequently, Goldman says, instead of CROs emerging from the organization’s credit or market risk functions, today they often arrive with a broader set of experiences.
“There have been instances when somebody who spends time in a bank’s complex trading business or in finance has been promoted to CRO,” Goldman said.
Operations, technology and even compliance functions can also provide beneficial experience to aspiring CROs, says Robert Iommazzo, global practice leader, enterprise risk and analytics, at ZRG Partners. A strong commercial acumen is a plus, he adds.
“The ability to sit across the table and say ‘When I headed up this marketing or pricing strategy’ will resonate with the business side,” Iommazzo said.
In fact, treating supervisors across the institution as partners has become a necessity for CROs, according to McKinsey, adding that it gives them distinct vantage and visibility into details across the entire organization as well external trends impacting the institution. They can then integrate those insights to anticipate future threats and strengthen resilience.
Lorie Rupp, CRO, First Citizens BancShares, told McKinsey that it is her “accountability at the top of the house” to generate her own independent, fact-based and data-driven analysis of whether the bank is operating according to its risk appetite.
“I’m the only one who can do that,” she says.
Modern CROs’ broader understanding of risk and how the various businesses operate are also essential for creating and empowering the next generation of corporate leadership, in and outside of risk, as well as championing an overall risk-aware culture — two more McKinsey habits.
The consultancy says that today’s increasingly complex risk environment requires building a bench of talent that’s diverse in terms of work experiences. Purposely shifting staff members in and out of the risk function and between the first and second lines of defense is increasingly common today, as is rotating them around the bank’s geographic footprint. A direct, personal touch is also important.
“CROs told us they spend an average of 34 percent of their time with members of the risk function,” McKinsey says.
Building that diverse bench feeds into CROs fostering a riskaware culture in the organization.
“There’s an element of being the Johny Appleseed around risk awareness,” Iommazzo said. “The firm’s risk appetite and strategy is typically set by the board and CEO, and championing that is the CRO’s role.”
The most effective CROs “relentlessly pursue the north star” and evaluate whether the organization is following it, and that requires thinking beyond the traditional focuses of regulatory compliance and safeguarding the bank. A good first step, McKinsey reports, is reflecting on the company’s strategy, how its business model differentiates it, the areas of most importance, stakeholders’ concerns and what success looks like.
“A CRO who regularly helps the risk organization answer these questions can significantly boost institutional awareness and engagement.”
One might argue that the CRO’s job has become so complicated that it should be divided among several different specialists with a deep knowledge, Herring says. But the board and top executives need someone who can present an integrated view and persuasive analysis of these risks and how they might affect the institution.
“That person should be the CRO,” he says.
Given CROs’ broad purview today and the range of risks that can emerge, CROs are no longer the quants managing financial risks, but more often stepping up as leaders in times of crisis. The sixth CRO habit McKinsey points to is continually monitoring personal effectiveness and taking steps to manage time.
“The CROs recognize that running a risk function is a marathon, with occasional sprints,” McKinsey points out, and exemplifying that philosophy is critical. “How a CRO balances work and life and sets boundaries around each is important to motivating a team — and themselves.”
Goldman says that CROs’ drivers or traits today look increasingly like those of other C-Suite leaders.’
“We have definitely evolved into an environment where CROs are not just subject matter experts but part of executive leadership teams,” he says, adding that includes stepping up to provide leadership during crises. “The best CROs are crisis managers, and they’re able to maintain that vision, direction and communication, even through times of volatility.”
Contributing editor John Hintze frequently writes for the ABA Banking Journal.
