A Chief Risk Officer's (CRO) Role in an Increasingly Changing Global Risk Landscape
Mohammad Salman Khan
Risk Management Transformation Strategist, Advisor & Corporate Trainer - Operational Risk | ERM | Fraud Risk | Technology Risk | Risk Appetite Framework Development
Risk has evolved and grown along with the complexity of institutions. Large global banks as well as small institutions need to understand how risks are interrelated and how a failure in one part of the bank can impact the enterprise. It is the role of the chief risk officer to oversee a risk organization that takes an integrated approach and an enterprise-wide perspective.
CROs are invaluable for building resilient and risk-aware cultures. They know how to identify, prioritize, and mitigate emerging risks and, more importantly, how to build an organization that factors risk into every decision. One of the main differentiators in resilient organizations is that the business of managing risk is considered everyone’s job. With everyone on the lookout for emerging risks and changing conditions, it’s easier to catch issues early. A CRO’s leadership is instrumental in building a culture that spots and responds to early warning signs before they expand into exponentially greater problems.
The CRO takes a higher-level approach than the chief security officer (CSO), who is tasked with overseeing the physical and/or cybersecurity of an organization. The CRO looks at all aspects of risk and how it may affect an organization. This includes physical security and cybersecurity, but also may include financial, insurance, reputational and other risks.
Risk is divided into two main categories: financial and non-financial. The management of financial risks includes credit, market and liquidity risk. These are a risk officer’s bread and butter. Now risk officers also have to cover non-financial risks. These include responsibility for operational, cyber, climate, conduct, compliance, regulatory, reputational, human resources, business disruption, projects, security and financial crime risks among many others. They also decide how much risk a bank is willing to take, i.e., what is the bank’s tolerance for risk, and is a particular project inside or outside that range?
COVID-19 has accelerated the need to ensure that risk functions are flexible, agile and adaptable, but this trend was well under way before the crisis began and will outlast it. Digital and data analytics are fundamental in allowing organizations to react to more stringent regulatory requirements without incurring excessive personnel spending, and chief risk officers need to be sufficiently 'digitally fluent' to understand the options available to them.
CROs should, for example, be able to:
In today's global business environment, risk management must be aligned to business strategy. As companies continue to shift their business models, strategies change and risk management becomes even more important. A company must find the right balance between risk resiliency and risk agility. As the financial industry is becoming increasingly more digital and is using more and more technologies like AI, blockchain, big data, RPA etc., it is critical for CROs and risk management functions to understand technology and to be able to identify and assess the risks and implications related to these technologies.
Furthermore, as financial services institutions become increasingly complex with additional emphasis on efficiency, risk management functions will need to gradually move towards adopting new technologies in their day-to-day activities. This could include incorporating AI and big data in forecasting and stress testing processes, using RPA to automate repetitive tasks (e.g. reporting), making use of cloud and edge computing concepts and better using already existing risk management tools.
Risk management has traditionally been focused more on constraining the business by setting limits and monitoring and reporting risk exposure. In modern risk management, financial institutions should ensure that the risk management function focuses less on constraining the business and more on enabling the business to develop and execute a strategy that is aligned to stakeholder expectations with regards to risk and return.
The objective is not to have the CRO and the risk management function running the business, but rather to make sure that risks the business is or could be facing are properly identified and taken into consideration when taking business decisions. In order to ensure that the risk management function focuses more on supporting the business in the development and execution of its strategy, financial institutions should ensure that CROs have a seat at the “decision making table” (i.e. the Executive Committee or similar) and have easy and quick access to the Board of Directors and/or the Risk Committee of the Board of Directors.
As the global industry deals with emerging challenges, e.g. COVID-19, ESG and geopolitical instability, CROs and their risk management functions will need to significantly enhance their ability to spot future trends in risk exposure. They should incorporate more external data in their reporting and analysis and broaden the scope of data collection to include aspects such as environmental and social impact, geopolitical exposure, risk interconnectedness and public image.
Organisations should also make better use of their own internal data. By employing new technologies such as cloud computing and data processing techniques, financial services institutions should increase the scope of data that they collect and use this to identify trends and future risk exposure.
In a rapidly changing world, it is also fundamentally important for CROs and risk management functions to stay ahead of the curve and understand emerging risks and trends. The use of forward-looking risk indicators can help to ensure that institutions have a good understanding of the risks to their business.
Contrary to traditional CRO profiles, modern CROs will need to have a very broad range of skills, e.g. knowledge of emerging risks and IT concepts, awareness of geopolitical trends, deep understanding of strategy. In addition to this, CROs will only be effective in implementing the right risk management framework within an organisation if they are supported by a set of resources that have the appropriate technical knowledge and mindset.
Ensuring that a business stays relevant in rapidly changing times requires constant evolution in business strategy, but also in the way that it identifies and monitors risk exposure. The CRO is at the front line of this analysis and consequently must continually evolve to meet current and future trends. CROs must also take note of broader social movements and public perception relating to the transition to a low-carbon economy, as well as new challenges such as the surge in activity in digital currencies.
Group Head, Operational Risk @ Habib Bank AG Zurich | MBA, Risk Management
3 years ago
Great write-up, summarizing the skills and needs for a modern CRO. Unfortunately in many organizations, CROs are still being hired from Credit backgrounds and have little or no knowledge or appreciation of Operational Risk; but enjoyed reading your write-up; thank you.
Senior Director, Security/Cybersecurity
3 years ago
Brandon Johnson