Does Every Bank Need a Chief Risk Officer? Maybe Not

Your bank is approaching or has crossed $1 billion in assets. The institution has qualified managers each overseeing a distinct risk category, but there is no bandleader. Should you hire a chief risk officer?

That question is easier for big banks, where complex risks and regulatory pressures make the need for a CRO obvious. But smaller institutions must weigh several factors in determining whether to hire a single risk management leader, and the answer is not always yes.

The CRO is "more embraced in banking, but I don't think it's totally embraced," said Mark Beasley, who teaches about enterprise risk management and directs the ERM Initiative at North Carolina State University.

The concept of hiring a CRO is definitely more popular today than before the crisis. But institutions still follow various paths. Banks looking to grow see the CRO role as essential. Others believe a team of managers, such as the chief compliance officer, can manage risks. Some appoint a CRO who also fills other roles.

"Being that we're a small bank, a lot of us wear different hats and sit on many of the same committees," said Diane Murray, the chief risk officer at the $511 million-asset Empire National Bank in Islandia, N.Y., who also is the bank's deputy compliance officer and serves as the liaison with the bank's external auditor.

Banks' interest in developing "enterprise" risk management frameworks — meaning risks are managed across the institution rather than in individual silos — began to take hold in the 1990s. But ERM, as well as hiring a CRO, did not really emerge at smaller banks until the lead-up to the financial crisis.

While the crisis only reinforced the draw for institutions to manage risk holistically and build out a risk management department, many executives and other observers say it can still be sufficient for some institutions — with stable profiles and limited personnel resources — to manage their risk by committee without hiring a CRO.

"If they have an appropriate governance structure and good communication channels and collaboration amongst the executive team, I don't believe it's absolutely necessary," said Nancy Foster, CRO at the $2.4 billion-asset Park Sterling Corp. in Charlotte, N.C., who chairs the Risk Management Association. "Even between $2 billion and $10 billion there are quite a few banks that do not have chief risk officers."

She noted that while having a CRO has advantages, such as "connecting all of the dots from the board level to policies and procedures at the very bottom," some institutions do not need to expend the resources to have that person in place.

"Some banks have such strong cultures that they're able to do it without that," Foster said.

Growing the 'Right Way'

The CRO role seems tailor-made for a number of institutions facing greater risk as a result of a growth strategy.

Beginning in 2009, State Bank and Trust Co., based in Georgia, has acquired 12 failed banks, two healthy institutions and an insurance company.

"From that very first day, we had a chief risk officer in place," said Steven Deaton, who has been with the institution since its beginnings and now oversees enterprise risk for its Atlanta holding company, State Financial Corp.

Strategic risk "was at the core of what [the bank] was doing," he said.

When Deaton began overseeing enterprise risk for the bank in 2012, the institution had about $1 billion in assets, but its goal was to be closer to $5 billion. (The holding company now has $3.3 billion in assets.)

"In order to do that, our chairman and CEO believed we really had to spend some time and resources and really build out the whole risk infrastructure, and asked me to do that for the organization," he said. "We believed that if we were going to significantly grow our franchise, we need to do it with a strong risk framework in place."

While community banks were slower to develop ERM frameworks, the concept appears to be taking off.

A tipping point, Beasley said, is when institutions pursue risk management strategies beyond traditional areas like credit risk and compliance risk — to cover newer areas like operational risk and the interplay between risk categories.

"They might … think of ERM as, 'That's what the chief credit officer does.' Or, 'That's what the chief compliance officer does.' They don't see the need for it because they think that's already being done," Beasley said. "More and more are beginning to understand that ERM is not just credit and it's not just compliance. It's bigger."

Stephen Phillips, the chief credit and risk officer at the $3 billion-asset First United Bank and Trust Co. in Durant, Okla., said the institution's risk management framework was a key component in executing the bank's growth strategy.

"We wanted to grow the bank the right way," said Phillips, who was previously the bank's chief commercial loan officer. "We understood that we had to have an integrated ERM platform that was aligned with the bank's overall strategic risk appetite. That was the magic for us."

As smaller banks increasingly build enterprise risk programs, many say an all-encompassing approach to managing risks requires someone at the top of the house overseeing it all.

"When a bank crosses the threshold of about $1 billion, that's the time that they ought to be putting in a CRO and an enterprise risk management function," said Edward Schreiber, chief risk officer at the $57 billion-asset Zions Bancorp., and a former official at the Office of the Comptroller of the Currency. "I'm really adamant that you can't just do this by committee. You really need a person who understands it, who communicates well, and who is able to negotiate through everything and raise things to the board or to the CEO, to say, 'Houston, we've got a problem.'"

Deaton says appointing a CRO should be the model for the industry even if it means smaller institutions add that role to what an existing manager is already doing.

"The idea of being able to silo risk and analyze risk in different areas and not have someone that's responsible for looking at it both horizontally and vertically throughout the organization — I don't think … that that's feasible, regardless of your size," he said. "If it's a small bank, they may run a combination of risk and credit. Maybe you have a chief risk officer who also serves as chief credit officer. That means at smaller banks the chief credit officer is going to have to have a broader hat."

Meanwhile, certain risks that are more prevalent at community banks bolster the case to appoint a CRO.

"Vendor risk has really come on strong. When you look at the smaller institutions, a majority of the time they really outsource a lot of their work, whether it's the banking platform or the lending operation," said Ryan Rasske, senior vice president for risk and compliance at the American Bankers Association.

Not for Every Bank

But many community banks are still hesitant to install a single risk leader. Adding the position is costly, the local talent pool is sparse and in many cases a bank with a relatively simple business strategy may deem the hiring of a full-time CRO unnecessary.

Among smaller institutions, the speed with which institutions have installed risk management leaders has varied by bank size. As early as 2012, 60% of banks surveyed with $3 billion to $10 billion in assets had CROs, versus just 12% for those below $250 million, according to the RMA's risk management staffing study.

The cost related to establishing a full-time CRO position is still a challenge, according to experts.

"The challenge for the smaller banks is that [ERM] is moving so quickly that the cost to develop these systems, find the talent who are knowledgeable about these things and educate the line management is very expensive," said former Federal Reserve Board Gov. Susan Bies, who oversaw risk management at First Tennessee in the nineties and now sits on Bank of America's board.

"They can't do everything at once. They need to prioritize how they're evolving toward it. The big banks don't have the luxury of time. They have to get it all done as fast as they can."

Michael Radcliffe, the senior vice president and compliance officer at the $736 million-asset Community Financial Services Bank in Benton, Ky., is part of a team of officers who share risk oversight. Radcliffe focuses on credit risks while others deal with technology-related risks.

The "team framework" works well if there is good communication among team members, he said.

"Everybody is aware of what's going on at any given time on the various committees," Radcliffe said. "In my mind, the danger of having one dedicated person is sometimes your information can get stuck in a silo."

He acknowledged, however, that the bigger the bank gets, the more likely it is to consider changing course.

"As we grow, we might shift to a designated CRO," Radcliffe said. "But I suspect there would always be separation to some extent between technology versus the credit and compliance side, simply because it would be difficult — especially in our area in western Kentucky — to find a qualified individual who has a depth of knowledge on both."

And with resources in short supply, CROs at smaller banks often have other roles.

First United's Phillips said it made sense for him as CRO to still serve as the bank's chief credit officer.

"At most community banks, there are a host of risks that ERM is set up to assess, quantify, make visible and help us make the right decisions on. For us, really credit is at the top of that list," he said. "With my credit and production background, we felt it made sense to keep those together. Over time, they will split out. For right now, it made sense to keep them together."

Murray, of Empire National, said she had retained her former role as chief compliance officer when she became the CRO. The bank later named a new chief compliance officer, but Murray still fulfills a deputy compliance role.

Having a CRO improves the quality of the bank's risk management framework, she said. Sometimes it just helps to have someone leading the discussion among risk managers to make sure the ERM program lacks gaping holes.

"We were doing risk assessments before, but appointing a CRO and bringing all of the assessments together helped us to gauge whether there was anything that we were missing. You need that point person to bring everything together," Murray said. "Each department may be looking at a risk assessment separately, but it's getting bodies together and discussing it and vetting it to make sure that we've not missed anything."

Many Different Paths

Beasley's group at North Carolina State advises state-chartered financial institutions on ERM platforms and has found companies choose from a variety of options for managing the program in-house.

"Some have designated a person … some have not. Some have someone else leading the effort," he said. "In one case, it's the chief operating officer who is leading ERM. In another case, it was the head of internal audit who was coordinating and leading the risk oversight process."

A smaller institution may not immediately see value in creating a new position for overseeing risk management when it already employs managers who are involved in tracking certain risks, such as compliance risk, Beasley said.

"Banks are still trying to figure out: What is the role of the CRO relative to other major risk owners, particularly in banking, where most institutions have a chief credit officer and there might be a chief compliance officer?" he said. "There is still some confusion, if I'm the CRO, 'OK, what's my role relative to these other more established types of risk positions?' "

David Ruffin is the co-founder of Credit Risk Management LLC, a Raleigh, N.C., firm that sells a scorecard tool for community banks to develop an enterprise risk management framework. He said one strategy for institutions is to start simple, and that pursuing a risk management strategy without a CRO avoids turf battles between a new executive and managers already overseeing specific risk areas.

"Our tag line for our product is: It's a process, not a person," Ruffin said. "Unlike financial reporting, enterprise risk doesn't have to be precisely exact. It just needs to be directionally accurate. That's where the trap has been with some of the other attempts to get this going at smaller banks — it becomes such a colossus of an exercise that it just buckles before it gets to fruition."

But Beasley said there are steps community banks can take to assign a risk management leader, a decision that brings advantages.

"My recommendation probably initially would be to dual-hat someone. I'm not telling them to add a full-time employee, because I know that will be met with resistance out of the box," he said. "But there is some benefit to have someone owning the process of getting the bank to pull its risk thinking together so that they're considering all major risk drivers, not just the biggies.

"I suggest that they really think about giving someone [the CRO] title but probably working with an existing person for starters until they understand what's needed to be done."
