Banks seek new blood to fill evolving CRO role

Chief risk officers are more valuable to CEOs than they have ever been, usually taking a seat at the table when senior executives and boards are contemplating new investments or entry into new business lines or markets. Assessing credit risk is still very much part of the job, but CROs these days also need to be tech savvy, comfortable with strategic planning and unafraid to challenge management.

This growing list of demands could explain why CRO turnover is on the rise.

In a new analysis of the 50 largest U.S. bank holding companies, the executive search firm Second Line Advisors found that in 2018, the average tenure of a CRO had fallen to 3.54 years, from 4.1 years in 2017. Second Line also found that 38% of CROs at banks over $250 billion and 27% of CROs at banks under that mark had served in the role for less than a year.

While a handful of retirements over the last five years have helped to drive down tenure, industry experts say that the changing nature of the CRO role is also pushing banks, particularly regional banks, to bring in new blood. Sometimes they are promoting from within, but often they are raiding rival banks for talent.

AB-070218-CRO (2).png

“The trend for banks … under $250 billion has definitely been looking more on an external basis,” said Daniel Solo, the president and head of client engagement at Second Line Advisors. “With higher standards from a regulatory and compliance perspective and the nature of how the industry is changing, [banks are] looking to their competitors as providing a caliber of experience that can really help move the needle in that function.”

In addition to shorter tenures, Second Line Advisors found that among the CROs it looked at, 18, or 36%, were external hires this year, a slight increase from 17 in the prior year.

Wells Fargo, for instance, recently recruited an outsider, Amanda Norton, as its new CRO. Previously, Norton was the consumer and community banking chief risk officer at JPMorgan Chase.

Norton’s hiring makes her the only woman to hold the role of CRO at a bank with more $250 billion of assets. It also represents the first time “in a long while” that a very large bank has hired a chief risk officer from another organization, Solo said.

Indeed, JPMorgan Chase’s chief risk officer, Ashley Bacon, has been in role since 2013 and had previously been the bank’s deputy CRO and head of market risk for its investment bank. The current CROs at Citigroup, Bank of America, PNC Financial Services Group and U.S. Bancorp also were all promoted from within.

In comparing banks with more than $250 billion in assets to those under that threshold, Second Line found that smaller banks were much more likely to hire external candidates and from a wider variety of backgrounds.

Internal and external candidates have their own unique merits. An internal candidate already knows the organization so there’s less risk that he or she will have difficulty acclimating to the company culture, said Will McKinnon, a consultant in Russell Reynolds Associates’ legal and risk practices.

On the other hand, external candidates offer a different kind of advantage.

“You’re bringing in best practices from another organization, which can only make your risk management practices and methodologies better,” McKinnon said.

He said that banks often see their strongest, second-tier talent poached by the competition. Fifth Third Bancorp, for example, hired its current CRO, Frank Forrest, from Bank of America, where he had worked for 10 years in a variety of risk management roles. Citizens Financial Group’s CRO, Malcolm Griggs, is a former high-ranking risk executive at Citigroup.

Though having a credit or risk background helps, it is no longer a prerequisite for landing a job as a CRO. According to Second Line Advisors, from 2017 to 2018, the number of chief risk officers with a risk, credit or business background, such as capital management or treasury, fell from 44 to 38 of the CROs at the 50 biggest bank holding companies.

“The historical profile of a chief risk officer has been a fantastic credit trained individual,” Solo said. “The evolution from a credit trained person to a broader risk manager has come into light over the last decade.”

Nancy Foster, the president and CEO of the Risk Management Association, said that when the chief risk officer role was first created, sometime around 2000, chief credit officers would typically take on the job, sometimes concurrent with their existing responsibilities. At the time, the job mainly involved expanded oversight of market and operational risk.

“Over time I think it was recognized that overseeing these different risk types requires very different skill sets, and you now commonly see the [chief credit officer] and CRO as peers with different reporting lines up to executive management or the board,” Foster said in an email to American Banker.

McKinnon said there’s a greater emphasis on a chief risk officer’s IT savvy. That means having both the ability to use information technology as a risk management tool and to assess risks, like cyber risk, associated with IT systems.

“The role has become increasingly complex. It spans not just financial risk, but IT risk, business risk, and more. And to add to the complexity, the risk threats and analysis are increasingly global,” he said.

McKinnon also said that he sees the chief risk officer role more frequently carved out as its own independent function that reports directly to the CEO, whereas previously, the chief risk officer might have reported to the CFO.

Diversity may be an area where there’s room for improvement. According to Second Line, 13, or 26%, of CROs are considered to be diverse now, the same as last year. And just six of the chief risk officers at those 50 largest banks are women. Wells Fargo’s appointment of Norton nudged that up from five in 2017.

“The diversity statistics have a very slight improvement" from years past, "but they have a ways to go,” Solo said. “Wells Fargo was a big one for gender diversity.”

For reprint and licensing requests for this article, click here.
Risk Recruiting Information systems Cyber security Credit C-suite JPMorgan Chase Wells Fargo Citigroup Bank of America Fifth Third Bancorp Citizens Financial
MORE FROM AMERICAN BANKER