Chief risk officers are rapidly becoming ubiquitous in the banking industry as banks react to pressure from regulators and corporate governance watchdogs who view the absence of a CRO as a bright red flag. According to a recent survey of bank chief executives conducted by Grant Thornton and Bank Director magazine, 71 percent of publicly traded banks and thrifts now have chief risk officers, up from 40 percent just three years ago.
There are many misconceptions, though, about what a CRO can and should do. Having a CRO for the wrong reasons may actually increase the odds of getting into serious trouble, as many banks discovered in the financial crisis.
The most serious misconception is that the chief risk officer really is the chief risk officer. The CEO is ultimately the chief risk officer because enterprise risk management is a fundamental leadership responsibility that cannot be fully delegated to anyone else. As Warren Buffett said in his latest letter to Berkshire Hathaway shareholders: "I believe that a CEO must not delegate risk control. It's simply too important. ... If Berkshire ever gets in trouble, it will be my fault. It will not be because of misjudgments made by a risk committee or chief risk officer."
This does not mean the CEO has to become a risk geek. Buffett says that he is responsible for managing his firm's derivatives book, but he probably gets help with the math. Many specialized tasks can and should be delegated to others. But delegation can only go so far because there are three critical risk management responsibilities that rest with the CEO, not the CRO or others.
First, the CEO is directly responsible for thoroughly understanding and signing off on all significant risks embedded in the bank's business strategy. For example, is the corporate lending business structured, positioned and priced to offer attractive returns over time on the credit risks being taken? Is the consumer banking business providing all that it should to the bank's structural liquidity reserves? Many people, including the CRO, will help the CEO come to informed judgments on which strategic risks the bank should take but the CEO makes the final decision and owns the risks as well as the profits.
Second, the CEO is directly responsible for protecting the bank's franchise against excessive or inappropriate risks that could derail the business strategy or damage the bank's reputation and access to capital. The bank's CRO can play a vital role in helping the CEO do this but cannot be solely responsible for identifying and defending against unprecedented or newly emergent risks—such as fundamental changes in regulation or other seismic shifts in the banking environment. It is up to the CEO, working with the management team, to apply forward-looking business judgment to identify and respond to the most serious threats confronting the bank. Looking through the rear-view mirror is not enough.
Third, and most important, the CEO is directly responsible for creating a strong risk culture across the entire bank that promotes the taking of well-calculated risks without providing incentives for excessive or inappropriate risks. For example, if a bank rewards its people for generating loan volume with scant regard to credit risk, it has a weak risk culture and is courting disaster. Building a strong risk culture requires significant changes in the bank's management disciplines and value system that are beyond the reach of a CRO acting alone. It is simply not possible to have a strong risk culture unless the CEO makes it happen through forceful leadership.
The CRO cannot be expected to do what only the CEO can do—which is to take the lead in strategic risk-taking, protecting the franchise and building a strong risk culture. But if the CEO takes on these fundamental risk management responsibilities, the CRO can be an effective and valuable contributor to the bank's success. The CRO helps the CEO and the board implement a credible, consistent risk management framework to govern the bank's risk-taking across all businesses; provides expert, unbiased advice on risk issues; and offers constructive ideas that use smarter risk management to unlock new business opportunities.
Handing off full responsibility for the bank's enterprise risk management is the wrong reason to have a CRO. The result is likely to be an expensive compliance bureaucracy that creates a false sense of security. The CRO becomes merely an actor in a diverting farce that presents the façade of risk management without the reality of risk management. As many banks discovered in the financial crisis, this farce can turn into a tragedy when the music stops.