The extended absence of a chief risk officer at Silicon Valley Bank, in the months before it failed, underscored the position’s significance — especially as risk chiefs have gained prominence at banks over the past 15 years.
SVB’s March 2023 collapse offered a stark reminder “of the cost of not managing risk effectively on an ongoing basis,” said James Lam, a risk management consultant.
SVB, a $212 billion-asset bank, didn’t have a chief risk officer for much of 2022. The lender, which had a high proportion of uninsured deposits, experienced a bank run after rising interest rates affected its investment securities portfolio. That SVB didn’t confront rising risks before its downfall has served as a profound risk management reminder to banks.
Banks have always been in the business of managing risk, from credit and interest rate risk to operational risk, said Lam, who served as a CRO as early as the 1990s for companies such as Fidelity Investments and GE Capital Market Services.
Prudent risk management can be a point of pride for banks. Take, for example, PNC’s recent advertising campaign, where the lender embraces being “brilliantly boring.”
Regulatory requirements related to the amount of capital banks must hold, their liquidity buffers and bank examinations all underscore the importance of risk for financial institutions.
“When banks do forget, they get reminded in a very strong and powerful way,” Lam said.
A raft of changes over the past 20 years, following the Sept. 11, 2001, attack, the Great Recession and the COVID-19 pandemic, brought new risks to the fore and bolstered the CRO role’s prominence.
The last decade has seen the emergence of the strategic CRO, with the role becoming increasingly complex and multilayered, said Ellen Yaffe, a director in the financial services sector at leadership advisory firm Russell Reynolds Associates.
“Whatever the issues are, the CRO has to be right at the table, right from the beginning,” she said.
How has the role evolved?
Early on, the CRO role was focused on financial risk and the integration of credit, interest rate and market risks, Lam said. Operational risks came into the fold in the mid-1990s, following high-profile occurrences of rogue traders and trading errors.
Today, risks have become more digitized and complex, as the industry grapples with concerns about cybersecurity, artificial intelligence and quantum computing.
Over time, the CRO’s purview has expanded, from a narrower focus on credit risk and the portfolio of assets, to now being involved in more strategic decisions and influencing organizational culture and decision-making.
Today’s CRO has to have a far more strategic view of capital planning and “the fine line” between a commercial opportunity and a business risk, Yaffe said.
“A lot of financial services organizations would say that the No. 1 partnership to the CFO in a financial institution right now is their chief risk officer,” she said.
Chief risk officer isn’t a one-size-fits-all role for banks. Whether a bank should have one depends on its size — those with $50 billion in assets or more are required to — and the activities it’s involved in. Banks engaging in “complex” services and activities, such as working with fintechs, “need one now,” said Eric Holmquist, managing principal with consulting firm Capco.
The role has come into its own in the past 15 years, partly due to heightened standards the Office of the Comptroller of the Currency issued in 2014.
The CRO’s two primary responsibilities, Holmquist said, are building the bank’s risk management program and framework, and providing an effective challenge to business leaders making decisions around risk-taking.
The “ultimate challenge” for CROs is influencing decision-making so that managers and executives are making their own intelligent risk-taking decisions around risks to accept, risks to mitigate, pricing for risk or transferring risk the bank doesn’t want, Lam said.
The CRO once was seen as a role carrying veto authority, but the industry has reconsidered that.
“The contemporary thinking is that the CRO should lead by influence, not by authority,” Holmquist said.
While serving as chief risk officer at Customers Bank, Holmquist “built up some credibility where I could say, ‘Gosh, this just really feels like it’s not lined up with our strategy, our risk appetite. It’s going to have a regulatory trigger.’ And management gets there and goes, ‘Yeah, that’s kind of where we were at.’”
There won’t be a policy or process for every risk the bank might face, so CROs need to affect a bank’s culture, using training or tools, so that employees act with integrity and consider the best interests of the bank and its customers, Lam said.
At large banks, in particular, it’s crucial that the CRO weigh in on strategy.
When banks and other companies in the S&P 500 suffer a major decline in market value, it’s most often due to strategic risk, such as a failed acquisition or product launch, rather than operational or financial risk, Lam said.
Other key challenges for CROs at large banks: giving feedback on risk-adjusted pricing for products and relationships; ensuring the bank is incorporating risk into strategic planning and execution; and influencing thinking about incentives, so that CEO and C-suite performance evaluations take risk management and compliance into consideration.
“If you look at best-practice banks, they generally have very strong risk cultures,” Lam said.
What experience, skills and understanding are crucial to the role?
There’s no set path to becoming chief risk officer. Some hail from the operations side of the bank, which comes with an emphasis on enabling processes necessary for the business to thrive, Holmquist said.
Others have legal, compliance or auditing backgrounds, or were former regulators. Gale Simons-Poole, the CRO at nonbank lender BHG Financial, said her 25 years at the Federal Deposit Insurance Corp. gave her exposure to a variety of risk management programs and skills at different banks.
But industry consultants agreed that having the courage to take an opposing view within the executive suite is a crucial quality.
The CRO has to “be strong enough to stand up and go toe-to-toe with senior management and ask hard questions,” Holmquist said.
Leading through influence is pivotal.
“Sometimes the chief risk officer is the one who says, ‘I don’t see it that way, everybody, and here’s why.’ You really have to be able to have that strength and confidence to say, ‘Let’s think of it a different way,’” Simons-Poole said. “Are you always going to win? No. But I think it’s the way to make everybody think more broadly.”
To that end, CROs must understand “the organizational DNA,” Simons-Poole said. A bank’s risk culture can drive how workers are motivated and how a CRO will get the job done, and some banks are more open to risk than others.
Independence is vital to the CRO role, particularly if risk-taking is excessive or there’s unethical behavior.
While he was chair of the risk committee at E*Trade Bank, Lam sought to formalize the CRO’s independence by putting in writing that the CEO couldn’t hire, fire or change the CRO’s compensation without the risk committee’s approval.
At SVB, a strong, independent CRO was missing, Lam said. The lender had greater strategic risk, given its startup focus. That concentration led to elevated interest rate and liquidity risk, compounded by a digital bank run.
The biggest risks at a bank will depend on its business model and risk profile. When those are mapped against the capabilities of the bank’s risk management program, it can spotlight the skills that would be most beneficial in the next CRO, Lam said.
“You really have to be the right CRO for the moment,” he said.
Today’s boards and CEOs are looking for CROs with not just financial risk experience, but also strong operational and cybersecurity skills, and strategic and business backgrounds, observers said. That might be someone who’s run a large business or worked in an international market.
Analytical and communication skills, the ability to flexibly problem-solve and the capacity to build key relationships with regulators and board members are also essential. And at larger banks with bigger teams, CRO is “a much bigger leadership with capital L role,” Yaffe noted.
When it comes to leadership development, risk leaders are most commonly looking to obtain breadth of experience, as that expectation has emerged, Yaffe said. That, in turn, is positioning CROs for other C-suite roles.
In recent years, a number of CROs have become CEOs, including Barclays CEO C.S. Venkatakrishnan. CROs now may see a path to CFO or CEO, “which was not necessarily a conversation people were having before,” Yaffe said.
What does the future of the role look like?
Last year’s regional banking crisis emphasized the importance of CROs, and smaller banks, too, have made the role more pivotal among executive ranks, observers said.
Additionally, since spring 2023, relationships with bank examiners, and alignment with those regulatory officials, have become more important, Lam said.
Ongoing technological advancements will keep CROs on their toes, analysts said. Artificial intelligence will “be both a risk management challenge, but also a risk management power for CROs,” Lam said.
Banks have been eager to assess how they can employ AI to the greatest effect. But the CRO role could never be replaced by AI, just as strategy wouldn’t, Holmquist said. AI may benefit risk management, serving as a “virtual smoke alarm” because it can see subtle patterns, he said.
Using AI, a bank could build a risk model of the future — a kind of digital twin of the bank, connected to external variables such as interest rates, credit defaults, cyberattacks or geopolitical risks — that’s updated continuously, and use that to understand how certain factors relate to a bank’s risk appetite, Lam said.