The evolution of the chief risk officer: A bumpy road to seniority

By David Beach | 18 September 2017

There’s probably a very good anecdote about a host of castle architects being given the axe by their liege lords because they couldn’t build fortifications strong enough and quickly enough to counter the fresh structural challenges of cannon technology. The modern equivalent may well be that of the chief risk officer (CRO). Just as the castle architects would have protested the nigh on impossibility of countering gunpowder just with stone defences, so too has the CRO had to adapt and evolve to meet new risk management challenges that are becoming increasingly difficult to predict and counteract.

As the mitigator of risk, the CRO must be able to identify, assess and manage those risks using a variety of processes, all while complying with increasingly stringent regulation. And where IT infrastructure and the emergence of technologies including AI and big data have made the job easier, they have also created a host of problems, not least for internal operational risk, but also the increasing and evolving threat of cyberattacks.

Indeed, risk is a very small word for a very large responsibility. This article will look at how the role of the CRO has changed over the years and where 2018 fits into the evolutionary trajectory.

What will the CRO of 2018 look like?

Changing times and shifting responsibilities

The 1990s saw the first wave of CROs creating and implementing enterprise risk management (ERM) as well as a variety of risk models. This framework sought to define different risk functions and quantify their capability, before coordinating and integrating the risk output. In short, the ERM was there to identify, assess, manage, monitor and report risks under different circumstances, and have a contingency plan on how to mitigate should those risks arise.

A successful ERM programme firstly set a solid foundation for implementation. Risk alignment was first and foremost the priority: a standardised glossary of risk was established to understand the company’s risk appetite (what it was prepared to risk, and so on) whilst also allowing for a ranking of risk priority. CROs were also required to keep on top of regulatory compliance in the form of Solvency I for insurance companies, and Basel I, and later II, for banks. Lastly, the ERM was to integrate seamlessly with the business as a whole.

Post-crisis CRO: a new enemy and more regulation

In many regards, the CRO was chief implementer with a fairly low degree of seniority and wholly focused on the technical aspects of ERM and the consequences of dealing with risk fallout detected therein. Chief implementer soon evolved into chief assessor, building on the CRO’s formerly technically focused duties with wider business considerations. ERM now expanded to cover a variety of other business related risks, such as new legislation, reinsurance coverage (for insurance), and asset liability management, until the ERM and CRO were well situated in the business decision making. Indeed, the CRO role, for all its onboarding of additional risk and the breadth of that risk function, saw a rise in its status post-crisis a decade or so ago.

After the dust settled following the financial crisis and the flurry of regulations became clearer, the subsequent tech boom enabled a dramatic explosion of fintech challengers, reaching an all-time high for investment in 2015-2016. Whilst the boom prompted innovation in financial services, security lagged behind, largely due to the volume, volatility and unpredictable nature of modern cyberattacks. If cyber risk hadn’t captured the serious attention of CROs before the ‘WannaCry’ ransomware attacks on legacy infrastructures like the NHS systems, then the slew of industry cyber breaches certainly did. Indeed, as many as 46% of UK companies registered an attack in 2016, with Tesco Bank and Three Mobile the most prominent, losing sensitive customer data and millions of pounds as a result. With the General Data Protection Regulation (GDPR) coming in May next year, many CROs are currently reviewing ERMs and models, and consequently arguing for more IT budget spend to firm up defences against potential breaches and keep the walls defensible.

And that increasingly led to the formation of a new job description for the modern CRO, and a position that now ranked a few rungs more senior in the company’s hierarchy: chief integrator of a diverse and dynamic range of risks, more on the front line of the business than a passive risk manager. CROs were becoming, for all intents and purposes, a risk-oriented CEO, further embedded in the company as a business, and more vocal in the boardroom.

They needed to take ownership when aggregate risks went above risk appetite which, when successfully identified and acted upon, was as much a chance to generate competitive advantage as to simply avert risk. They also had to move from their traditional heartlands of insurance, market and credit risk towards conduct and operational risk. That leaves the CRO of 2017 vastly different from the CROs of a few years ago, let alone pre-financial crisis.

An inside perspective on the CRO of 2018

bobsguide spoke to Patricia Jackson, a non-executive director and chair of the risk committee for Atom bank, BGL, Lloyds of London and SMBC Nikko, who gives an inside perspective on the change in the CRO role.

What’s new for CROs?

Cyber risk has gone right up the agenda. In many organisations, cyber was previously sitting with IT, and the last year or so has seen a major shift in terms of the risk function taking more ownership of cyber risk, whilst we’ve also seen more engagement with cyber by the boards. There’s also much more focus on outsourcing and outsourcing risk by the CROs. In many companies, outsourcing was previously sitting with procurement, and it has become a really key subject.

If you’re outsourcing functions to a supplier and you retain the risk, the question becomes ensuring the supplier is performing to a high enough standard and, as a topic, it’s evolving. In America, many firms are getting third party reviews done on cyber risk and they make those reviews available to those to whom they’re supplying services. That’s more of a changing area in the UK and it’s not quite in the same place where suppliers have third party assessments. So, in terms of business continuity and cyber, companies are wrestling with finding a way to ensure that outsourcing doesn’t leave them vulnerable.

Another huge topic is GDPR. GDPR is a real stretch for many firms and comes in in May next year. It’s complicated to deal with and it’ll bring heavy penalties if you get it wrong. For example, you have to be able to remove data at customer request and it’s far more complex than companies reckoned. For some years now, the CROs have been wrestling with risk appetite and how you assess forward risks against risk appetite. To start with, the focus was on the core financial risks and progress was made. But how you deal with non-financial risks including cyber and business continuity is still evolving.

What regulations are CROs focused on?

For some firms, anti-money laundering has been top of the agenda because the fines have been so high, so we are seeing enforcement there for some traditional organisations but also the tightening up of regulation of some more alternative sectors. Banks and insurers have been under regulatory pressure now for quite a few years and we’re seeing the tentacles spreading out to the more lightly regulated areas. I think it’s a general pattern: some CROs are spending as much as half of their time dealing with the regulatory agenda.

For capital, regulations are still changing for banks because the Basel committee is still issuing changes following on from Basel III. Trading book requirements are changing, for example. Firms are also trying to wrestle with areas like risk culture, where the regulators are focusing more. Outside the traditional banking and insurance sectors there is also focus on pricing and competition as well as operational risk.

Across all financial services, cyber is right up there, as well as outsourcing. For companies dealing with a wider range of customers and jurisdictions, money laundering and financial crime are also right up there. Companies seem to be less bothered by credit and market risk, I think because they believe they are under control. They’re very big risks, but it’s central to what they do, so they’re more comfortable managing it. The tricky bit is managing something as ever changing as cyber, whether that be the recent ransomware attacks or phishing expeditions.

What would CROs like in order to do their job better?

What CROs would really like is a halt to regulatory change so that they can deal with what’s happened so far; continuous change makes life impossible. Along with that, they’d like more IT budget to make their areas more efficient.

So greater technological use is the next step of CRO evolution?

That’s got to be part of the solution. People think of digital as the interface between firm and customer, but the firm has also got to use it internally. AI can enable automation of intelligent processes and frees up time for the human to actually think about the risks. For instance, you don’t want to have to spend all your time calculating the numbers, but instead thinking about and assessing the risks.

As an example, one organisation which has many, many regulators had a specific team tasked with dealing with queries that came in about different rulebooks. They’ve run a pilot to roboticise the process and they’ve managed to reduce the time it takes to find the right rule enormously. So, something like that which you expect would require quite a bit of judgement can be managed quite well by AI.

Would Atom’s risks, as a digital and challenger bank, differ from legacy banks?

In terms of IT risks, Atom, as a mobile phone based bank, is very dependent on the app, but major traditional banks are also absolutely dependent on their IT, and Atom avoids some of the key risks associated with browsers and internet banking. So in that sense I don’t think the challenges are unique: all banks are dependent on their IT and all banks have to look at the risks around cyber.

For a startup bank there needs to be very careful control of how new systems are put up and services are launched. That requires a very careful process, which we did for Atom at every stage, to make sure that the system, process and risk controls were in place before we moved on to the next phase. For instance, we didn’t put products up all in one fell swoop, but we brought them online as we were ready to do so and subjected them to a very careful risk management process. I expect the regulator welcomes this approach and will be looking for other new entrants to undertake the same level of oversight and control.

It seems, like everything else in business, that the buzzwords of AI, big data and machine learning continue to generate noise as the saviours of human roles struggling to keep afloat amid the challenges that the same tech revolution has created.
