DNA of the Challenger Banking CRO
We had the pleasure of catching up with Feike Brouwers, for our interview series. Feike is a chief financial officer turned chief risk officer with over 20 years’ experience in retail banking. His background includes international experience gained with c-level roles in operating business units as well as at corporate headquarters. His experience covers all aspects of financial management and risk management at Board level.
Feike is the chief risk officer at Kensington Mortgages, having joined from Tesco Bank where he was also the chief risk officer. Previously he held the same role at Coventry Building Society and from 2007 to 2013 he was chief financial officer at ING Direct in the UK. Prior to arriving in the UK, after being trained as an accountant with Price Waterhouse, he worked in Paris and Amsterdam for ING Direct, the internet banking arm of the Dutch ING Group.
Kensington Mortgages have assets under management of over £11 billion. It is the largest non-bank specialist mortgage lender in the UK including servicing of c£5.5 billion assets for third parties. They originated c£1.2 billion of new mortgages in 2018 representing a CAGR of more than 25% over the last four years.
They are one of the largest issuers of residential mortgage-backed securities (RMBS) in the UK having sponsored 15 securitisations totalling over £8 billion since 2015.
What is the future evolution of the CRO role?
In my view, the role is evolving from a narrow risk subject-matter-expert role into a broader enterprise leadership role. The CRO cannot operate in isolation and focus on a narrow field of ‘traditional’ banking risks, such as credit, market or operational risk. I’ve noticed increasingly broader involvement with the business is expected from CROs, including shaping strategy and contributing to delivering the business plan within the agreed risk parameters. There is also an increasing expectation that CROs should engage with the senior leadership team and the Board on a wide variety of topics which were not part of the standard CRO toolkit 10 years ago. This includes the risks associated with digital transformation programmes.
As part of this evolution, the risk function needs to adapt and continuously reskill and train to partner with the rest of the business through these changes rather than adopt a standard approach or toolkit. Another evolution is a shift in focus from traditional financial risks to non-financial risks, such as IT, cyber and data risks.
How does the CRO differ within a challenger or smaller bank?
In a smaller bank, the industry standard ‘three lines of defence’ model for a risk management framework cannot always be deployed as dogmatically as in larger organisations. Typically, the 2nd line risk team is smaller at a challenger bank, with fewer risk specialists for each risk type in the team. This requires a more hands-on approach and knowledge of a range of risk types. The CRO in a challenger bank is also more likely to be called upon to get involved in detail and day-to-day operational activity compared to larger or traditional high street banks. There’s an adage in risk management which says that “a small or weak first line can never by compensated by a large or strong second line”. So, with a small central risk team in a challenger bank, one must rely even more on very good risk management in the first line. Therefore, the CRO should spend a lot of time in building that strong relationship with first line risk management with the right quality people and the right risk culture.
How commercial should a CRO be?
This is a slightly controversial topic. Some pundits feel that it is the CRO’s role to minimize risk and that is his/her only role. However, I firmly believe that a good CRO should have at least some commercial blood flowing through his/her veins and help to drive growth within the risk appetite and boundaries as set by the Board.
If the risk capacity of an organisation is not utilised, or if a higher return can be achieved through diversification of risk, a good CRO should make this visible. The best CROs understand there are two sides to risk and they should pay attention to both. The key point though is to never overshoot in either direction and continuing to ask the difficult questions and remaining truly independent from the commercial side of the business.
How will innovation and automation impact the CRO agenda?
A lot! Advances in computing power and artificial intelligence and machine learning are already changing the game of risk management. For example, fraud detection and spotting trends and root causes in vast amounts of data using smart algorithms and using data visualization techniques have already become mainstream in risk management. This trend will only continue.
Financial services is going through a revolution driven by data science/analytics and the use of robotic process automation and application programming interfaces. Each of these come with tremendous benefits, but also with risks. The CRO and his risk team will need to gain a thorough understanding of these innovations to enable them to identify the risks. So, learning and development in these fields have become a high priority.
How can a risk management framework be simplified and still be effective?
What’s important, is to focus on the risks that really matter. This is easier said than done. But sometimes it is remarkably simple. For example, and perhaps paradoxically, reducing the frequency of a risk committee meeting, but with the right participants in the room and a well-prepared agenda, can sometimes improve the quality of the discussion and focus on the real risks, rather than discussing minutiae and ‘going through the motions’.
As mentioned earlier, a strong risk culture combined with good risk management in the first line, supported by technology, such as a governance, risk and compliance (GRC) software tool, creates efficiency and effectiveness at the same time.
And finally, it is important to not let the risk framework grow arms and legs without contributing to better risk management. I often compare a risk framework with a garden. One is never quite finished and needs to weed, prune, mow the grass and irrigate the framework. If you leave it idle it becomes overgrown, messy and unpleasant. It is essential to take an active focus in maintaining and developing the framework to ensure it stays effective, relevant and efficient.
We would be interested to hear your thoughts and comments?