The role of the Chief Risk Officer
Justin Whitehouse, Director of Banking at Interim Partners, interviews Stephen Bell on the role of the Chief Risk Officer, the major challenges faced today and how the role has evolved since the credit crisis.
Previously Stephen was Chief Risk Officer and Board Director for Ulster Bank Group in Ireland. In this capacity he was a member of the Executive Committee and Board Risk Committee and also Chair of the Executive Risk Committee. For part of his time with Ulster he was also responsible for Retail and SME Collections & Recoveries. He is now Chief Executive of a Private Equity backed property business in Ireland and Chair of the Audit & Risk committee of the government arm’s-length body, Homes England.
How has the role of a CRO changed over the last 5-10 years?
In my experience it has changed more than most C-Suite roles. In fact over that period it has become a regular feature in the C-Suite which it wasn’t always before. I’d say 10 years ago the typical Head of Risk was expected to be a Credit & Compliance specialist whereas the CRO today is described as a “strategic all-rounder”. You would also have to say that the role of CRO can be very different across organisations. It can cover a range of remits depending on the firm and where it is in its evolution and all have a place and a value.
What are the biggest challenges for CROs today?
As I see it, there are many areas of challenge. Finding the right balance between being commercially supportive while not giving false comfort is one. Being proportionate in your reactions to issues in a world where post-hoc judgements can be made is another. Part of the challenge over the last few years has been readjusting to the post-crisis and recovery phase. Very few people ignore the risk agenda in a crisis but once things return to BAU, retaining the right share of the firm’s thinking for enterprise risk thinking is critical. I’d also say it will be increasingly important that risk is seen as being on the pathway for leadership progression.
What are the essential ingredients for the risk agenda to succeed?
You need a CEO and Board who actually want a CRO and are clear on the value the role will bring. Alongside that you need to know what kind of CRO you are expected to be. Trying to operate as a “strategic all-rounder” in a firm which only places value on parts of the role can be a painful experience – I know, I’ve been there! While it’s unlikely you will have unanimity across all stakeholder groups as to the most important item on your to-do list, you must ensure there are no significant areas of disagreement about priorities. Beyond that I’d say a shared understanding of what the starting point is, a broad agreement as to where everyone wants to get to, clarity on the strength of risk awareness in the “first line” and a good culture are all important.
What would you say to a CEO/Board who say they want to hire a CRO?
I’d ask them why and then listen carefully to what they say. I asked that of one organisation and by the end of the conversation it was clear they actually wanted a really good Head of Analytics/Data Science, not a CRO. Part of the challenge is that “CRO” can cover a multitude of requirements. Also because there is less history than there is for CFO or CEO roles, sometimes people aren’t clear what they are looking for or what good looks like. I’d also ask about the corporate culture overall and risk culture in particular as they see it. Joining a firm with little risk infrastructure but an open attitude is more rewarding than a role in a large firm with an established infrastructure but a belief that it doesn’t need to improve.
How do you think a Board Risk Committee operates best?
In my experience it works really well when business people talk about business issues from a risk perspective. If the mandatory invitees are the heads of the main risk-taking areas (and I include Operations, IT and Legal in that definition) and commercially minded risk specialists, you will usually get a great conversation.
Are there any common themes across the organisations you have worked for?
One similarity is the need to be situationally sensitive. You may be crystal clear what is needed but it will be a resounding failure for you and the firm if it’s not what the wider stakeholders understand the value of. The CRO of any organisation must be capable of “disagreeing without being disagreeable” and be happy holding and defending minority views. I’d also say any incoming CRO should do their due diligence well and then trust their instincts as I’ve found my impressions after 3 months were rarely wrong.
What is the best career path towards being a CRO?
If you accept the idea that a good CRO is a strategic all-rounder or (to borrow a description from one of the Australian banks) “the guardian of reputation, strategy and capital” then I would say you need to be a business leader first and foremost. I’ve used the description of a “risk intelligent business leader” as the goal. As such when I get calls from companies or recruiters, I often suggest people with a strategy background, those with broad COO (not just IT) experience and ideally people who have Lean or Six-Sigma type training. Increasingly risks are a function of what lies between things, what is assumed about things and how things work. As such, someone who has operated mainly in one branch of risk may not be best equipped to see the aggregate risk profile. Of all the risk disciplines, I’d say Operational Risk and Enterprise Risk can be good places to look.
Why haven’t many CROs made the move into CEO roles?
I’d like to think this will change going forward. Perhaps the lack of former CROs in the CEO role is because the role is still quite “new” and was still emerging in shape when the financial crisis hit. When that happened, everyone wanted a CRO and there weren’t so many strategic all-rounders available, so the role was filled by those who had seen a lot of one part of the risk agenda over their long careers or by young, emerging talent. Without over-generalising, the former were too late in career to move into the CEO role, the latter didn’t have the breadth and often are still not ready. While I am not looking to forecast the future, I’d say the current generation of CROs will move into other C-Suite roles and into Board Risk Committees and Boards. I’d dearly love to see a situation where an aspiring CEO has to spend some time in a senior risk role, even if they didn’t move directly from the CRO role to being the CEO.