The Chief Risk Officer
According to the Basel III framework, large banks, internationally active banks and other financial firms (depending on their risk profile and local governance requirements), should have an independent senior executive with distinct responsibility for the risk management function and the institution's comprehensive risk management framework across the entire organisation.
This executive is commonly referred to as the Chief Risk Officer (CRO).
Whatever the title, at least in large banks, the role of the CRO should be distinct from other executive functions and business line responsibilities, and there generally should be no "dual hatting" (ie the chief operating officer, CFO, chief auditor or other senior management should not also serve as the CRO).
Formal reporting lines may vary across banks, but regardless of these reporting lines, the independence of the CRO is paramount.
While the CRO may report to the CEO or other senior management, the CRO should also report and have direct access to the board and its risk committee without impediment.
Also, the CRO should not have any management or financial responsibility in respect of any operational business lines or revenue-generating functions.
Interaction between the CRO and the board should occur regularly and be documented adequately.
Non-executive board members should have the right to meet regularly - in the absence of senior management - with the CRO.
The CRO should have sufficient stature, authority and seniority within the organisation.
This will typically be reflected in the ability of the CRO to influence decisions that affect the bank's exposure to risk.
Beyond periodic reporting, the CRO should thus have the ability to engage with the board and other senior management on key risk issues and to access such information as the CRO deems necessary to form his or her judgment.
Such interactions should not compromise the CRO's independence.
If the CRO is removed from his or her position for any reason, this should be done with the prior approval of the board and generally should be disclosed publicly.
The bank should also discuss the reasons for such removal with its supervisor.
Scope of responsibilities, stature and independence of the risk management function
The risk management function is responsible for identifying, measuring, monitoring, controlling or mitigating, and reporting on risk exposures.
This should encompass all risks to the bank, on- and off-balance sheet and at a group-wide, portfolio and business-line level, and should take into account the extent to which risks overlap (eg lines between market and credit risk and between credit and operational risk are increasingly blurred).
This should include a reconciliation of the aggregate level of risk in the bank to the board-established risk tolerance/appetite.
The risk management function, both firm-wide and within subsidiaries and business lines, under the direction of the CRO, should have sufficient stature within the bank such that issues raised by risk managers receive the necessary attention from the board, senior management and business lines.
Business decisions by the bank typically are a product of many considerations.
By properly positioning and supporting its risk management function, a bank helps ensure that the views of risk managers will be an important part of those considerations.
While it is not uncommon for risk managers to work closely with individual business units and, in some cases, to have dual reporting lines, the risk management function should be sufficiently independent of the business units whose activities and exposures it reviews.
While such independence is an essential component of an effective risk management function, it is also important that risk managers are not so isolated from business lines - geographically or otherwise - that they cannot understand the business or access necessary information.
Moreover, the risk management function should have access to all business lines that have the potential to generate material risk to the bank.
Regardless of any responsibilities that the risk management function may have to business lines and senior management, its ultimate responsibility should be to the board.
A bank should ensure through its planning and budgeting processes that the risk management function has adequate resources (in both number and quality) necessary to assess risk, including personnel, access to information technology systems and systems development resources, and support and access to internal information.
These processes should also explicitly address and provide sufficient resources for internal audit and compliance functions.
Compensation and other incentives (eg opportunities for promotion) of the CRO and risk management staff should be sufficient to attract and retain qualified personnel.
Risk management personnel should possess sufficient knowledge, experience and qualifications, including market and product knowledge as well as mastery of risk disciplines.
Staff should have the ability and willingness to challenge business lines regarding all aspects of risk arising from the bank's activities.
Enterprise Wide Risk Management
One of the most important challenges for the Chief Risk Officer is to implement an Enterprise Wide Risk Management program, following the Enterprise Risk Management — Integrated Framework by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
According to this framework, the underlying premise of enterprise risk management is that every entity exists to provide value for its stakeholders.
All entities face uncertainty, and the challenge for management is to determine how much uncertainty to accept as it strives to grow stakeholder value.
Uncertainty presents both risk and opportunity, with the potential to erode or enhance value.
Enterprise risk management enables management to effectively deal with uncertainty and associated risk and opportunity, enhancing the capacity to build value.
Value is maximized when management sets strategy and objectives to strike an optimal balance between growth and return goals and related risks, and efficiently and effectively deploys resources in pursuit of the entity's objectives.
Enterprise risk management encompasses:
- Aligning risk appetite and strategy – Management considers the entity's risk appetite in evaluating strategic alternatives, setting related objectives, and developing mechanisms to manage related risks.
- Enhancing risk response decisions – Enterprise risk management provides the rigor to identify and select among alternative risk responses – risk avoidance, reduction, sharing, and acceptance.
- Reducing operational surprises and losses – Entities gain enhanced capability to identify potential events and establish responses, reducing surprises and associated costs or losses.
- Identifying and managing multiple and cross-enterprise risks – Every enterprise faces a myriad of risks affecting different parts of the organization, and enterprise risk management facilitates effective response to the interrelated impacts, and integrated responses to multiple risks.
- Seizing opportunities – By considering a full range of potential events, management is positioned to identify and proactively realize opportunities.
- Improving deployment of capital – Obtaining robust risk information allows management to effectively assess overall capital needs and enhance capital allocation.
These capabilities inherent in enterprise risk management help management achieve the entity's performance and profitability targets and prevent loss of resources.
Enterprise risk management helps ensure effective reporting and compliance with laws and regulations, and helps avoid damage to the entity's reputation and associated consequences.
In sum, enterprise risk management helps an entity get to where it wants to go and avoid pitfalls and surprises along the way.
Events – Risks and Opportunities
Events can have negative impact, positive impact, or both.
Events with a negative impact represent risks, which can prevent value creation or erode existing value.
Events with positive impact may offset negative impacts or represent opportunities.
Opportunities are the possibility that an event will occur and positively affect the achievement of objectives, supporting value creation or preservation.
Management channels opportunities back to its strategy or objective-setting processes, formulating plans to seize the opportunities.
Enterprise Risk Management Defined
Enterprise risk management deals with risks and opportunities affecting value creation or preservation, defined as follows:
Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
The definition reflects certain fundamental concepts.
Enterprise risk management is:
- A process, ongoing and flowing through an entity
- Effected by people at every level of an organization
- Applied in strategy setting
- Applied across the enterprise, at every level and unit, and includes taking an entity level portfolio view of risk
- Designed to identify potential events that, if they occur, will affect the entity and to manage risk within its risk appetite
- Able to provide reasonable assurance to an entity's management and board of directors
- Geared to achievement of objectives in one or more separate but overlapping categories
This definition is purposefully broad.
It captures key concepts fundamental to how companies and other organizations manage risk, providing a basis for application across organizations, industries, and sectors.
It focuses directly on achievement of objectives established by a particular entity and provides a basis for defining enterprise risk management effectiveness.
Basel II, Basel III and the Chief Risk Officer (CRO)
To address fundamental deficiencies in bank corporate governance that became apparent during the financial crisis, the Basel Committee on Banking Supervision has issued a final set of principles for enhancing sound corporate governance practices at banking organisations.
Given the important financial intermediation role of banks in an economy, the public and the market have a high degree of sensitivity to any difficulties potentially arising from corporate governance shortcomings in banks.
Corporate governance is thus of great relevance both to individual banking organisations and to the international financial system as a whole, and merits targeted supervisory guidance.
The Committee's guidance assists banking supervisors and provides a reference point for promoting the adoption of sound corporate governance practices by banking organisations in their countries.
The principles also serve as a reference point for the banks' own corporate governance efforts.
Drawing on the lessons learned during the crisis, the principles, which were first published for public comment in March 2010, set out best practices for banking organisations.
Key areas of particular focus include:
(1) the role of the board;
(2) the qualifications and composition of the board;
(3) the importance of an independent risk management function, including a chief risk officer or equivalent;
(4) the importance of monitoring risks on an ongoing firm-wide and individual entity basis;
(5) the board's oversight of the compensation systems; and
(6) the board and senior management's understanding of the bank's operational structure and risks.
The principles also emphasise the importance of supervisors regularly evaluating the bank's corporate governance policies and practices as well as its implementation of the Committee's principles.
Principle 6, Principles for enhancing corporate governance
Banks should have an effective internal controls system and a risk management function (including a chief risk officer or equivalent) with sufficient authority, stature, independence, resources and access to the board.