The Chief Risk Officer

According to the Basel III framework, large banks, internationally active banks, and other financial firms, should have an independent senior executive with distinct responsibility for the risk management function and the institution's comprehensive risk management framework across the entire organisation. This executive is commonly referred to as the Chief Risk Officer (CRO).

Whatever the title, at least in large banks, the role of the CRO should be distinct from other executive functions and business line responsibilities, and there generally should be no "dual hatting" (ie the chief operating officer, CFO, chief auditor or other should not serve as the CRO).

Formal reporting lines may vary across banks, but regardless of these reporting lines, the independence of the CRO is paramount. While the CRO may report to the CEO or other senior management, the CRO should also report and have direct access to the board and its risk committee without impediment.

Also, the CRO should not have any management or financial responsibility in respect of any operational business lines or revenue-generating functions.

Interaction between the CRO and the board should occur regularly, and should be documented adequately.

Non-executive board members should have the right to meet regularly - in the absence of senior management - with the CRO.

The CRO should have sufficient stature, authority and seniority within the organisation. This will typically be reflected in the ability of the CRO to influence decisions that affect the bank's exposure to risk.

Beyond periodic reporting, the CRO should thus have the ability to engage with the board and other senior management on key risk issues and to access such information as the CRO deems necessary to form his or her judgment. Such interactions should not compromise the CRO's independence.

If the CRO is removed from his or her position for any reason, this should be done with the prior approval of the board and generally should be disclosed publicly. The bank should also discuss the reasons for such removal with its supervisor.

Scope of responsibilities, stature and independence of the risk management function

The risk management function is responsible for identifying, measuring, monitoring, controlling or mitigating, and reporting on risk exposures. This should encompass all risks, on- and off-balance sheet and at a group-wide, portfolio and business-line level, and should take into account the extent to which risks overlap (eg lines between market and credit risk and between credit and operational risk are increasingly blurred).

This should include a reconciliation of the aggregate level of risk in the bank to the board-established risk tolerance/appetite.

The risk management function --both firm-wide and within subsidiaries and business lines-- under the direction of the CRO, should have sufficient stature within the bank such that issues raised by risk managers receive the necessary attention from the board, senior management and business lines.

Business decisions by the bank typically are a product of many considerations. By properly positioning and supporting its risk management function, a bank helps ensure that the views of risk managers will be an important part of those considerations.

While it is not uncommon for risk managers to work closely with individual business units and, in some cases, to have dual reporting lines, the risk management function should be sufficiently independent of the business units whose activities and exposures it reviews.

While such independence is an essential component of an effective risk management function, it is also important that risk managers are not so isolated from business lines - geographically or otherwise - that they cannot understand the business or access necessary information.

Moreover, the risk management function should have access to all business lines that have the potential to generate material risk to the bank. Regardless of any responsibilities that the risk management function may have to business lines and senior management, its ultimate responsibility should be to the board.


A bank should ensure through its planning and budgeting processes that the risk management function has adequate resources (in both number and quality) necessary to assess risk, including personnel, access to information technology systems and systems development resources, and support and access to internal information.

These processes should also explicitly address and provide sufficient resources for internal audit and compliance functions. Compensation and other incentives (eg opportunities for promotion) of the CRO and risk management staff should be sufficient to attract and retain qualified personnel.

Enterprise Wide Risk Management

One of the most important challenges for the Chief Risk Officer is to implement an Enterprice Wide Risk Management program, following the Enterprise Risk Management — Integrated Framework by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). According to this framework, the underlying premise of enterprise risk management is that every entity exists to provide value for its stakeholders.

All entities face uncertainty, and the challenge for management is to determine how much uncertainty to accept as it strives to grow stakeholder value.

Uncertainty presents both risk and opportunity, with the potential to erode or enhance value. Enterprise risk management enables management to effectively deal with uncertainty and associated risk and opportunity, enhancing the capacity to build value.

Value is maximized when management sets strategy and objectives to strike an optimal balance between growth and return goals and related risks, and efficiently and effectively deploys resources in pursuit of the entity's objectives.

Enterprise risk management encompasses:

Aligning risk appetite and strategy – Management considers the entity's risk appetite in evaluating strategic alternatives, setting related objectives, and developing mechanisms to manage related risks.

Enhancing risk response decisions – Enterprise risk management provides the rigor to identify and select among alternative risk responses – risk avoidance, reduction, sharing, and acceptance.

Reducing operational surprises and losses – Entities gain enhanced capability to identify potential events and establish responses, reducing surprises and associated costs or losses.

Identifying and managing multiple and cross-enterprise risks – Every enterprise faces a myriad of risks affecting different parts of the organization, and enterprise risk management facilitates effective response to the interrelated impacts, and integrated responses to multiple risks.

Seizing opportunities – By considering a full range of potential events, management is positioned to identify and proactively realize opportunities.

Improving deployment of capital – Obtaining robust risk information allows management to effectively assess overall capital needs and enhance capital allocation.

These capabilities inherent in enterprise risk management, help management achieve the entity's performance and profitability targets, and prevent loss of resources. Enterprise risk management helps ensure effective reporting and compliance with laws and regulations, and helps avoid damage to the entity's reputation and associated consequences. In sum, enterprise risk management helps an entity get to where it wants to go and avoid pitfalls and surprises along the way.

Events – Risks and Opportunities

Events can have negative impact, positive impact, or both.

Events with a negative impact represent risks, which can prevent value creation or erode existing value.

Events with positive impact may offset negative impacts or represent opportunities.

Opportunities are the possibility that an event will occur and positively affect the achievement of objectives, supporting value creation or preservation.

Management channels opportunities back to its strategy or objective-setting processes, formulating plans to seize the opportunities.

Enterprise Risk Management Defined

Enterprise risk management deals with risks and opportunities affecting value creation or preservation, defined as follows:

Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

The definition reflects certain fundamental concepts. Enterprise risk management is:

A process, ongoing and flowing through an entity.

Effected by people at every level of an organization.

Applied in strategy setting.

Applied across the enterprise, at every level and unit, and includes taking an entity level portfolio view of risk.

Designed to identify potential events that, if they occur, will affect the entity and to manage risk within its risk appetite.

Able to provide reasonable assurance to an entity's management and board of directors.

Geared to achievement of objectives in one or more separate but overlapping categories.

This definition is purposefully broad. It captures key concepts fundamental to how companies and other organizations manage risk, providing a basis for application across organizations, industries, and sectors. It focuses directly on achievement of objectives established by a particular entity and provides a basis for defining enterprise risk management effectiveness.

Privacy and Legal: