Recent bank failures turned a spotlight on Chief Risk Officers (CROs) and their relationships with C-suite peers and the board of directors. In hindsight, stronger CRO intervention was at least one factor that could have helped avert the institutional collapses witnessed last spring. But hindsight is 20-20, and we prefer to look ahead. Which raises the question: Where exactly should a CRO’s voice fit within the complex matrix of financial governance and how should their interactions with other bank leaders be reinforced? The answer begins with the essential relationship between CROs and Chief Financial Officers (CFOs).
The Intersection of the CRO and CFO
CROs and CFOs have a complicated dynamic. The two must collaborate for the safety and soundness of their institution—even as a CRO’s fundamental responsibility is to provide credible challenge to the CFO’s strategic assumptions, business focus, and decisions.
What’s needed is a healthy tension between CROs and CFOs and an active voice for both in executive leadership and dialogue with the board. The alternative is that business decisions can be too strongly swayed one way or the other, to the overall detriment of the bank. Too much sensitivity to risk, for example, and a bank’s growth can stagnate. On the other hand, too little consideration of risk in targeting profitability and other strategic goals, and you may be betting the bank.
Top 10 banks with mature, elaborate risk processes have managed to strike the necessary balance by forging collaborative CRO-CFO relationships within carefully structured risk management procedures. At midsize and smaller banks, though, the CFO often plays a much more prominent role, with risk management programs sometimes lacking the expertise, maturity, or empowerment to sufficiently engage and pose credible challenge at the decision-makers’ table. Conditions such as these were seen at play during last spring’s bank failures, leaving scenarios regarding risky concentrations untested and critical questions about asset and liability management assumptions unanswered.
Prime Examples: Capital Planning, Stress Testing, and the Strategic Plan
The CFO drives capital planning in most organizations, but more often than you’d think, that same CFO also owns the capital, liquidity, and interest rate stress testing programs. And while the chief credit officer typically leads credit stress testing, this too is done with extensive reliance on the CFO and finance team. It could be argued that CROs should own some or all stress testing programs, and in some institutions they do. Regardless, CROs need to provide robust challenges to critical stress testing assumptions and results.
While the CFO at a financial institution should have a fairly conservative approach to modeling risk and running scenarios, the CRO’s ability to challenge is still essential to assess whether the CFO’s results are well supported and reasonable. In an ideal division of labor, the CFO’s team, including the treasurer, investment officer, and financial planning and analysis executives, should focus on mining source data, developing models, selecting assumptions, and reporting out the results. The CRO’s role in stress testing must incorporate credible challenge of each critical element, including model development, data governance, scenario selections, key assumptions, model testing, and reporting reviews.
If the CRO doesn’t have a strong and active role in stress testing capital planning, things can go sideways quickly. For example, the risk management team has to ensure that the capital level for a perfect environment, as envisioned by the CFO, is juxtaposed against appropriate levels for various stressed environments.
It all rolls up into the annual update of the strategic plan. Here, again, the CFO often holds the pen as primary author, working with business line leaders and tying the plan back into the budgeting process. But the strategy must be consistent with the risk appetite approved by the board of directors and appropriate risk limits developed with CRO oversight. Policies and guidelines should ensure that business line risks are factored into expected returns, including appropriate pricing, and remain consistent with prudent concentration limits. All strategic planning elements should be subjected to rigorous stress testing to ensure that the plan can withstand a wide range of potential stress scenarios without creating undue risk to safety and soundness through changes in the economic environment.
Structuring the Right CRO-CFO Balance
Collaborative CRO-CFO relationships do not always grow organically. Every bank has to contend with some unavoidable friction between their CFO, with responsibility for financial performance results, and the CRO, with accountability for maintaining acceptable guardrails and limits for business strategies.
With the CRO reporting either to the CEO or board risk committee, it takes sufficient resourcing, structures, policies, procedures, and even scheduling to create strong alignment in the CRO-CFO relationship.
- Resourcing: The board of directors and CEO must provide strong support and appropriate resources for the CRO to maintain an effective risk management function. Lacking resources, some risk management teams can’t muster the expertise needed for active engagement and credible challenge to the CFO.
- Structuring: Board governance structures must ensure that the voice of the CRO is present and encourage frank, transparent dialogue within senior management and the board. The CEO and CFO will often lead communication with the full board, and the CRO with the board risk committee. However, the CRO should also have a platform with the full board, audit committee, and assets and liabilities committee (ALCO) or its equivalent, to ensure these governance bodies also have unfettered access to the views from independent risk management. At the same time, the CFO should have an active voice in risk, ALCO, and audit, in addition to the chief audit executive (CAE).
- Policies: The reporting structure is important, but how the CRO and CFO interact should also be covered in documented risk management policies. And while the CFO will often own policies in areas such as ALCO, investments, liquidity, and mergers and acquisitions, these must fit into CRO-owned risk management policies and the board’s risk appetite. Ultimately, critical policies are board-approved, but the CRO and CFO play integral roles in policy design, implementation, and monitoring for adherence.
- Procedures: One key procedure that would benefit from more CRO participation is the submission of public filings such as the annual 10-K to the Securities and Exchange Commission. While the CFO and general counsel typically own this procedure, a CRO’s review would ensure public reporting and risk factors remain consistent with internal risk assessments.
- CRO-CFO meetings: These two executives need both formal and informal lines of communication. They should conduct formal meetings at least monthly in addition to the usual preparation for board or committee meetings. Informal updates on matters of joint concern typically take place at least weekly.
Raising Tough Questions
Important questions may not even be raised if a CRO is not sitting at the table with the rest of a bank’s leadership. There should be a back-and-forth discussion in which the CRO might drill down on areas including the validity of assumptions, strength of controls, adequacy of capital, regulatory compliance, and, always, alignment with the board-approved risk appetite. Specific examples include:
- Asset and liability management: How might changes in interest rates affect earnings, liquidity, and capital for good, bad, or indifferent?
- Strategic plan: How does the plan account for emerging market volatility, regulatory change, cybersecurity risk, or technological disruption?
- New business: Does a particular business unit have sufficient resources and expertise to competently handle a proposed new business line, venture, or aggressive growth strategy?
The Takeaway
The interaction between the CRO and CFO will set the risk management tone for any bank, so both voices are critical to communicate and support the board’s risk appetite. CRO-CFO collaboration should leave little room for breaches of risk policies, and if they do occur, both must act aggressively—as one—to rapidly resolve potential risks. Boards and CEOs should understand this special relationship and seek to actively engage both the CRO and CFO in significant strategic decisions. Both must occupy seats at the leadership table, empowered to make their voices heard.