The Rise of the Oft-Misunderstood CRO

Influence of Risk Officers Grows in Aftermath of Financial Crisis

SMITH BRAIN TRUST – When the Smith School’s Clifford Rossi was chief risk officer for Citigroup's Consumer Lending Division, few people understood the role. It was 15 years ago, back when corporate America’s definition of the term “risk” was narrower in scope. Then came the global financial crisis and then a flood of cyberattacks.

“Now,” says Rossi, professor of the practice professor of finance at the University of Maryland’s Robert H. Smith School of Business, “the position of chief risk officer has dramatically evolved.”

Much of the evolution, he says, is for the better.

“When I started as a risk officer in 2004, many of the large banks didn’t have a chief risk officer,” Rossi says. Banks were only just beginning to expand their C-suite ranks to include a risk executive. From bank to bank, in those days, each CRO seemed to have a different role.

“Each institution had its own views of what the role of the CRO was,” Rossi says. “Some institutions thought that the CRO had responsibility only over a subset of the bank’s risks.”

A CRO at one bank might be assigned to oversee the institution’s credit risk, for example. While a CRO at another bank might be tasked with overseeing its interest rate risk. And some prominent risks might be assigned to other C-level executives. Compliance risk and regulatory risks, for example, might be assigned to the general counsel’s office, while operational risks might become the purview of the chief operations officer.

“A lot of people just didn’t know what my role and my team’s role encompassed,” Rossi says. “Were we a risk-audit group? Or were we there to be directly arm-in-arm with the businesses to help them manage risks? Or were we to be the great overseer of enterprise-wide risk?”

Meanwhile, banks were consolidating risk personnel. “There was this idea that there was a consolidation of risk personnel that was complicating the lives of the bankers who were trying to get business done,” he recalls.

In the halcyon time before the global financial crisis, those who lobbied for caution at big banks were often met with resistance. Rossi recalls bankers who referred to him and his team as “the business prevention unit.”

Then came the cataclysmic crisis, which proved a pivotal moment for the CRO. In the wake of Lehman Brothers’ unfathomable collapse, risk became a top concern. “Everyone gets religion in the foxhole,” says Rossi.

In 2010, the Dodd-Frank Wall Street Reform and Consumer Protection Act was adopted, and soon the Federal Reserve and the Office of Comptroller Currency were providing guidance to financial institutions about their expectations on how risk should be managed. These “heightened expectations for risk management,” as they were called, zeroed in on the largest financial institutions, those with assets in excess of $50 billion, spelling out the responsibilities and functions of risk management.

Suddenly, Rossi says, bank boards of directors were finding a way to fortify the role of the CRO, protecting it from interference from institution’s senior executives. No longer would CROs report to the chief executive officer or chief financial officer -- “a clear conflict,” Rossi says. The CRO now would be given a direct line of communication to the board of directors.

“The heightened expectations guidance really elevated the stature of the CRO and brought clarity about what the role was all about,” Rossi says, “and for the first time, provided the air cover that was missing for that role.”

Before that guidance, the chief risk officer in many cases would report directly to the chief financial officer, in what Rossi calls, “a clear conflict.”

“Now the CRO is able to say whatever they need to say directly to the board, without fear of retribution that might be imposed upon them by the executive team,” he says.

In the banking sector, the CRO function has become a “mature role,” according to a 2016 KPMG report, with 92 percent being in charge of risk control and risk assumption authorization functions. By contrast, the role of CROs in the insurance industry varies substantially, the report states, due to the fact that the function still lacks maturity. In their roles, insurance company CROs often perform other functions, and risk is of secondary concern. Still, in the insurance industry, the role still is undergoing “very dynamic development,” the report states.

Other industries, Rossi says, are yet to follow.

In the late 1990s, a CRO in the finance sector was typically someone who rose through the ranks in commercial or consumer underwriting. They’d understand bank operations, but their skills would be largely non-technical.

By the time Rossi was hired as CRO in 2004, banks were beginning to leverage analytics and what would later be called “big data.” That focus, which has only amplified with time, would alter the responsibilities of the chief risk officer.

Risks seemed to proliferate with the global economic crisis, forging a broader and more intense scope for the CRO that encompassed financial risk, credit risk, interest rate risk, market risk, liquidity risk and operational risks.

“In the years directly after the crisis, we have learned that operational risk – essentially breakdowns in people, process or technology – is probably one of the largest risks to the banking sector, now and in the future,” Rossi says.

Now, the role is evolving to place greater emphasis on technological risks.

“Many institutions are now automating many of their processes to underwrite the individual borrower, and that poses downstream technology risks or cyber risks,” he says. Blockchain, too, adds another new risk dimension.

Professionals who have information technology and computer science backgrounds, and who augment their background with an MBA or a master’s in finance “will find they are becoming very attractive in the job market, when it comes to landing senior risk roles at financial services companies, and beyond,” Rossi says.

Those candidates will be in demand beyond financial services, as well.

Any industry, commercial, government or non-government organization, that handles social security numbers or credit card numbers, he says, now has a need for a CRO. “Every organization has some form of risk,” he says, be it regulatory, reputational, legal, financial or credit risk. “Somebody at all of these entities has to be on point for collectively overseeing the risk of the institution.”

“Think about it this way,” he says: “Equifax didn’t have a CRO.”