Chief risk officers have the hardest jobs on Bay Street.
They are the real reason our banks, insurers and pension funds remain the envy of the world. But being a CRO is often a thankless profession. When they head off danger, they get none of the glory. But when disaster strikes, they get all the blame.
Sounds like fun, eh?
Those unsung heroes deserve their due because of the increasing complexity of risk management. Not only are they troubleshooting financial risks stemming from liquidity, interest rates and credit markets, but they are also mitigating emerging risks that are much harder to quantify.
CROs are finding themselves in the hot seat because financial regulators are paying closer attention to non-financial risks including artificial intelligence, climate change, crypto and foreign interference. The Office of the Superintendent of Financial Institutions, for instance, is mulling new guidelines that cover integrity and security along with operational risk and resilience.
“We have for some time recognized that risks that are not directly financial in nature – cyber and tech, third party, culture, compliance – can equally strike at the heart of the safety and soundness of financial institutions,” assistant superintendent Tolga Yalkin said during a recent news media briefing.
“Public confidence depends not just on knowing that financial institutions are and will remain financially sound, but also in knowing that they conduct their business with integrity and that they are addressing threats that seek to undermine the services they provide or compromise the data they hold,” he later added.
Absolutely. Just look at the headlines generated by international banks this year that cut corners on risk management.
Faulty financial risk controls were blamed for the failures of Silicon Valley Bank and the rescue of Credit Suisse. But cultural risks, including executive misconduct, also caused reputational damage to British banking giant Barclays PLC.
Earlier this month, former Barclays chief executive Jes Staley received a regulatory ban from Britain’s Financial Conduct Authority for mischaracterizing the nature of his relationship with Jeffrey Epstein, a wealthy convicted sex offender who died by suicide in jail in 2019.
The scandal also engulfed JPMorgan Chase, because Mr. Epstein was a client of the U.S. bank when Mr. Staley worked there prior to taking the top role at Barclays. Last month, JPMorgan agreed to a US$75-million settlement with the U.S. Virgin Islands and resolved a second lawsuit with Mr. Staley.
Last month in the U.S., the Federal Bureau of Investigation, the National Security Agency and the Cybersecurity and Infrastructure Security Agency issued a joint warning about deep-fake threats, including AI-generated voices that are being used by fraudsters to bypass the voice recognition security features used by banks and other companies.
Separately, a number of banks, including JPMorgan, Wells Fargo and BNP Paribas, were fined by U.S. regulators after their employees misused messaging apps such as WhatsApp, iMessage and Signal to conduct business, violating rules about safeguarding work communications.
This slew of non-financial risks is contributing to increased workloads for CROs and their teams, according to a 2023 Thomson Reuters Regulatory Intelligence report. But that increased pressure isn’t necessarily translating into bigger budgets.
“Low staff morale is emerging as a conduct risk for many firms, which may lead to more widespread non-compliance due to staff error or manipulation,” the report said.
There is no shortage of risks, so the independence of risk managers has never been more important, said Piyush Agrawal, who is Bank of Montreal’s CRO.
“There are always in a big organization multiple views on what things might be,” Mr. Agrawal told delegates at the Global Risk Institute’s annual summit in Toronto. “But for risk management to have the last word and have the stature to execute on beliefs is very important.”
It’s true that when things go awry for a bank, it is usually because executives overruled the sound advice of their risk and compliance staff in the blind pursuit of profits.
Mr. Agrawal also pointed to what he called a “unique convergence of risks” that are harder to immediately gauge, such as social-media risk.
“Think about today the frustration between a customer not logging in and the microsecond it takes to go to social media and complain,” he said. “And if you’re an influencer, God help you, right?”
In addition to numbers and analytics, assessing risk involves having difficult conversations, Deb Barnes, CRO of the Ontario Municipal Employees Retirement System, told attendees at the same conference.
“If we can’t get risk culture right, we can’t enable people to have the tough conversations at the right table with the right individuals. That is one of the biggest risks that an organization faces,” Ms. Barnes said.
Equally important are having proper escalation channels in place and aligning incentives with behaviours, she added.
Antoine Avril, executive vice-president of risk management at Desjardins Group, said effective risk managers are naturally curious and skeptical thinkers.
“Just go beyond the assumptions – question, ask. And it’s fun. I think it’s how we get better.”
So, be kind to CROs. They speak truth to power. Their version of “fun” must feel like flagellation.