Eighty percent of CROs in our recent analysis of 20 systemically important banks, now report to the chief executive officer, a big change since the financial crisis, when the majority reported to the chief financial officer. This clearly reflects the growing importance of the role of CRO. According to the survey, almost all have seen an expansion in the number of full-time employees in Risk and more than a third have seen the employee base grow by 25 percent or more.
The CRO now spends approximately 60 percent of his/her time dedicated to decision-making activities. And the time spent by the risk function in key areas such as credit risk, market risk, operational risk and compliance risk have all increased over the past three years. The board risk committee has also seen a similar shift in responsibilities, and the time spent advising and approving is likely to increase further over the next few years, as global regulators demand more from BRC members.
A bigger role for the CRO needs to be matched by an enhanced approach to risk throughout the financial institution, and not just within a single department. Many equate a more risk-aware enterprise as being more risk-adverse, but this is a myth. A delineation of the risk parameters partly depends on preparing a risk appetite statement in parallel to the banks strategic plan – thereby aligning overall business goals with the risks they entail. By doing so, banks can actually take on more risk in certain areas, not less. To do so requires the bank to have a mature approach to risk.
Our analysis found a stark contrast between nine banks that formally measure risk culture and nine that do not. As the chart below illustrates, this set of contrasts is useful when developing a picture of a more mature BRC and Risk function. At a financial institution with a more developed approach to risk governance, there are more formal assessments of effectiveness, and risk culture is reported to the BRC. Remuneration and risk culture are linked. And there is some coordination between the Audit Committee and the Risk Committee by means of joint meetings. In isolation, these items are beneficial. Taken together, they improve the overall risk governance of the institution.