How the role of the chief risk officer is changing

The role of the chief risk officer is changing for good. It will not come as a surprise to many that technology will help this change, but there are other factors at play, including a merger with the chief financial officer.

Before looking at how the role is going to change, we first need to understand what the current chief risk officer (CRO) does. The person in this executive position is responsible for identifying, analysing and mitigating both internal and external risks. Their key roles include ensuring compliance with government regulations such as Basel and Sarbanes-Oxley, and reviewing other factors that could impact the business.

A panel at last week’s Virtual Global RegTech Summit discussed the changing role of the chief risk officer and how that change is coming about. Joining the panel were Ascent founder and CEO Brian Clark, MUFG Securities chief risk officer Jeff Simmons, Bank of America director Kaivalya Vishnu and Wolters Kluwer senior pre-sales consultant Aoife May. Serving as the panel’s moderator was SIFMA managing director Melissa MacGregor.

All of the panellists agreed that the role of the CRO is about to transform and that the main driver of this will be the development of technology. Jeff Simmons from MUFG began the discussion by stating that the role of the CRO will become a “combination of risk and finance.” He explained that the role of risk management was essentially a child of finance around 20 to 30 years ago when there was a breakaway of risk and treasury functions. As risk management became more quantitative, risk and finance separated and became their own unique departments.

Simmons said, “Now with things like ICAP, stress testing and other business modelling tools, risk and finance are starting to come back together. The EBA stress test is all about stress and business plans, which is a combination of risk and finance. So I kind of see the CRO becoming the CFO as well.” He went on to sing the praises of technological developments, stating that while it might be a “bit of a cliché”, technology will enable the CRO to see the risks at the top of the house. It will also improve their ability to work with the business by supporting and challenging it in making money.

Brian Clark, the CEO and founder of regulatory compliance software company Ascent, echoed the words of Simmons and added, “The way I’ve defined it as risk is the new operations.” He added, “It’s interesting that there’s this quantification that you [Jeff] were discussing. That’s really the key. Things that used to be a bit more intangible, a little bit more traditionally risk-based, were qualitative and now they are becoming very quantitative. We’re seeing this happen in a variety of different areas. It’s kind of the remainder sum. How do you capture that remainder sum that can impact the trajectory of the business?”

He went on to explain that when you try to quantify those risks, it is about working out how you can find those risks, measure them and then mitigate them. The main area where people fall short, Clark said, is actually finding those risks, as it is difficult to sift through the high volumes of data for various circumstances. The way to efficiently find all of the risks is through technology. This enables the CRO to actually determine what all of the risks are and mitigate them with much more certainty. With risk evolving, Clark said firms need to become more quantitative. But how does a firm do that?

“What I see is that it was traditionally a top down approach,” he said. “You’d have experts and people up high provide ideas, assemble a lot of different data sets from these behaviours and opinions. But, what we’re seeing instead is what I call a bottom up approach, line by line in whatever discipline you’re in, to actually figure out the complete set of risks on every single item. That still solves the problem, but it solves the problem with much more certainty, through a much more data-driven approach, and ultimately reduces the potential harm that could come to the firm if a risk is missed.”

Artificial intelligence (AI) has often been pegged as the revolutionary piece of tech that is helping to reinvent so many industries. Even in this year’s Virtual Global RegTech Summit, another panel took to the digital stage to outline its uses and the best ways to employ them. Simmons replicated the admiration for AI, stating, “I’m very excited about where AI is going.” This love of the technology boils down to the fact that it will enable CROs and other members of management to find risks that they do not know about.

He said, “The challenge of a chief risk officer is not about what ends up on your reports or what analyses and stresses you asked for, it’s the ones that you don’t ask for that you get caught by. I think AI can help identify that by coming up with scenarios or situations that perhaps a human being wouldn’t have thought of.”

The benefits of using technology have been well documented over the years, hence it is starting to feel like a cliché to speak of them. But that does not detract from their impact. Their implementation is freeing up the time of CROs so they can put more focus on the meaningful parts of their job. Wolters Kluwer senior pre-sales consultant Aoife May said, “We often use the tongue in cheek term of use your degree and not your Excel skills.” What this means is that their staff, which is made up of intelligent people, can do away with the mundane tasks and do the things they were really hired for.

She went on to explain that AI is an umbrella term and is stopping people from thinking about what all the different parts can do. For example, robotic process automation can enable teams to get data every hour from websites and see if there is something new, which is not viable for a human to do as it would be too much work. Then going even further, natural language processing can enrich the data and pull out the key parts of the rulebook to optimise enforcement. This technology enables the CRO to avoid missing risks.

She said, “It is reducing risk, not just of knowing the risks, but the risk of missing something. So if you think nobody misses MiFID, nobody hopefully hasn’t heard of Brexit and nobody misses GDPR, but it’s those smaller regulations. It’s that piece of guidance that was issued late on a Friday afternoon that you didn’t notice on the regulator’s website, it was the Q&A that was published that you didn’t actually get ever analysed.”

Copyright © 2018 RegTech Analyst