The Chief Risk Officer
The Chief Risk Officer (CRO)
Listed firms and organizations must employ an independent senior executive with distinct responsibility for the risk management function and for the comprehensive risk management framework across the entire legal entity. This executive is commonly referred to as the Chief Risk Officer (CRO).
Whatever the title, the role of the CRO should be distinct from other executive functions and business line responsibilities, and there generally should be no "dual hatting" (the chief operating officer, chief financial officer, chief auditor etc. should not serve as the CRO).
Formal reporting lines may vary across firms and organizations, but regardless of these reporting lines, the independence of the CRO is paramount. While the CRO may report to the CEO or other senior management, the CRO should also report and have direct access to the board and its risk committee without impediment.
Also, the CRO should not have any management or financial responsibility in respect of any operational business lines or revenue-generating functions.
Interaction between the CRO and the board should occur regularly, and should be documented adequately.
Non-executive board members should have the right to meet regularly - in the absence of senior management - with the CRO.
The CRO should have sufficient stature, authority and seniority within the organisation. This will typically be reflected in the ability of the CRO to influence decisions that affect the exposure to risk.
Beyond periodic reporting, the CRO should have the ability to engage with the board and other senior management on key risk issues and to access such information as the CRO deems necessary to form his or her judgment. Such interactions should not compromise the CRO's independence.
If the CRO is removed from his or her position for any reason, this should be done with the prior approval of the board and generally should be disclosed publicly.
The Goldman Sachs Group Inc., Annual Report 2021 - about the Chief Risk Officer (CRO)
Risks are inherent in our businesses and include liquidity, market, credit, operational, model, legal, compliance, conduct, regulatory and reputational risks. Our risks include the risks across our risk categories, regions or global businesses, as well as those which have uncertain outcomes and have the potential to materially impact our financial results, our liquidity and our reputation. For further information about our risk management processes, see “Overview and Structure of Risk Management,” and for information about our areas of risk, see “Liquidity Risk Management,” “Market Risk Management,” “Credit Risk Management,” “Operational Risk Management” and “Model Risk Management” and “Risk Factors” in Part I, Item 1A of this Form 10-K.
Overview and Structure of Risk Management
We believe that effective risk management is critical to our success. Accordingly, we have established an enterprise risk management framework that employs a comprehensive, integrated approach to risk management, and is designed to enable comprehensive risk management processes through which we identify, assess, monitor and manage the risks we assume in conducting our activities. Our risk management structure is built around three core components: governance, processes and people.
Risk management governance starts with the Board, which both directly and through its committees, including its Risk Committee, oversees our risk management policies and practices implemented through the enterprise risk management framework. The Board is also responsible for the annual review and approval of our risk appetite statement.
The risk appetite statement describes the levels and types of risk we are willing to accept or to avoid, in order to achieve our objectives included in our strategic business plan, while remaining in compliance with regulatory requirements. The Board reviews our strategic business plan and is ultimately responsible for overseeing and providing direction about our strategy and risk appetite.
The Board receives regular briefings on firmwide risks, including liquidity risk, market risk, credit risk, operational risk and model risk, from our independent risk oversight and control functions, including the chief risk officer, and on compliance risk and conduct risk from Compliance, on legal and regulatory enforcement matters from the chief legal officer, and on other matters impacting our reputation from the chair of our Firmwide Client and Business Standards Committee and our Firmwide Reputational Risk Committee. The Chief Risk Officer (CRO) reports to our chief executive officer and to the Risk Committee of the Board.
As part of the review of the firmwide risk portfolio, the Chief Risk Officer (CRO) regularly advises the Risk Committee of the Board of relevant risk metrics and material exposures, including risk limits and thresholds established in our risk appetite statement.
The implementation of our risk governance structure and core risk management processes is overseen by Enterprise Risk, which reports to our Chief Risk Officer (CRO), and is responsible for ensuring that our enterprise risk management framework provides the Board, our risk committees and senior management with a consistent and integrated approach to managing our various risks in a manner consistent with our risk appetite.
Our revenue-producing units, as well as Treasury, Engineering, Human Capital Management, Operations, and Corporate and Workplace Solutions, are considered our first line of defense. They are accountable for the outcomes of our risk-generating activities, as well as for assessing and managing those risks within our risk appetite.
Our independent risk oversight and control functions are considered our second line of defense and provide independent assessment, oversight and challenge of the risks taken by our first line of defense, as well as lead and participate in risk committees. Independent risk oversight and control functions include Compliance, Conflicts Resolution, Controllers, Legal, Risk and Tax.
Internal Audit is considered our third line of defense, and our director of Internal Audit reports to the Audit Committee of the Board and administratively to our chief executive officer. Internal Audit includes professionals with a broad range of audit and industry experience, including risk management expertise. Internal Audit is responsible for independently assessing and validating the effectiveness of key controls, including those within the risk management framework, and providing timely reporting to the Audit Committee of the Board, senior management and regulators.
Model Risk Management
Model risk is the potential for adverse consequences from decisions made based on model outputs that may be incorrect or used inappropriately. We rely on quantitative models across our business activities primarily to value certain financial assets and liabilities, to monitor and manage our risk, and to measure and monitor our regulatory capital.
Model Risk, which is independent of our revenue-producing units, model developers, model owners and model users, and reports to our Chief Risk Officer (CRO), has primary responsibility for assessing, monitoring and managing our model risk through firmwide oversight across our global businesses, and provides periodic updates to senior management, risk committees and the Risk Committee of the Board.
Our model risk management framework is managed through a governance structure and risk management controls, which encompass standards designed to ensure we maintain a comprehensive model inventory, including risk assessment and classification, sound model development practices, independent review and model-specific usage controls. The Firmwide Model Risk Control Committee oversees our model risk management framework.
Morgan Stanley, Form 10-K for the year ended December 31, 2021 - about the Chief Risk Officer (CRO)
Chief Risk Officer
The Chief Risk Officer, who is independent of business units, reports to the Risk Committee of the Board (BRC) and the Chief Executive Officer.
The Chief Risk Officer:
- oversees compliance with our risk limits;
- approves exceptions to our risk limits;
- independently reviews material market, credit, model, operational and liquidity risks; and
- reviews results of risk management processes with the Board, the BRC, the Operations and Technology Committee of the Board (BOTC) and the Audit Committee of the Board (BAC), as appropriate.
The Chief Risk Officer also coordinates with the Chief Financial Officer regarding capital and liquidity management and works with the Compensation, Management Development and Succession Committee of the Board to help ensure that the structure and design of incentive compensation arrangements do not encourage unnecessary and excessive risk taking.
Independent Risk Management Functions
The risk management functions (Market Risk, Credit Risk, Operational Risk, Model Risk and Liquidity Risk Management departments) are independent of our business units and report to the Chief Risk Officer.
These functions assist senior management and the FRC in monitoring and controlling our risk through a number of control processes. Each function maintains its own risk governance structure with specified individuals and committees responsible for aspects of managing risk.
Risk Committee of the Board
The Risk Committee of the Board:
- assists the Board in its oversight of the ERM framework;
- oversees major risk exposures of the Firm, including market, credit, model and liquidity risk, against established risk measurement methodologies and the steps management has taken to monitor and control such exposures;
- oversees our risk appetite statement, including risk limits and tolerances;
- reviews capital, liquidity and funding strategy and related guidelines and policies; reviews the contingency funding plan and capital planning process;
- oversees our significant risk management and risk assessment guidelines and policies;
- oversees the performance of the Chief Risk Officer;
- reviews reports from our Strategic Transactions Committee, CCAR Committee and RRP Committee;
- reviews new product risk, emerging risks, climate risk and regulatory matters; and
- reviews the Internal Audit Department reports on the assessment of the risk management, liquidity and capital functions.
The BRC reports to the Board on a regular basis and coordinates with other Board committees with respect to oversight of risk management and risk assessment guidelines.
Annual Report 2021, Citigroup Inc. - about the Chief Risk Officer (CRO)
Second Line of Defense: Independent Risk Management
Independent risk management units are independent of front line units. They are responsible for overseeing the risk-taking activities of the first line of defense and challenging the first line of defense in the execution of their risk management responsibilities.
They are also responsible for independently identifying, measuring, monitoring, controlling and reporting aggregate risks and for setting standards for the management and oversight of risk. Independent risk management is comprised of Independent Risk Management (IRM) and Independent Compliance Risk Management (ICRM) and is led by chief risk executives (i.e., Chief Risk Officer (CRO) and Chief Compliance Officer (CCO)) who have unrestricted access to the Citigroup Board of Directors and its Risk Management Committee to facilitate the ability to execute their specific responsibilities pertaining to escalation to the Citigroup Board of Directors.
Independent Risk Management
The IRM organization sets risk and control standards for the first line of defense and actively manages and oversees aggregate credit, market (trading and non-trading), liquidity, strategic, operational and reputation risks across Citi, including risks that span categories, such as concentration risk, country risk and climate risk.
IRM is organized to align to risk categories, legal entities/regions and Company-wide, cross-risk functions or processes (i.e., foundational areas). There are teams that report to an independent CRO for various risk categories and legal entities/regions. In addition, there are foundational teams that report to Foundational Risk Management heads. The Risk Category, Legal Entity/Regional CROs and Foundational Risk Management Heads report to the Citigroup CRO.
Independent Compliance Risk Management
The ICRM organization actively oversees compliance risk across Citi, sets compliance risk and control standards for the first line of defense to manage compliance risk and promotes business conduct and activity that is consistent with Citi’s Mission and Value Proposition and the compliance risk appetite. Citi’s objective is to embed an enterprise-wide compliance risk management framework and culture that identifies, measures, monitors, controls and escalates compliance risk across Citi.
ICRM is aligned by product line, function and geography to provide compliance risk management advice and credible challenge on day-to-day matters and strategic decision-making for key initiatives. ICRM also has program-level Enterprise Compliance units responsible for setting standards and establishing priorities for program-related compliance efforts. These Compliance Risk Management heads report directly to the CCO.
Scope of responsibilities, stature, and independence of the risk management function
The risk management function is responsible for identifying, measuring, monitoring, controlling or mitigating, and reporting on risk exposures. This should encompass all risks, on- and off-balance sheet and at a group-wide, portfolio and business-line level, and should take into account the extent to which risks overlap.
The risk management function - both firm-wide and within subsidiaries and business lines - under the direction of the CRO, should have sufficient stature within firms and organizations, such that issues raised by risk managers receive the necessary attention from the board, senior management and business lines.
Business decisions by the firms and organizations typically are a product of many considerations. By properly positioning and supporting its risk management function, an entity helps ensure that the views of risk managers will be an important part of those considerations.
While it is not uncommon for risk managers to work closely with individual business units and, in some cases, to have dual reporting lines, the risk management function should be sufficiently independent of the business units whose activities and exposures it reviews.
Enterprise Risk Management Defined
Enterprise risk management deals with risks and opportunities affecting value creation or preservation, defined as follows:
Enterprise risk management is a process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
The definition reflects certain fundamental concepts. Enterprise risk management is:
- A process, ongoing and flowing through an entity.
- Effected by people at every level of an organization.
- Applied in strategy setting.
- Applied across the enterprise, at every level and unit, and includes taking an entity level portfolio view of risk.
- Designed to identify potential events that, if they occur, will affect the entity and to manage risk within its risk appetite.
- Able to provide reasonable assurance to an entity's management and board of directors.
- Geared to achievement of objectives in one or more separate but overlapping categories.
This definition is purposefully broad. It captures key concepts fundamental to how companies and other organizations manage risk, providing a basis for application across organizations, industries, and sectors. It focuses directly on achievement of objectives established by a particular entity and provides a basis for defining enterprise risk management effectiveness.
Enterprise-wide risk management program
One of the most important challenges for the Chief Risk Officer is to implement an enterprise-wide risk management program. The CRO can follow the approach of an international standard, like the Enterprise Risk Management — Integrated Framework by the Committee of Sponsoring Organizations of the Treadway Commission (COSO ERM).
According to this framework, the underlying premise of enterprise risk management is that every entity exists to provide value for its stakeholders.
All entities face uncertainty, and the challenge for management is to determine how much uncertainty to accept as it strives to grow stakeholder value.
Uncertainty presents both risk and opportunity, with the potential to erode or enhance value. Enterprise risk management enables management to effectively deal with uncertainty and associated risk and opportunity, enhancing the capacity to build value.
Value is maximized when management sets strategy and objectives to strike an optimal balance between growth and return goals and related risks, and efficiently and effectively deploys resources in pursuit of the entity's objectives.
Enterprise risk management encompasses:
Aligning risk appetite and strategy – Management considers the entity's risk appetite in evaluating strategic alternatives, setting related objectives, and developing mechanisms to manage related risks.
Enhancing risk response decisions – Enterprise risk management provides the rigor to identify and select among alternative risk responses – risk avoidance, reduction, sharing, and acceptance.
Reducing operational surprises and losses – Entities gain enhanced capability to identify potential events and establish responses, reducing surprises and associated costs or losses.
Identifying and managing multiple and cross-enterprise risks – Every enterprise faces a myriad of risks affecting different parts of the organization, and enterprise risk management facilitates effective response to the interrelated impacts, and integrated responses to multiple risks.
Seizing opportunities – By considering a full range of potential events, management is positioned to identify and proactively realize opportunities.
Improving deployment of capital – Obtaining robust risk information allows management to effectively assess overall capital needs and enhance capital allocation.
These capabilities, inherent in enterprise risk management, help management achieve the entity's performance and profitability targets and prevent loss of resources. Enterprise risk management helps ensure effective reporting and compliance with laws and regulations, and helps avoid damage to the entity's reputation and associated consequences. In sum, enterprise risk management helps an entity get to where it wants to go and avoid pitfalls and surprises along the way.
Firms and organizations should ensure through the planning and budgeting processes that the risk management function has adequate resources (in both number and quality) necessary to assess risk, including personnel, access to information technology systems and systems development resources, and support and access to internal information.
These processes should also explicitly address and provide sufficient resources for internal audit and compliance functions. Compensation and other incentives (e.g. opportunities for promotion) of the CRO and risk management staff should be sufficient to attract and retain qualified personnel.
Risks and Opportunities - a challenge for the CRO
Events can have negative impact, positive impact, or both.
Events with a negative impact represent risks, which can prevent value creation or erode existing value.
Events with positive impact may offset negative impacts or represent opportunities.
Opportunities are the possibility that an event will occur and positively affect the achievement of objectives, supporting value creation or preservation.
Management channels opportunities back to its strategy or objective-setting processes, formulating plans to seize the opportunities.
The world is becoming increasingly interconnected. Large companies and organisations are multinational entities with subsidiaries in many countries. As a result, their exposure to risk has increased. They face risks including political, foreign exchange, and terrorist exposure.
Advancements in information technology have also increased risk. Organisations operate in virtual marketplaces, utilize complex financial instruments like derivatives, and are linked to the systems of business partners and vendors in many countries. CROs must find ways to allow organisations to exploit opportunities and explore innovations, understanding that entities prosper by taking risks, and lose money by failing to manage them.
Case Study 1: Job description, Chief Risk Officer, Korn Ferry, Seattle.
The Chief Risk Officer (CRO) is responsible for mitigating those business risks that can impact the company’s profitability while serving our diverse communities. The CRO deals with enterprise risk management issues, reducing those risks that can shut down operations and alienate members. A Chief Risk Officer has to work through department managers to adjust policies and procedures for risk reduction purposes. The CRO will require extensive knowledge of banking activities and regulations. The CRO is a member of the Executive Team and therefore shares accountability for the overall creation and success of key strategic priorities and initiatives.
The CRO position is accountable for the risk management operations of the company, to include the integration of risk concepts into strategic planning, and risk identification and mitigation activities. Principal accountabilities are:
- Create an integrated enterprise risk framework for the entire organization.
- Assess risk throughout the organization.
- Quantify risk limits.
- Develop plans to mitigate risks.
- Advise on directing capital to projects based on risk.
- Assist functional managers in obtaining risk mitigation funding.
- Monitor the progress of risk mitigation activities.
- Create and disseminate risk measurements and reports.
- Communicate to key stakeholders regarding the risk profile of the business.
- Oversee Fraud Prevention, Regulatory Compliance, Audit, Legal, and Quality Assurance.
- Member of the Credit Union’s Risk Committee.
The CRO may be assigned a number of additional tasks besides the main ones already noted. They include:
- Oversee insurance. Decide upon the types and specifics of the various insurance policies that the organization should buy. This includes being the contact person for the insurance providers.
- Recommend insurance alternatives. Recommend any alternative insurance features that are not currently being used, or suggest using insurance products that are entirely new to the company.
- Manage claims. Supervise the filing of insurance claims, monitor their progress with insurers, and verify that payments have been received.
- Conduct due diligence. Investigate the risks inherent in a target company that may be acquired, as well as the state of its risk management practices.
Case Study 2: Job description, Commercial Bank, Chief Risk Officer, JPMorgan Chase & Co. Dallas, TX.
Commercial Banking is focused on helping our clients succeed and making a positive difference in our communities. We provide credit and financing, treasury and payment services, international banking and real estate services to clients including corporations, municipalities, institutions, real estate investors and owners, and nonprofit organizations.
Risk Management helps the firm understand, manage, and anticipate risks in a constantly changing environment. The work covers areas such as evaluating country-specific risk, understanding regulatory changes, and determining credit worthiness. Risk Management provides independent oversight and maintains an effective control environment.
JPMorgan Chase & Co., one of the oldest financial institutions, offers innovative financial solutions to millions of consumers, small businesses, and many of the world's most prominent corporate, institutional and government clients under the J.P. Morgan and Chase brands. Our history spans over 200 years and today we are a leader in investment banking, consumer and small business banking, commercial banking, financial transaction processing and asset management.
We recognize that our people are our strength and the diverse talents they bring to our global workforce are directly linked to our success. We are an equal opportunity employer and place a high value on diversity and inclusion at our company. We do not discriminate on the basis of any protected attribute, including race, religion, color, national origin, gender, sexual orientation, gender identity, gender expression, age, marital or veteran status, pregnancy or disability, or any other basis protected under applicable law. In accordance with applicable law, we make reasonable accommodations for applicants' and employees' religious practices and beliefs, as well as any mental health or physical disability needs.
The health and safety of our colleagues, candidates, clients, and communities has been a top priority in light of the COVID-19 pandemic. JPMorgan Chase was awarded the "WELL Health-Safety Rating" for all of our 6,200 locations globally based on our operational policies, maintenance protocols, stakeholder engagement and emergency plans to address a post-COVID-19 environment.
As a part of our commitment to health and safety, we have implemented various COVID-related health and safety requirements for our workforce. Full vaccination is a requirement for this role for new hires joining JPMorgan Chase. Additional requirements include sharing information including your vaccine card in the firm's vaccine record tool and may include mask wearing and social distancing. Requirements may change in the future with the evolving public health landscape. JPMorgan Chase will consider accommodation requests as required by applicable law.
Note: The requirement to be fully vaccinated to be hired for this role does not apply to roles with a work location in Arkansas, Florida, Iowa, Montana, and Tennessee. For applicants to these roles, JPMorgan Chase will consider all qualified applicants regardless of vaccination status, due to state and local laws.
Our Firmwide Risk function is focused on cultivating a stronger, unified culture that embraces a sense of personal accountability for developing the highest corporate standards in governance and controls across the firm. Business priorities are built around the need to strengthen and guard the firm from the many risks we face, financial rigor, risk discipline, fostering a transparent culture and doing the right thing in every situation. We are equally focused on nurturing talent, respecting the diverse experiences that our team of Risk professionals bring and embracing an inclusive environment.
Commercial Term Lending (Multifamily) provides commercial real estate owners and investors with term loans ranging from $1MM to $25MM+. As the nation's #1 multifamily lender, we offer clients full-service real estate financing products and services that are unparalleled in the market. CTL also provides term financing for commercial properties (industrial/retail/office).
The Commercial Real Estate (CRE) Commercial Term Lending (CTL) Chief Risk Officer shall be responsible for the strategic direction, oversight, and leadership of the CB CTL franchise from a risk management perspective. This position reports to the Chief Risk Officer of Commercial Real Estate (CRE), oversees a portfolio in excess of $80 billion, and leads an organization of more than 150 primarily domestic employees.
- Manage multiple levels of credit risk professionals across geographies, markets, and lines of business.
- Lead and facilitate a robust and diverse talent strategy and development plan across the organization.
- Foster a collaborative and inclusive environment that supports growth and development; lead inclusively and prioritize diversity, equity, and inclusion.
- Partner with executive management across the organization to drive, influence, and collaborate on the accomplishment of business objectives, risk strategy, and overall company goals.
- Establish a performance model to include clear and measurable goals, priorities and accountabilities centered on business results, leadership competencies, and the core values of the firm.
- Initiate, influence and drive change to advance market, function, and organizational growth and progression, including technology and continuous process improvement.
- Identify the key risk factors associated with clients, transactions, and industry sub-sectors.
- Develop and articulate a dynamic, forward-looking risk assessment of borrowers, transactions, competitive threats, and industry and other factors.
- Ensure thorough client due diligence, discipline, and consistent transaction negotiations across the team.
- Oversee identification, monitoring, measuring, and mitigation of various risk categories: credit, operational, market, legal and reputational across the full real estate cycle.
- Embrace technology and innovation to align systems with strategy and to achieve efficient execution and transparent reporting.
- Oversee regular review and analysis of portfolio trends to detect deterioration in portfolio quality. This includes the monitoring and control of the CTL portfolio by ensuring that all exposure is properly approved, reported, and reviewed.
- Recommend and approve appropriate credit structures relative to risk assessment and policy considerations.
- Partner with CECL and CCAR partners across the firm on reserve and stress testing methodology.
Credit Approval Process, Portfolio Management and Control Process
- Review credit approval materials, ensure all credit risk policies are followed, and utilize approval authority and/or, where necessary, present and recommend credits for approval by senior management.
- Lead the team in the analysis, negotiation and execution of financing terms and conditions.
- Ensure risk ratings are accurate across the portfolio and reflect a current forward-looking view of the portfolio's health.
- Provide early identification and proactive management of deteriorating credits and other problem situations and drive the team to successful outcomes.
- Lead periodic portfolio reviews, watchlist and credit surveillance meetings.
- Drive acceptable portfolio management metrics for covenant monitoring, document gathering, approval requirements, etc.
- Achieve satisfactory audit, regulatory exams and credit review results.
- Maintain a control environment consistent with internal policies.
- Participate in business activities providing a risk perspective, strategic planning, resolution of legal issues, assessment, and mitigation of reputational risks, etc.
Case Study 3: Job description, Chief Risk Officer, CTBC Bank Co., Ltd. (India), New Delhi.
The role and responsibilities of the Chief Risk Officer (CRO), India Branches:
- Heading the Risk function of CTBC Bank India Branches (CTBC India) and setting the vision and strategy for the risk function for CTBC India, in line with the regulatory framework and CTBC Bank global risk policy and guidelines.
- Building a robust risk management framework and architecture for CTBC India, bringing together a number of teams (operational risk, credit administration, enterprise risk management, interest rate and market risk, stress testing, modelling and analytics) and managing CTBC India-wide risk.
- Building and leading a highly collaborative and proactive risk function that is able to navigate the increasingly complex business and regulatory environment of CTBC India.
- Ensuring a system-wide view and understanding of the combined risks of the business and their inter-relationships (interest rate risk, liquidity risk, operating risk, credit risk, reputational risk, regulatory risk).
- Formulating and articulating a coherent risk appetite and infrastructure, including operating and financial models and hiring plans.
- Embedding a positive culture of confident and informed risk-taking through training, communication and promotion of the agreed risk framework in collaboration with various departments of CTBC India as well as Head Office.
- Interacting with regulatory bodies like the Reserve Bank of India with respect to matters related to the risk management framework of CTBC India.
- Responsible for compiling, assessing and reporting risk information to the Risk Management Committee and CTBC Bank Global Risk functions.
- Bringing in and instituting best-in-class risk management practices through appropriate benchmarking of CTBC India risk practices with peers of CTBC India.
- Will play the role of Risk Advisor but will not be dual hatting the roles of any other function.