Pub. 2 2013 Issue 2

22 l e a d i n g a d v o c a t e f o r t h e b a n k i n g i n d u s t r y i n k a n s a s THE RISE OF THE CHIEF RISK OFFICER By Michael Cohn, CPA CISA CGEIT G IVENTHECURRENTENVIRONMENTANDCHANG- es in the industry the chief risk officer has become one of the most important people in your financial institu - tion today. That’s because community-based financial institutions are increasingly becoming more risk-oriented in their strategic and operational focus due to the increasingly competi- tive and regulated environment. Enterprise risk management is being implemented more at the community institution level, and experts are in need to ensure it is being practiced properly. Since the position of chief risk officer is new to community banking and still evolving, it’s helpful to take a broad view of how someone can become a CRO and what is generally expected of CROs from the board, executives, and staff. The internal forces at play There are internal forces at your institution that are calling on expertise and knowledge gained over years of service perhaps in operations, audit, credit, or IT. These forces are now looking to the CRO to build and imple- ment an enterprise risk management program that will make the institution more competitive and financially secure. w TheCEOneeds greaterinsight overall elements of riskandcompliance The number and frequency of risk assessment analyses grow every day, mostly spurred by business changes and regulatory expectations. Central management and oversight by a risk manager should improve consistency, which will in turn increase efficiency. With more integrated technology systems, greater reliance on third parties, and continued earnings pressures, better information at a lower cost is required today. w The board requires a holistic view of all risks As the institution takes on more risk the Board will demand that a holistic view of all the risks and their relative level of danger be devel- oped. To be fully informed, the Board may also require an analysis on the sufficiency of current spending on risk management. The CRO can provide this information by taking stock in the current activities and organizing them along the functional risk areas. w The CEO and board need a process to vet risks of new strategies The CEO and Board will begin to turn to the CRO to provide a process to vet the risks inherent in new products and business strategies for the institution. The obligation of the CRO is to tease out and communicate the key threats that could threaten the viability of the franchise. The external forces at play There are also significant external forces that are causing the CRO to be needed by the institution. These forces are pushing institutions to be more risk-focused than ever before, which in turn, raises the responsi- bilities on the CRO. w New lines of business Whether the objective is to put newdeposit balances towork, compensate for lower fee income due to reductions in overdraft and interchange fees, or offer more competitive products, your institution is likely growing the number and types of product offerings. These activities increase and broaden the spectrum of risk taken on by the institution. Amajority of institutions believe they are conservative in their business practices. The process of change plus the introduction of new products gives rise to a risk shift. The CROmust be able to articulate the level and impact of change to the institution’s risk DNA, and ensure all governance bodies accept the changes. w Becoming a $1 billion institution Many community-based institutions have seen steady growth in deposits and assets over the past few years. As a result, a number of institutions are approaching $1 billion in assets and facing FDICIAcompliance. The effort to build a FDICIAprogramby itself is not so expansive, but, in many cases, it serves as the tipping point for the addition of a riskmanagement position to oversee this and the growing list of new compliance initiatives. w Increasing regulatory expectation Increasing regulatory pressures on community-based institutions are another force causing the institution to establish and formalize the role of the CRO. With continued growth there is likely an increase in opera- tional complexity. To manage the complexity and maintain an adequate level of safety and soundness, regulatory expectations are growing for the creation of the formalization of risk management function and a dedicated CRO in the institution. The CRO must be able to design sustainable processes to mitigate risk,