Recent newspaper reports highlighted the fact that the role of Chief Risk Officer (CRO) is not clearly understood by bankers, including board members. The Bangladesh Institute of Bank Management (BIBM) conducted a survey which found that more than half of bank CROs feel their boards do not know what their operative role is. The survey further revealed that the CROs have no full-time role in their respective banks. This is not surprising at all because the concept and position of CRO are very new in the banking industry.
BACKGROUND OF CREATING CRO: In fact, when the financial market crashed in the US in 2008 following scandals and irregularities arising out of so-called subprime mortgages as well as financial derivatives, the regulators found serious weaknesses and loopholes in banks' control and compliance procedures. This financial debacle contaminated the developed world, including Europe, which made regulators and policymakers strongly believe that compliance weaknesses were a common problem not only in the US financial market but also in the whole financial industry of the developed world. The situation was further aggravated when many internationally reputed large banks were involved in committing various irregularities, for which US and European regulators had to impose billion-dollar penalties and file many lawsuits. This unprecedented financial debacle, together with the gross violations and massive compliance failures of large banks and financial institutions, compelled the authorities to act seriously on strengthening the control and compliance procedures of banks. Financial and reputational risks came up in discussions across the global financial market. Identifying risks, determining risk appetite, developing risk parameters and establishing control over each risk area became the topmost priority of banks. Prior to the creation of this new position, the Chief Executive Officer (CEO) was held responsible for compliance failure and was therefore looking for a suitable alternative that would shift primary responsibility for the control and compliance of banks from him/her to some other person. Against the backdrop of these changing circumstances, the positions of Risk Officer (RO) and Chief Risk Officer were established in banks' organograms, with utmost importance attached to them.
Subsequently, two international bodies, which mainly govern banking rules, regulations and standards all over the world, adopted this concept, making it mandatorily applicable in each bank's operation. The Bank for International Settlements (BIS) has recommended that a bank should have a risk management function (including a CRO or equivalent for large and internationally active banks), a compliance function and an internal audit function, each with sufficient authority, stature, independence, resources and access to the board. Similarly, Basel-III has included in its policy and recommendations that banks must have an effective independent risk management function under the direction of a CRO with sufficient stature, independence, resources and access to the board. The independent risk management function is a key component of banks' second line of defence.
CROs FOR BANKS IN BANGLADESH: Since BIS has recommended the position of CRO for each bank and Bangladesh is in the process of implementing Basel-III, all banks in our country will have to establish control and compliance procedures along with creating the new designation of CRO. However, the mere creation of such a designation, without formulating a detailed workflow and modus operandi and determining specific job responsibilities as well as accountability, may not serve the purpose. This is exactly what has happened with the CRO's role in our banking industry. Needless to say, if strategies and procedures designed for banks of developed countries are replicated without being properly customised and adjusted in line with our own industry's norms, their implementation will become clumsy and no optimum benefit can be derived. We have experienced a similar situation in the past with LRA (Lending Risk Analysis), the ALM (Application Lifecycle Management) Committee and CRM (Credit Risk Management), which were adopted exactly as per the specifications of foreign consultants and from which, therefore, no tangible benefit was derived.
IMPORTANCE OF CRO: Nowadays, the CRO's role has become paramount in ensuring banks' control and compliance and thus mitigating risks. Banking is known as a high-risk business because it deals in money and, more precisely, in other people's money. So ensuring the safety of the depositors' money is the prime responsibility of banks. Every step in dealing in others' money involves risks. Besides, banks are also considered the most regulated form of business entity because they have to operate under many regulatory authorities, which mostly include the central bank, Securities & Exchange Commission, tax authority, Registrar of Joint Stock Company and many SROs (Self-Regulatory Organisations), viz. the accounting board / association and stock exchanges of the country. In addition, many laws, rules and regulations, including some international laws, are meticulously followed in running a banking business. Moreover, the nature, scope and complexity of banking business have rapidly changed, calling for more stringent rules and regulations to be in place. In this situation, ensuring compliance has become an important aspect of bank management, and a particular person with exclusive responsibility in this regard is inevitably required.
BOARD'S DECISION: The eventual responsibility for practising standard risk management in a bank lies with the Board of Directors (BoD). In fact, the board represents the owners of the organisation, so its members are accountable to the shareholders as well as other stakeholders. A bank's operational efficiency and the achievement of its goal of maximising shareholders' value depend considerably on how well the risks associated with banking business are managed. So it is the board's prime responsibility to establish proper risk management techniques in all operational areas of a bank. On the other hand, a bank is run as desired by the Board of Directors. The role of the BoD is more dominant in banking operations in our country. To speak the truth, the chairman of the BoD and the MD are the two key persons who technically run a bank, while management teams simply follow them. The BIBM survey has rightly pointed out that Chief Risk Officers' opinion is hardly counted while making important judgements. Not only the CRO's: the opinions of other executives or departmental heads, viz. the credit chief, audit head and treasury head, are not taken into consideration either. This culture has not been developed yet. However, the BoD will now have to revisit its business strategy and thus develop delegation and accountability norms for the bank management. Establishing an effective CRO in the organisation and empowering him/her with authority should be a major function of our banking industry.
RISK PARAMETERS: It is commonly said that a bank is exposed to risk in its every action. Operations from teller service to sanctioning loans and preparing accounts involve risks of different magnitudes. So identifying risk areas, assessing risk appetite and determining risk parameters are the most important functions of the CRO. These risk aspects, however, vary widely from region to region, country to country and bank to bank. An area considered high risk in one country may be considered nominal risk in other countries. Sanction screening is considered a very high-risk area in banks of developed countries, while the same is treated as nominal risk in an emerging country's banks. Nevertheless, there are some common risk areas in every bank, which include credit risk, liquidity risk, reputational risk, regulatory risk, financial risk, audit risk, foreign trade risk and money laundering risk. The degree of these risks and the consequences of failure differ considerably, and it is on this basis that parameters are determined and appropriate controls are put in place. In this context, the role of the CRO is very crucial because he/she will be exclusively assigned the responsibility for risk-related jobs.
The writer is a banker based in Toronto, Canada. firstname.lastname@example.org