The role of chief risk officer is no longer relegated to the largest banks. Ever since the Great Recession of 2007 to 2008, banks of all sizes have begun incorporating chief risk officers into the C-suite.
Nowadays, the role could be more useful than ever as community banks confront an assortment of risks and opportunities, including cybersecurity, emerging business lines such as banking as a service, as well as rising inflation and a potential recession.
In the earliest days of the pandemic, Executive Vice President and Chief Risk Officer Karin Taylor and the teams that report to her helped executives at Grand Forks, North Dakota-based Alerus Financial Corp. understand the potential impacts on the business and coordinate the bank’s response. They addressed employee concerns, made decisions about how to sustain the business during the pandemic, performed stress tests and helped human resources with establishing new policies and communication.
“[CROs] bring some discipline in planning and operations because we facilitate discussion about risks, help identify risk and help risk owners determine if they’re going to accept risk or mitigate risk. And then we do a lot of reporting on it,” she says. “If anything changed in the pandemic, perhaps it was a better understanding of how [the risk group] could better support the organization.”
At $3.3 billion Alerus, Taylor reports directly to the CEO and serves as the executive liaison for the board’s risk and governance committees. Her reporting lines include the enterprise risk group as well as the bank’s legal, compliance, fraud, credit and internal audit teams (internal audit also reports to the audit committee). Those kinds of reporting lines allow CROs to help manage risk holistically and break down information silos, says Paul Davis, director of market intelligence at Strategic Resource Management. Their specific risk perspective makes them useful liaisons for community bank directors, who are usually local business people and not necessarily risk managers.
“You’re going to have one member of the management team [at board meetings] talk about opportunities,” he says. “It’s the CRO’s job to say, ‘Here are the tradeoffs, here the potential risks, here the pitfalls and the things we need to be mindful of.’”
Southern States Bancshares, a $1.8 billion institution based in Anniston, Alabama, decided to add a CRO in 2019 as the company prepared to go public. Credit presented the largest risk to the bank, so then-Chief Credit Officer Greg Smith was a natural fit.
His job includes reviewing risk that doesn’t neatly fit into other areas of the bank. He also serves as liaison for the risk committee and sits in on other meetings, like ALCO, to summarize the takeaways.
“While I was focused on risk the entire time I’ve been at the bank, this broadened that horizon and it expanded my perception of risk,” he says.
For instance, the bank’s rollout of the new loan loss accounting standard made him consider risk in the bond portfolio. Working with several attorneys on the board made him think about reputation risk when the bank launched new products and services. That expanded perspective allows him to raise considerations or concerns that different committees or areas of the bank may not be focused on. He can also help the bank price its risk appropriately.
Taylor sees her role as helping Alerus and its directors and executives make empowered decisions; her job isn’t just to say “No,” but to help the bank understand and explore opportunities based on its risk appetite. However, she doesn’t think all community banks need a CRO. Banks of similar asset sizes may have very different levels of complexity and strategies; adding another title may be a strain on limited resources or talent. The most important thing, she says, is that executives and the board feel that they have the right information to make decisions. To that end, Taylor shared a list of questions directors should ask when ascertaining if banks have appropriate risk personnel.
Questions for Directors and Executives to Ask:
- Do you feel you have a holistic view of risk for your organization?
- Do you think you have the information you need to understand your risk profile and identify potential pitfalls or risk to your strategy, as well as being able to address opportunities?
- Is there a good understanding of the importance of, and accountability for, risk management throughout the organization?
- Can these questions be answered by existing staff, or should we consider hiring for a chief risk officer position?