Fintech partnerships appeal to banks for a range of reasons, including the ability to adopt a new technology customers want without a dramatic internal overhaul or the opportunity to add new sources of fee income. But bank leaders also need to understand the risks inherent to fintech partnerships. Jame Sloan, chief risk officer at BrightFi, shares some best practices bankers can adopt to better understand and manage third-party risks.
The role of chief risk officer is no longer relegated to the largest banks. Ever since the Great Recession of 2007 to 2008, banks of all sizes have begun incorporating chief risk officers into the C-suite.
Nowadays, the role could be more useful than ever as community banks confront an assortment of risks and opportunities, including cybersecurity, emerging business lines such as banking as a service, as well as rising inflation and a potential recession.
In the earliest days of the pandemic, Executive Vice President and Chief Risk Officer Karin Taylor and the teams that report to her helped executives at Grand Forks, North Dakota-based Alerus Financial Corp. understand the potential impacts on the business and coordinate the bank’s response. They addressed employee concerns, made decisions about how to sustain the business during the pandemic, performed stress tests and helped human resources with establishing new policies and communication.
“[CROs] bring some discipline in planning and operations because we facilitate discussion about risks, help identify risk and help risk owners determine if they’re going to accept risk or mitigate risk. And then we do a lot of reporting on it,” she says. “If anything changed in the pandemic, perhaps it was a better understanding of how [the risk group] could better support the organization.”
At $3.3 billion Alerus, Taylor reports directly to the CEO and serves as the executive liaison for the board’s risk and governance committees. Her reporting lines include the enterprise risk group as well as the bank’s legal, compliance, fraud, credit and internal audit teams (internal audit also reports to the audit committee). Those kinds of reporting lines allow CROs to help manage risk holistically and break down information silos, says Paul Davis, director of market intelligence at Strategic Resource Management. Their specific risk perspective makes them useful liaisons for community bank directors, who are usually local business people and not necessarily risk managers.
“You’re going to have one member of the management team [at board meetings] talk about opportunities,” he says. “It’s the CRO’s job to say, ‘Here are the tradeoffs, here the potential risks, here the pitfalls and the things we need to be mindful of.’”
Southern States Bancshares, a $1.8 billion institution based in Anniston, Alabama, decided to add a CRO in 2019 as the company prepared to go public. Credit presented the largest risk to the bank, so then-Chief Credit Officer Greg Smith was a natural fit.
His job includes reviewing risk that doesn’t neatly fit into other areas of the bank. He also serves as liaison for the risk committee and sits in on other meetings, like ALCO, to summarize the takeaways.
“While I was focused on risk the entire time I’ve been at the bank, this broadened that horizon and it expanded my perception of risk,” he says.
For instance, the bank’s rollout of the new loan loss accounting standard made him consider risk in the bond portfolio. Working with several attorneys on the board made him think about reputation risk when the bank launched new products and services. That expanded perspective allows him to raise considerations or concerns that different committees or areas of the bank may not be focused on. He can also help the bank price its risk appropriately.
Taylor sees her role as helping Alerus and its directors and executives make empowered decisions; her job isn’t just to say “No,” but to help the bank understand and explore opportunities based on its risk appetite. However, she doesn’t think all community banks need a CRO. Banks of similar asset sizes may have very different levels of complexity and strategies; adding another title may be a strain on limited resources or talent. The most important thing, she says, is that executives and the board feel that they have the right information to make decisions. To that end, Taylor shared a list of questions directors should ask when ascertaining whether their banks have appropriate risk personnel.
Questions for Directors and Executives to Ask:
Do you feel you have a holistic view of risk for your organization?
Do you think you have the information you need to understand your risk profile and identify potential pitfalls or risk to your strategy, as well as being able to address opportunities?
Is there a good understanding of the importance of, and accountability for, risk management throughout the organization?
Can these questions be answered by existing staff, or should we consider hiring for a chief risk officer position?
Chief risk officers, risk committees and enterprise risk management—which go together like toast, eggs and ham—are still relatively new concepts in banking even though they have been mandated by the Federal Reserve Board since 2014 for institutions of a certain size. Banks with $10 billion in assets or greater are required to have an enterprise-wide risk committee, and banks above $50 billion must also have a chief risk officer. Union Bankshares Corp., a $7.8 billion asset institution headquartered in Richmond, Virginia, has all three. Under the leadership of Executive Vice President and Chief Risk Officer David G. Bilko, the holding company for Union Bank & Trust implemented its ERM program two years ago. Bilko is an enthusiastic supporter of an ERM approach, which he believes provides a clearer, more unified view of the bank’s risk profile than its previous approach, which tended to be fragmented. In an interview with Bank Director Editor in Chief Jack Milligan, Bilko talks about the challenges of implementing an ERM program, among other topics.
Define your role at Union. What are you responsible for?
Bilko: In a nutshell, my responsibility can be boiled down to this: I own the design, implementation and governance of the enterprise risk management program.
We utilize the traditional three-lines-of-defense model. From a risk management perspective, the first line—which is the front line of the business units and support functions—really owns and is responsible for managing risk. The second line, which is the ERM function that I manage, provides the program, tools, standards and consistent practices that we use to help the first line in their risk management responsibilities. The third line of defense, which is the internal audit function, does the test work to ensure that those things are working properly.
How long has Union had an enterprise risk management program in place? What were some of the big challenges you had to deal with in terms of implementation?
Bilko: We’ve had our ERM program fully in place for about two years now. It took us eight months or so to get the foundation laid and put the elements of the program in motion. We started with more of a top-down approach to make sure we had the right governance structure—the reporting structures to the board and executive management—set up. Concurrently, we implemented what I would call the bottom-up part of it, which is the grass-roots risk and control assessment process.
It takes time to get that into motion and by the latter half of 2014, we were finished, or at least established in a consistent fashion. We’ve just continued to build on it from there. It’s really a maturation process. It’s never over. You always have to continue to mature and get better at it.
In terms of challenges, one is awareness. In an organization such as ours, where risk management was more distributed across the organization, we were doing it but it was ad-hoc in nature and not tied together in a central program, or a consistent discipline across the organization.
You have to make people aware of what enterprise risk management is, and what it isn’t, and who’s doing what, and how it’s supposed to work, and what the governing principles are. The awareness piece of it is an educational process that takes time, and is a challenge, in terms of how you go about that.
Which also leads into another challenge, which is role clarity. I mentioned the three lines of defense; people need to know what is expected of them under the program.
ERM gives you a holistic view of risks throughout the enterprise. That sounds like something that’s good to have, but does it really, in a very tangible way, enable management and the board to control risk more effectively than when risk management was siloed—or as you put it, distributed—throughout the organization?
Bilko: In my opinion, it does because it allows you to break down your risks into portfolios that receive very focused attention on a regular basis. There’s constant assessment and identification of risk that leads to control or mitigation, and it all rolls up into a risk profile at the portfolio category level, which would include such risks as credit, market, operational, strategic and reputation, that then can be consolidated into an aggregate portfolio for the institution. We provide quarterly updates on those risk portfolios as well as the aggregate risk profile, so that anything that needs to be addressed is addressed more quickly.
We’re able to get a more forward-looking view rather than always looking behind us, which is more of the old way. This is much more dedicated to seeing the train coming at us rather than looking at it right after it’s run over us.
What advice would you give another bank that is starting down the path of ERM design and implementation, based on your experience?
Bilko: First of all, there’s a ton of information and knowledge available today on ERM. You can find whatever you want just by searching the internet, not to mention all the consulting firms that offer advice on it. There’s no shortage of information.
I think the biggest thing you have to do is align the program with your culture. If you do something because it’s traditional, or best practice, but is counter to your culture, it’s going be way more difficult to implement.
One of the things that I focused on here was to make sure I understood our culture, so that we could implement or build a program that was aligned with that, recognizing that culture changes over time.
I also think it’s important to keep it simple so that it’s easier to create and to understand for the people who are involved in it.
What’s your reporting relationship with Union’s CEO, William Beale, and with the board of directors? How do you line up with both of them from a communication and accountability perspective?
Bilko: I report directly to our CEO. He actually sits in the office right next to mine, and he keeps me close by. We talk a lot. He’s very inquisitive and very focused on ERM, and he uses me a lot as a sounding board on a lot of different risk and control issues.
The way we’re set up is, I have a direct reporting line into the CEO and a dotted line into the risk committee of the board. I kind of view it as a triangle: The CEO, the board’s risk committee and myself. We try to keep the triangle intact, and be very transparent with everything we’re doing. I think that’s a good way to do it. The risk committee is very involved in the oversight of the enterprise risk management program. Our CEO’s participation and interaction in my process allows us to be better and more effective in terms of governance reporting and actual practice.
Union has both an audit committee and a risk committee. How has the board divided up risk governance between the two, and how often, and in what way, do you communicate with both committees?
Bilko: The risk committee of the board is charged with the oversight of enterprise risk management. All the elements of that program are under their umbrella, and we report on them. To draw the distinction between the risk and audit committees, I participate in the audit committee meetings just like our chief audit executive participates in our risk committee meetings. There is a lot of sharing going on there and a lot of interaction. I hear what the conversations are within the audit committee realm from a control perspective and risk mitigation perspective. In the same vein our chief audit executive hears that from the risk committee side. There’s a fairly deep connection there.
Additionally, our audit committee and risk committee have a joint meeting once a year where all the directors on those committees are in the same room and we build an agenda that reflects what the risk management program is doing and reporting on, as well as what the audit group is involved with and some of the significant issues that they’re reporting on.
And finally, we have two directors that are on both the audit committee and the risk committee, so there’s that cross-over that’s happening as well.
I wouldn’t characterize it as dividing up risk between the two committees. I would characterize it as more open and broader communication across the committees so that both are aware of what’s going on, what issues need to be discussed, elevated and acted on. The full board is getting the benefits of those reports from both committees, and they’re both in the know.
Regulation becomes much tougher when a bank crosses over the $10 billion asset threshold. My understanding is that the regulators don’t wait until you get there and then suddenly look at you differently. As you get closer to that magic number, they want to know where you’re going as an organization. They want to know what your growth plans are, they want to know where you think the bank might be in five years, and they want you to start building an infrastructure that is scalable and appropriate for a larger bank, even if you haven’t reached that point legally. Is that how it works, in your experience?
Bilko: Yes. The way you described that is pretty spot on. The regulatory agencies, and our primary regulator is the Federal Reserve, want to understand your objectives, your strategies, and if those strategies are growth oriented. We have regular conversations with our counterparts at the Federal Reserve to keep abreast of those types of things and what we can expect. Clearly, it’s a matter of readiness and scalability. If you’re going to grow, you need to be ready to grow. When they talk about it, that boils down to infrastructure and processes that are capable of handling that growth dynamic. It’s something that we’ve certainly experienced over the last few years as we’ve continued to execute our growth strategy.
What do you think that the greatest risk challenges are facing banks today, including Union? What do you worry about most? What would keep you up at night?
Bilko: I get asked that question a lot, actually. I think what’s top-of-mind always—and it seems to be what we read about the most—is the risk associated with technology, vulnerability to data loss, information security, breaches, those sorts of things. We can play defense, but the bad guys are really good at playing offense, so our defense lags. We don’t consider ourselves necessarily to be a prime target, but the effort to keep our data protected is an ongoing imperative.
Process discipline has also become very important. Operationally, we want to be very sure that we have appropriately determined the risk around our processes, and that they are controlled adequately and are kept up to date. Typically, where you have gaps in your processes is where you have breakdowns.
I would summarize by saying that a lot of risk management is change management—adapting your risk practices to the constant changes that are occurring. We live in a rapidly changing world, both regulatory and otherwise, and we have to be able to adapt quickly.
What’s your professional background, and what path did you follow to become a chief risk officer?
Bilko: I have spent my entire career in banking, at both big banks and small banks. I worked for a couple years in retail banking, and then a couple of years in the support group for lending. But up until about the last six years, most of my career has been spent in internal audit. I have been involved with, or at least got to see and learn, just about every aspect of the business, and every area within the institution. It created a broad view for me, of how things run and what makes these banking organizations tick.
Over the course of time, I was able to really understand all the different functions and businesses within [a banking] organization. Later on, I became more involved in the management and infrastructure of the company as chief audit executive. It was kind of a natural progression from the control world of internal audit to a broader enterprise-risk view.
Internal audit seemed to be a logical training ground for a chief risk officer because there’s probably no one who has a better view of the entire organization than the internal audit team. It’s their job to poke into everything. Are there other disciplines within the bank that could also be good training ground for CROs?
Bilko: I would say that beyond internal audit, there are certainly other skills that will add to the versatility. Technology, data management and data analytics are such a large part of what we do today—and will be going forward—so there’s a clear need for experience and background in utilizing data to better identify, understand and prevent risk incidents or events. The whole big data thing is important to translate well into the risk management world.
And it will never hurt to live for a little while in the credit space, particularly if you’re doing some credit analysis, or you’re supporting a lending activity, where you get to understand the underwriting criteria and loan portfolios.
Al Dominick, President & CEO of Bank Director, shares three major areas of risk facing financial institutions today. This video, filmed during the 2016 Bank Audit & Risk Committees Conference in Chicago, IL, reflects on his time spent with chief financial officers, chief risk officers, general counsel, audit and risk committee members and various executives from leading professional service and advisory firms.
Banks today must adapt to a world where “digital”, “cyber risk” and “fintech” are the new business lexicon. As the bulk of the workforce shifts from baby boomer to millennial, there is an increased need to attract talent from outside traditional financial services. Below we highlight some changing and emerging roles and a few strategies banks can use to attract top talent.
Emerging Skills and Roles
Chief Technology Officer/Chief Digital Officer
Banks today are pressured to enhance mobile capabilities and compete with fintech companies such as Lending Club, Square and Circle. These new competitors have disrupted traditional financial services offerings, which is forcing banks to adapt their product offering and service platforms to remain competitive. This new competition and technology focus have also led banks to reach outside their typical talent pool to attract candidates with new skills.
Chief Risk Officer/Chief Compliance Officer
Since the financial crisis, regulators have significantly increased the requirements for banks to manage and mitigate risk practices. Add to that the increased threats of cyber risk and it is clear that risk and compliance officers are critical members of the senior leadership team.
Chief People Officer/Chief Culture Officer
As a service related industry, people are a critical asset. And as more millennials enter the workforce, traditional banking environments may need to change. Talent development, succession planning and even culture will be differentiators and expand the traditional role of human resources.
Chief Strategy Officer/Chief Innovation Officer
Part of the transition in the banking industry involves shifts in customer profile, competitors and new products. As banks emerge from the financial crisis and focus on growth and profitability, many are turning to innovators from outside the banking industry to help find creative M&A opportunities, new products and a new customer base.
Do’s and Don’ts
Attracting and retaining non-traditional banking talent can create both challenges and opportunities.
Think strategically: Assess the talent, skills and capabilities you need to execute your strategic plan (new regions, new products, new capabilities). What skill “gaps” need to be filled? Do you need to go outside or can you offer nontraditional career paths and transition current leadership into different roles? How should the leadership structure and team evolve? Create a leadership strategy that supports your business strategy.
Think outside the industry: Many of the roles discussed above are outside the norm for the traditional banking industry. Technology roles may be filled from start-ups or Silicon Valley firms and culture or innovation roles may be filled by ex-consultants or top talent from other industries. If you do recruit from outside of banking, you may need to access different sources of talent (e.g. recruiters) and different benchmark data than you typically use.
Be creative: If you fear you can’t “afford” talent from other industries, think beyond traditional compensation solutions. Compensation is only a part of a total rewards package and there are other important factors such as development and growth opportunities, as well as company culture and lifestyle. Be open to new work environments and career opportunities that will appeal to new (and current) staff.
Reward and retain: In the race to attract the “best” it can be tempting to offer large up-front compensation packages and buyouts of existing unvested awards to acknowledge that the executive is taking a risk to change jobs. While there are reasons to provide these usual pay components, if not designed right, they can be short-lived. A well-designed new hire package and ongoing compensation program should allow the bank to attract top talent, reward performance and create powerful retention.
Rely on compensation surveys: Many banks rely on established compensation surveys and/or peer group data to benchmark roles. However, such data for “hot jobs” is rare or far from perfect. Sample sizes may be small and data is often over a year old. Use multiple data perspectives/views and “triangulate” the information to determine fair and appropriate pay.
Over-focus on internal pay relationship: Respect and align with internal relationships but be flexible. In order to attract an executive in one of these “hot” areas, a bank may need to pay outside of the current compensation structure, but there should be a clear path to pay equity among the executive team over time.
Rush the process: It is important to undertake a thoughtful process when hiring a new executive, particularly those from other industries or non-traditional areas. The compensation committee should receive background information on the candidate(s) as well as detailed information on the compensation package, contractual arrangements and performance expectations.
A heightened regulatory environment is here to stay, that much seems clear. So how are banks and bank management teams coping?
They are hiring more employees, buying software, scrutinizing vendors for compliance and focusing more and more on the business of complying with regulations, in addition to running the bank. Preston Kennedy, the CEO of $200 million asset Bank of Zachary, in Zachary, Louisiana, says he spends one-third of his time on compliance and regulations. “The regulations are now the table stakes,” he says. “If you want to go outside in the winter, you have to wear a coat. If you want to be a banker, you have to abide by a lot of regulations.”
The following is a list of ways in which banks are coping with increased regulations.
Hiring a Chief Compliance Officer or Chief Risk Officer
Previously the domain of the largest banks, even small banks are hiring chief risk officers or chief compliance officers. In Bank Director’s 2015 Risk Practices Survey, 71 percent of respondents from banks below $1 billion in assets had a chief risk officer. So, too, did 92 percent of respondents from banks with $1 billion to $5 billion in assets. Bank of Zachary, despite its small size, has both a compliance officer and a recently hired chief risk officer, who reports directly to the CEO and the board of directors.
Buying Compliance Software or Getting Outside Advice
Banks also are turning to software vendors, core processors and outside consultants such as Fiserv, FIS, Computer Services, Inc. and DH Corp. to help manage compliance. “We are definitely seeing more indications that banks are relying on software more in all different areas,” says Christine Pratt, a senior analyst at financial services research firm Aite Group. Bank of Zachary just purchased a $35,000 program from Continuity to keep track of new regulations that will impact the bank, and help the bank document its compliance. Proper documentation is key because banks have to prove to regulators that they are in compliance. “In order to run a $200 million bank in suburban Louisiana, we have to rely on a company that is hardwired to the government to keep up with this pipeline of new regulations,” Kennedy says. “It’s absolutely ridiculous but it’s the task that we have.”
Incorporating Compliance
Banks are shifting away from handling compliance after the fact and moving toward incorporating compliance into many of their basic business processes, says Jamie van der Hagen, director of consumer lending for Wolters Kluwer Financial & Compliance Services, which sells regulatory consulting services and compliance software to banks. For example, instead of giving out loans and then checking to see if they meet fair lending standards, banks increasingly incorporate fair lending standards into the process of making loans. “Proactive compliance efforts, through automated testing for example, help banks validate their entire portfolio of products and accounts and identify potential compliance issues before they become a problem,” says van der Hagen. “Finding and addressing these possible compliance issues can have a positive impact on the bottom line by enabling institutions to identify loans that qualify for CRA credits and other premiums that can help them improve their overall bottom line.”
Starting to Prepare in Advance of Knowing the Final Rules
Banks are finding they have less time than in prior years to adjust after a rule is finalized and goes into effect. That means they have to prepare even as the rules are in the proposal stage. “They don’t have the time anymore to wait for the rule to be formulated,” says Pratt. “Banks have told me they’re writing two different versions of software [to prepare ahead of time]. That’s incredibly expensive.” Alternatively, vendors should help with the process of updating software on time.
However much of a burden it feels, bank management teams and boards know that they have to comply with regulations to stay in business. Managing the pace of regulatory change and keeping the bank out of the crosshairs of regulatory fines and punitive enforcement actions has become a core responsibility of the bank’s management team. “The pace of regulatory change has really increased in the last 10 years and there is no indication that it is going to go down,” says van der Hagen.
There was a general consensus among most of the investment bankers and attorneys I spoke with at our Acquire or Be Acquired conference last January that takeovers of healthy banks will accelerate this year because an increasing number of institutions will see this as their best option for growth in the face of poor loan demand from business borrowers and shrinking net interest margins. Sounds good in theory, but one of the problems with this strategy is that acquisitions don’t always achieve their primary objective, which is earnings-per-share (EPS) accretion for the buyer’s shareholders.
Indeed, there are probably many more things that can go wrong in an acquisition than go right, and this places enormous pressure on the acquirer to hit the bull’s eye on each one of its assumptions about asset quality, cost reductions and revenue enhancements. If a buyer misses any of those targets by a wide enough margin, it will essentially have overpaid—and that means it will miss the projected increase in post-merger earnings per share that it used to justify the merger in the first place. Few bank chief executive officers want to risk angering their institutional investors by overpaying for a deal.
Recently I asked Stephen Figliuolo, the executive vice president and corporate risk officer at Citizens Republic Bancorp in Flint, Michigan, for a list of questions that every bank chief risk officer (CRO) should be asking in any acquisition. Figliuolo has been on both sides of an M&A deal—transactions that Citizens has done as the acquirer and, of course, the bank’s own sale last year to FirstMerit Corp. Here are his questions, which have been organized into five categories:
Loan portfolio: “What is the credit mark on the portfolio? How much is the loan portfolio really worth? This is dependent on the quality of the loans, so you look at loan concentration levels and ask whether the various types of loans fit your strategic need. Are the loans supported with appropriate loan documentation? Is the seller’s credit rating system similar to yours or more liberal? Are there any major reporting discrepancies to impaired loans, nonperforming loan designations or charge-offs? Are they sufficiently reserved? What is the quality of the portfolio monitoring and can it detect deteriorating credits?” These are all good questions, and CROs should wave a red flag if they aren’t satisfied with the answers they get back, because if you miss big on your analysis of the target’s asset quality, the deal will probably be a bust. All of these categories of risk are important, but gauging the target’s asset quality correctly is probably the most important.
Balance sheet: “What are the components of the balance sheet? What is the quality and duration of the securities portfolio? What steps will you as a buyer have to take to unwind investments that don’t fit your strategy from a duration, interest rate or risk perspective? How does the target fund itself? Does it rely more on high-cost deposits including brokered versus low-cost core deposits, in which case you will need a plan to eliminate those high-cost deposits over time?”
Regulation: “What are the regulatory risks? The hot items in banking today are anti-money laundering/Bank Secrecy Act laws, consumer add-on products, fair lending and consumer compliance. You buy those issues as they exist at the acquired bank and you will need a plan to fix them.” An example of a consumer add-on product would be a situation where an individual takes out a loan to buy, say, a boat and the bank agrees to fund the loan for 5 percent more than the purchase price. The borrower could then use this extra money for some purpose unrelated to the boat purchase itself. “The Consumer Financial Protection Agency is all over this,” he says. “They ask, ‘Does the borrower have the ability to repay that loan?’”
Pending legal actions: “Not only do you get an idea of prospective legal costs involving the acquired institution, but an idea on how well the company is managed.”
Strategic fit: “What exactly are you buying and why? Is it the deposit base as a source of funding, or are you buying it for market share or to acquire an annuity-like revenue stream, to name a few of the factors? And how much expense can you take out through improved efficiencies?” This might be an especially important concern if the bank is doing an acquisition because it can’t find much organic growth in its market. A bank that feels a self-imposed pressure to do a deal might not exercise as much caution as it should. “Do you understand the strategic fit?” asks Figliuolo. “Does the deal make business sense?”
CROs will normally be an important participant in the due diligence process that precedes an acquisition, but the extent of their involvement probably depends on where they rank in the institutional pecking order. “It depends on the status and experience of the CRO in the organization,” says Figliuolo. “At some banks, the CRO leads the due diligence process. At others, it might be the chief financial officer, and the CRO only contributes to those things under his purview.”
Either way, CROs have a vital role to play when their banks are vetting a possible merger—and they could be the difference between a successful deal and one that blows up, if they ask the right questions.
The price for peace of mind has gone up and nowhere is that more evident than the compensation levels for chief risk officers (CROs). If you are a large or medium-size regional bank looking to hire a new chief risk officer, you should expect to pay up to $1 million in annual compensation and potentially more depending on the size of the institution or the skills and experience needed. Demand for this talent has risen but there is a premium to pay and compensation has in many cases doubled compared to a few years ago.
Why has the price risen so sharply of late? This has become a role that can make or break a bank’s relationship with its board, shareholders and regulators. The CRO has become significantly more active in determining a bank’s strategic direction and the shape of its asset portfolio, as well as continuing to monitor traditional risk functions. The skills sought today in a top CRO are broader than they have been historically, slimming the pool of available talent significantly. Additionally, the career risk for an individual stepping into the CRO role is extremely high, making the roles themselves less attractive. CROs are increasingly blamed for a bank failure and many former CROs are now either out of the market altogether or have changed career paths, moving into consulting or joining a regulator.
This white paper examines the skills and backgrounds needed for a chief risk officer and poses four questions boards should be asking.
Citizens Republic Bancorp, a bank holding company with $9.6 billion in assets in Flint, Michigan, started a risk office and hired a chief risk officer seven years ago at the urging of regulators. Like many banks, it struggled in the aftermath of the recession but returned to profitability and exited a memorandum of understanding with regulators. Although banks below $50 billion in assets aren’t technically required to have a chief risk officer, many smaller banks do. Steve Figliuolo has had the job since 2005. He talked to Bank Director in 2012 about his work, his views on what makes a good chief risk officer and the operations of the risk committee.
What kind of person should be a risk officer and what does a risk officer do?
The previous CEO’s feeling was if we had someone who had a broad background and understood how a bank worked, understood asset/liability and balance sheet management and operations, along with an ability to get things done, that would be the right fit. At the time, we had to start our risk office from the ground up. In my organization, there are about 35 people now. The loan review function reports to me. I have a manager of loan review who reports to me with eight loan review officers. They look at business units and their loans and make sure they are complying with our policies and regulations, and the loan review officers validate the loan risk rating and facility (collateral quality) rating. You need to have an independent group that validates the work of the business units and gives comfort to the regulators that your loans are properly valued. I have an operations risk manager, and he has four or five direct reports—one of those reports has the fraud and investigation department along with the Bank Secrecy Act and anti-money laundering monitoring team, which comprises 12 or so people.
The physical security and system security operations team reports up through me as well. You have a cadre of people spread throughout an organization that perform risk management functions that can be overseen by the risk officer, such as insurance risk and making sure you’re properly insured. Some banks have the compliance function under risk as well, but now our chief compliance officer reports to our general counsel and the CEO/board maintains oversight. At our company, I sit on the asset/liability, management and revenue committees and I report to the CEO.
Another role chief risk officers have is they are the interface between regulators and the bank management team. If you have a low CAMELS score, there will be more involvement by the CEO and the board, but typically, the chief risk officer is the first interface with the regulators.
We have two or three people who do risk reporting for us. They make meaningful judgments along with the business units regarding key risk indicators that are tied to a dashboard for monitoring, review and action. We use a red, yellow and green dashboard, and if any key risk indicators fall below a certain level, the business unit manager has to correct that.
The way we see it here, I should be able to make my peers perform better. Your job is really to ask the tough questions that sometimes people don’t want to think about. I should be able to state openly what the risks are for the company, rather than thinking this will reflect poorly on my career or other teammates. That makes a chief risk officer very effective. They shouldn’t have an ‘I gotcha’ attitude, however. You definitely need to have interpersonal skills and you have to garner the respect of your peers. No one wants to work with someone who doesn’t help make them better.
What if there is a disagreement with other managers?
Ultimately, it’s the CEO’s call. We have a strong CEO who is not afraid to make decisions. In our company, we always try to do the right thing. You’re not going to put the company at risk through some kind of incentive payment, for example. A chief risk officer is very effective if the rest of the peers operate with professional maturity. It is very important to have that open, honest dialogue. I made it clear that I didn’t want the job if my opinion wouldn’t count and it was just to make the company look good on paper. I wanted authority and the ability to make an impact.
How do you work with the board?
We do have a risk management committee and a director chairman. I work with that person to structure the agenda, content and decide when we have to bring things to the full board. We meet quarterly. During the crisis, we met six times per year because the extra board oversight was needed. We always start off with a review of our corporate dashboard. We are looking at credit risk, liquidity risk, reputational risk and other risks. There is actually a Fed guidance letter 95-5 that details the six or seven risks that an organization should be mindful of. The focus in the industry the last couple of years has been credit, capital and liquidity. We wanted to make sure we devoted enough time to those risks. The treasurer and chief credit officer both make presentations to the risk committee. Typically, those two have 45 minutes to one hour. Our meetings typically last 2.5 to 3 hours.
What kind of bank needs a chief or corporate risk officer?
I think a bank needs a chief risk officer if it wants to look at risk from a holistic level, understand what the risks are, the metrics that drive them, monitor them and correct them. At our company, the two biggest risks on the balance sheet are the loans and the management of the balance sheet itself. So the treasurer manages the asset/liability risks and the chief credit officer manages the credit risks. Those two areas, asset/liability and credit, are very complex and require technical knowledge that you aren’t going to find embedded in one person. The chief risk officer rolls them up in a meaningful way and in a way that can be digested by the board, specifically the risk committee, so it can provide oversight and guidance and ask management to come up with solutions. The regulators want to understand, ‘What is the risk appetite in your company?’ Are you going to be making loans that are asset-based, or are they going to be leveraged finance-type deals, or are you going to play in the more risky end of the market? You can do that based on your capital level and your ability to withstand any losses and your chief risk officer should be able to provide meaningful input in those conversations.
How is your work evaluated?
The [CEO] Cathy Nash and I have a list of criteria; we have results-based goals and objectives. We have at least three of them that Cathy and I agree upon. One goal is to work closely with the compliance department on rules coming out of the Dodd-Frank Act. I act as a facilitator to make sure they get that done. Another objective is to create an office of model risk management as part of our enterprise risk management program. It’s important to judge the accuracy of the balance sheet and credit risk models that we use. I still have daily tasks to oversee and manage the departments that I run. I should enable Cathy to do the things a CEO should do. For instance, there are a whole host of exams that happen throughout the year for compliance, and I coordinate all that activity, so Cathy doesn’t have to think about first day letter preparation or examination response deadlines.
What do chief risk officers get paid? I’ve heard that some of them make $1 million per year because demand is so high for someone who can do the job.
That is based on market conditions and the responsibility associated with the job. I don’t make $1 million. For smaller banks, it’s probably $100,000 and up, I would imagine. [Editor’s note: Figliuolo was not one of the top five highest paid executives at Citizens Republic, so his pay was not publicly available.]
In the aftermath of the 2008 global financial crisis, bank boards are taking on a much more active role in overseeing enterprise risk management (ERM). Bank directors face greater liability from shareholders and regulators in the form of lawsuits and professional liability claims from the Federal Deposit Insurance Corp., more stringent regulatory and disclosure requirements and higher expectations from key stakeholders. An effective relationship between the chief risk officer and the board is more important than ever.
How should bank directors support the chief risk officer (CRO) and improve the effectiveness of their relationship? Consider these five steps:
Understand the role of the board in ERM. Bank directors recognize the regulatory requirements and business uncertainties that they face. Recent surveys indicate that risk management has emerged as a top board concern. What is the role of the board in ERM? There are three key responsibilities: (a) establishing an effective governance structure to oversee ERM, (b) approving an ERM policy that includes a risk appetite statement, and (c) establishing assurance and reporting processes to monitor risk management effectiveness. Bank directors who understand their role in ERM can provide effective risk oversight without encroaching on the role of management.
Appoint more risk professionals on bank boards. Section 165 of the Dodd-Frank Act established new requirements for publicly traded banks with assets over $10 billion, including the establishment of a risk committee of the board that includes at least one risk management expert. The Federal Reserve Board may also begin requiring a risk committee at smaller publicly traded banks. James Lam & Associates reviewed the professional biographies of over 1,200 bank directors at U.S. banks with over $10 billion in assets, and found that only 5 percent have a risk background. We expect that number to more than double in the next few years.
Ensure an effective risk committee of the board. While appointing risk professionals to their ranks will enhance the board’s capabilities to oversee ERM, there are other best practices for an effective risk committee. These requirements include (a) a well-developed charter that defines the risk oversight responsibilities of the risk committee relative to the full board, the audit committee and other board committees, (b) a set of integrated dashboard reports designed specifically for the board that will highlight major risk exposures and key decision points and (c) a periodic assessment of the effectiveness of the risk committee based on both subjective and objective criteria.
Enhance the independence of the risk function. What is the reporting relationship between the CRO and the risk committee of the board? If there is a dotted line relationship, what does that dotted line really mean in terms of direct communication, CRO hiring/firing decisions and CRO performance evaluation? Moreover, what is the expectation of the board with respect to the responsibilities of the CRO? Importantly, is the CRO sufficiently independent and able to raise critical risk issues to the board without concern about job security or compensation? These are some of the key questions that should be addressed.
Integrate board oversight of strategy and ERM. Monitoring strategy development and execution has long been the purview of boards. As boards become more active in ERM, the integration of strategy and risk oversight is a logical and desirable outcome. Independent research studies from Deloitte Research, The Corporate Executive Board and James Lam & Associates have found that when publicly-traded firms suffer a significant decline in market value, approximately 60 percent of the loss events were caused by strategic risks, 30 percent from operational risks and 10 percent from financial risks. While integrated strategy and risk oversight is arguably a key role for the board, this process is still in its early stage of development.
In the current business and regulatory environment, establishing an effective partnership between the board and the CRO is more important than ever. Given that the CRO is responsible for implementing the ERM program, and the board is responsible for overseeing its effectiveness, the partnership between the two should be an ideal match.