Risk Management at Crunch Time: Are Chief Risk Officers Compliance Champions or Business Partners?

Abstract

Risk management departments in financial institutions have been undergoing major transformations. New regulatory requirements have raised the bar on compliance and expanded the remit of risk management significantly. The compliance imperative requires banks to implement a firm-wide risk management framework complete with analytical models for the measurement and control of quantifiable risks. In addition, recent corporate governance guidelines advocate the 'business partner' role of risk management. The COSO Enterprise Risk Management framework (2004) explicitly defines risk management as a high-level strategic activity, contributing to board-level decision making, planning and performance management. This role requires that senior risk officers possess an understanding of key strategic uncertainties, and that they communicate these to senior management and the business lines. But how do senior risk officers strike a balance between the twin roles of compliance champion and business partner? Too much reliance on the regulatory crutch may erode the credibility of the risk function as a business partner, while too much emphasis on the business advisory function might weaken its policing capability. In this paper, I assess the roles that risk functions and, in particular, senior risk officers play in fifteen international banks. Because the research was carried out between June 2006 and June 2007, it offers a rare snapshot of the 'calm before the storm' - the state of risk management at fifteen large players before the liquidity and credit crunch became apparent in the second half of 2007. The findings suggest that the role of chief risk officers (CROs) had expanded dramatically, with more than half of them frequently involved in firm-level strategic decisions. However, various compliance and risk modeling initiatives were still works-in-progress in the majority of these large international banks at the onset of the market turmoil. CROs voiced divergent views on the uses, benefits and limitations of risk models, suggesting that they promoted different 'calculative cultures' (quantitative enthusiasm versus quantitative skepticism). Strategically involved CROs therefore interpreted the business-partner role of their function in different ways. Some risk functions aspired for an influential expert voice in key business decisions (the risk function as strategic advisor), while others strived for the formal integration of risk management with performance management (the risk function as strategic controller). The achievement of the Strategic Advisor role in some banks and the Strategic Controller role in others, calls for a clarification of stakeholder expectations on risk management. This would reduce the danger of an expectations gap opening around particular risk management approaches that are adequate for certain banks but ill-suited for others.