The Evolution of the CRO – Chapter 2

Our first in-person breakfast event since pre-pandemic was chapter two of the evolution of the CRO – a Future CEO? This was a follow-on from the event we hosted back in 2015. Hoggett Bowers and the Institute of Risk Management (IRM) were co-partners for this discussion.
We were delighted to be joined by a group of prominent CROs and board members from across the financial services industry to discuss: How the CRO role has evolved since 2015, and what the role will look like in the future, given the challenges we face as a global community? To lead the discussion, we had the pleasure of welcoming our guest speaker, David Fletcher (Group CRO, Bupa). In addition to his CRO roles, David has also undertaken CEO/MD roles in banking and insurance across the globe, sharing his rich insights into what it takes to successfully transition from a CRO to a CEO.
Hoggett Bowers CRO practice leader, Tariq Ghadie, introduced the event by highlighting yet another very recent example in the market of someone who has made the transition from CRO to CEO, C S Venkat at Barclays.
David started his talk by making clear that risk isn’t going away anytime soon, and the demands of risk management will increase, meaning the role of the CRO will continue to broaden and evolve. It’s evolved from the backward-looking, check-the-box role of many years ago, which largely gave a false sense of readiness and ignored the strategic aspects of business. The role is now more forward-looking, with everyone utilising scenario planning, stress testing and advanced data analytics. It’s broadened from a financial/prudential focus to encompass non-financial risks. The operational risk categories include cyber, technology, fraud, people etc. And it’s further evolved to encompass strategic risks, such as climate change, geopolitical risk and social licence to operate. People often refer to emerging risks, but these should be put together with strategic risks, in his view. This is to avoid a potential debate on whether a risk has emerged or is emerging.
The CROs are sitting with CEOs, other C-suite executives and boards to be an effective enabler of strategy and change. They do not sit on the side lines only to challenge or get involved at the later stages of execution. The role has become more central and important to financial institutions. If you fail to identify your strategic risks, you will likely fail as a business no matter how well your organisations manage their operational and financial risks. This highlights how the CRO role has evolved to truly add value to the business.
As a young graduate trainee at Citibank, David recalls the chair of the credit policy committee coming to address graduates in his department. He was a formidable, imposing character and had an unnerving habit of asking a question whilst walking behind you. In his address, he said “I have the easiest job in the world”, going on to explain that if he said “no” to everything, he would never be wrong. However, it’s obvious to everyone that the business would not be there to be part of, either.
Business priorities should be discussed in the context of the business appetite for risk. They want that necessary reward/risk trade-off to cover the upside as well as the downside. The CRO role is about providing perspective, with guidance on strategy and strategic business risks, as well as guidance on opportunities: the WHEN and the HOW to take them. The CRO has become more commercial, which shouldn’t be seen as a dirty word; rather, this should be viewed as essential, whilst not compromising on risk independence in any way. CROs should focus on strategy, in some ways much more than on execution, stepping back from some of the detail and day-to-day operational matters and leaving it to others who are better placed to deal with that. CROs need to be thinking more broadly about risk and its impact, looking outside as well as within the firm, not constrained by the four walls they operate within, crashing through silos to understand the bigger picture through a focus on outcome and not activity. This may require taking perspectives much longer than one is used to, e.g. in scenario planning and stress testing. Climate change is a good example of this: it doesn’t neatly fit into a corporate pattern of 3- and 5-year plans. As the CRO role evolves, the tools and methods used to enact the role also need to evolve.
David cited his own CEO at Bupa, who is relatively new in his post and always says, “I want a CRO and a risk function that doesn’t tell me what I can’t do but tells me how I can do something”. This in many ways encapsulates the evolution of the CRO role, setting it up as an enabling role. We should not ignore risk appetite, learning from mistakes and risk culture. It’s natural that CROs and their organisations are more comfortable taking risks underpinned by strong and identified controls. However, this restricts our thinking and approach to risk appetite. There needs to be a balance. The pandemic is a reminder that low probability high impact events can happen. So, CROs need to think about systemic risk.
As a collective, he worries about the CRO community and the CEO community being too self-congratulatory on the resilience shown during the pandemic. Yes, things have worked very well in many sectors, but has resilience really been cracked? What if the next pandemic (not if but when) isn’t a Corona type virus initially affecting the elderly section of the population, but targets the younger population in the same magnitude we have seen with Covid-19? Our resilience will be tested in a very different way and will the outcome be equally successful? It’s the restlessness of thought, exploring different vulnerabilities, that is essential to the modern CRO.
The CRO is now expected to have an opinion on a range of things. At Bupa, he formally has to give an opinion to the board on their 1- and 3-year plan, any sizeable acquisition, disposal or project. In this formal board paper, there is a focus on alignment to strategy, risk appetite, achievability, and how well risks and opportunities are being identified. In particular, non-financial risks i.e. management bandwidth and how technology will apply and always the potential reputational impact. Having an opinion also means having an opinion on softer issues, such as behaviour and character. In credit risk, it’s not just about the ability to repay, it’s also about the willingness to repay. An opinion is just an opinion; it’s great if we have all the facts, but often all the facts will not be in place. If we wait for all the facts, then the opinion will probably be too late. So, the CRO needs to be prepared to take risks and to follow their instincts.
There is no point having the best risk thoughts, systems and processes if most of the discussion sits purely in a 2nd line ivory tower within the organisation, where the CRO has little credibility and influence with the business. Getting the key risk messages across – managing risk in the business and risk being everyone’s role, needs a CRO who is comfortable to both communicate and to be visible.
Reputational risk is an area which has accelerated at pace over the last few years and will continue to do so. CROs will need to think more creatively, and one aspect that has evolved is how reputational risk can be risk by association. It can be at arm’s length through 3rd party relationships and associations. CROs are essential for building risk aware cultures, knowing how to identify and mitigate risk, how to prioritise risks, and ensure risks are factored into decision making at all levels. We all want early identification and action taken. From a behavioural point of view, this means the CRO is a heavy influencer role, which is another way the role has evolved over the years.
There are lots of routine things that get done, around controls, assurance, and risk frameworks, which are an essential part of the function the CRO performs. However, there is more to a CRO than just making sure these things are working as they should.
What will the CRO role look like in the future? The easy answer is more evolution of the same strategic forward-looking approach. Within this, there are 2 key areas:
1. The ability to embrace and utilise technology, i.e. machine learning, artificial intelligence, blockchain and data analytics & fluency. This means answering the question we all need to ask ourselves: do we understand well enough the possibilities of technology, in and for risk management? The speed of acceleration is going to keep on increasing and CROs are going to need to embrace and drive this. This also points to the need for the CRO to orchestrate more conceptualisations and hierarchies than they currently do today. There will be very different types of people driving technology in the future, and CROs need to be adaptable and open enough to embrace and work with them.
2. The move from risk control to risk intelligence. The CRO needs to change in the same way, becoming even more active in identifying trends, growth opportunities and ensuring we have a dynamic agile approach to risk and risk appetite. Recognising the trends of social responsibility and our social licence to operate. Understanding that not taking an opportunity is a risk.
One of the biggest risks companies will face as the environment around them changes, is that they are not changing themselves and they are not changing quickly enough. CROs need to recognise this, and be looking in and outwards, probably meaning changing themselves. The future CRO will make new possibilities happen in an appropriate way.
If CROs are doing all the things mentioned already, and more, they should be confident in making the transition to CEO.
Historically, if CROs have been thought of as introverted geeks, then the question may be valid, but this has never really been true. It’s about experience, personal qualities, knowledge of business and management techniques. Let’s remember that the C in CRO indicates a C-suite role, and we should not be apologetic about that. CROs should not think they are in a C-suite role due to the regulators pushing for the role to be there. Anyone who thinks this is out of date. It’s not about being a chief in name only, it’s about having earned it.
A successful transition to CEO requires confidence and not defensiveness of having been a CRO. Even if you are not defensive yourself others might well be, which needs to be recognised and tackled head-on. As a general collective of CROs we have been defensive about this transition, and it’s wrong.
Steven Van Rijswijk who moved from CRO at ING Group to be CEO in mid-2020 sums up the transition very well. On his appointment he said, “I have no plans to change the strategy when I take over, because as a member of the executive board, I was also responsible for that strategy, so that wouldn’t be an obvious thing to do”. He isn’t defined by the fact he was a CRO, he’s using the experiences of having been a CRO and having been a part of the senior management team to give him the confidence to be the CEO.
The executive committee role has two aspects. The representative of risk within the organisation, and a broader aspect of being part of senior management and owning the strategy and its execution.
The CEO role is also looking at these things, including risk. Yes, it’s broader, but many of the similar essential skills are there. In the same way as we rightly see CROs as having the ability to become CEOs as much as CFOs, and those in customer roles or with business backgrounds, it’s also important we see the need to have non-risk people in our risk functions. Transition is much easier if you are comfortable working with a broader range of people, and you see yourself as a general manager rather than only a risk officer.
Risk management skills are great general management skills and vice versa. It’s about being open to this and recognising it. CEO roles can be very lonely roles, you are part of the team, but your role within the team is amplified, sitting above the team. The CEO has a board and hopefully a supportive chair, but it’s still a lonely place to be as the senior executive. Any successful transition from CRO to CEO recognises this but will also recall the loneliness the CRO role can have, especially when raising unpleasant truths and the things people do not want to hear.
A CEO wants a CRO who will challenge and has an opinion. Someone who will tell the CEO things he/she doesn’t want to hear, making you think and challenge your own assumptions. Also, someone who recognises when it’s the CEO’s decision to make/take with their full support.
The CRO to CEO can be a successful transition and CROs should be in contention for CEO roles if they want to be. One final thought, if any of you do become CEOs, make sure you get yourself a really good CRO!
Q. Paola Bergamaschi Broyd, INED, Chair of the Risk Committee, BNY Mellon International
The point you made around technology is not very popular with CROs and they delegate a lot of the digital transformation / assets discussions. What needs to happen to change this mindset?
A. It’s about balance, the CRO doesn’t have to be an expert in technology, but they must recognise the trend and where the agenda is going. CROs can be guilty of thinking (including me) it’s not something I have done in the past, and it’s another new topic to learn. However, the reality is things are changing rapidly. So, if we don’t want to get left behind personally, and miss key risks/trends, then we need to embrace new technology. This means attracting new and different people into risk functions, people who we might find difficult to work with in the early stages as they speak a different language to us and have contrasting backgrounds. If we carry on down a narrow path and sit on the side lines, we will not be doing our job properly and miss what is going on. It’s largely about mindset and being more open.
Q. Fabrice Brossart, CRO, AIG International
You mentioned the CRO is part of the management team and at the same time must provide an opinion. However, sometimes this opinion may not align with the CEO or wider management team. Have you experienced this?
A. When I was a CEO, I wanted that opinion from my CRO even if it was different. I was always very clear, we are talking about an opinion and you are involved in the decision, but ultimately, it is my decision to make. There are other times where it was more collective. As a CEO you need to be very clear with your senior management team what sort of discussion you are having. As CRO I don’t think we should compromise, it’s our job to have that opinion. I would categorise as being very happy to work with people who have a different opinion to me as long as we are rowing the boat in the same direction. I would not tolerate a person, whilst as a CRO or CEO, who was trying to row the boat in a different direction.
Q. Duncan Martin, Chair of the Board Risk Committee, Chetwood Financial & Senior Advisor, BCG
You mentioned technology as a driver of change. What about regulation?
A. I take the point we work in a highly regulated sector and given what we have been through with the pandemic, we should expect more and different types of regulation. This is just something we have to live with. Again, the CRO has a role (and the CEO) to have the right conversations with the regulators about key and evolving issues i.e. technology. This will help ensure regulation doesn’t become an impediment to what is going on.
Q. John Gill, Non-Executive Director, Quilter Investment Platform
How can the CRO use the risk committee to their advantage?
A. I think it’s very important the CRO has an open relationship with the Board Chair of the Risk Committee (BRC), with the ability for the CRO to share things with the BRC that are not going to be repeated. I value the relationship with my BRC at Bupa very highly, and we talk regularly, even if it’s just a check-in to see how things are going. It’s a constant dialogue type of relationship, built on openness and transparency.
Q. Jose Vazquez, Group CRO, Directline
As CEO, if it wasn’t for regulators, would you have a CRO?
A. Absolutely! As a CEO I valued the challenge and strategic input from my CRO. Also, someone who viewed things through a certain lens being the senior executive for risk across the organisation. Having spent most of my life in regulated industries, most of regulation makes sense.
Q. David Sansom, CRO, Lloyds of London
Often, it’s the CRO as a member of the executive team who writes the challenge/opinion down for the board. How do you balance all the different challenges when you are the person responsible for putting pen to paper?
A. I’m about to write my opinion on our 3-year plan which is the highlight of my year! My board is not expecting me to say that everything is fine and do not worry about it. They are expecting a balanced view and, for me to point out the things that could go wrong. Equally, I have been vocal at the board and with the BRC, that one of our biggest risks is that we don’t change at pace as an organisation. So, when I get presented with a plan that presents change, it’s about changing the strategic risks into an operational risk as we start to deliver it. There have been cases in the past where I’ve said we should not be doing this, and here are the reasons why i.e. on an acquisition. You have to be clear on what the board is looking for. Are they looking for your opinion or your blessing?
Q. Feike Brouwers, CRO, Monument Bank
To what extent should the CRO be involved in driving the people and culture agenda?
A. The senior management team needs to drive the people agenda and culture the firm is looking to develop. Personally, I don’t like talking about risk culture. I much prefer talking about culture of which risk is a component, ensuring it becomes more central to what is going on. The CRO has to be involved in these discussions, it’s not uncommon for the CRO to play an active role in the interview process for senior executives to get a sense of their character and behaviour.
Q. Evan Waks, CRO, Ageas UK
When you talk about opinions and strategies, my experience is that the quantitative discussions are easy. On non-quantitative issues, it comes down to a qualitative judgement of the likelihood of something working or not i.e. a change programme. How do you approach the question from a NED, is this within our risk appetite?
A. When our new group CEO was appointed, the BRC made clear they were open to amending risk appetites subject to their approval. Equally, they explained that not everything is set in stone. You have to marry risk and strategy. If not, you will likely have a strategy that is completely out of control or a strategy which misses a lot of the opportunities it should be taking. Once you get into the discussions, it becomes an opinion and a judgement.
Q. Zoe Shapiro, CRO, Bupa Insurance UK
You talked about climate change and tensions in society. What do you think the role of risk leaders might be in a broader way, outside their organisation?
A. These are issues the senior executive generally need to be thinking about. And, as a member of the senior executive there is a responsibility for the CRO to ensure they are thinking about these issues. They will have an impact on company strategy, risk profile and appetites. And, we have to get away from thinking in a 1-3-5-year mind set to a more accumulative approach to achieve a longer-term goal.
David Fletcher, biography:
David became Group Chief Risk Officer of Bupa in January 2017. He has been with Bupa since 2014 in senior roles including Chief Internal Auditor and MD of IDM. He has had extensive international financial services experience, having held various senior positions in Nigeria, China, Hong Kong, Singapore, Bangladesh, Indonesia, and in London with Standard Chartered and Citibank.