The Role of the Risk Officer
There is no common job description for the risk officer, and where there is one, it is far from uniform.
But there is something important we do know: Risk officers become more important year after year.
Risk officers must:
- Manage the implementation of all aspects of the risk function, including implementation of processes, tools and systems to identify, assess, measure, manage, monitor and report risks.
- Assist in the development of and manage processes to identify and evaluate business areas' risks and risk and control self-assessments.
- Manage the process for developing risk policies and procedures, risk limits and approval authorities.
- Monitor major and critical risk issues.
- Manage the process for elevating control risks to more senior levels when appropriate.
- Manage the corporate risk and control assessment reporting process as well as manage and maintain infrastructure elements (e.g. management reporting, including reporting to senior management).
- Be leaders in developing and improving management reporting.
- Liaise with business users to prepare functional specifications.
- Generate project management documents.
- Prepare high-level user requirements to assist in preparation of Project Initiation Documents.
- Translate business requirements and functional needs into business / reporting and system specifications.
- Ensure technical specifications meet the stated needs of the business.
- Provide user training for in-house developed systems.
- Conduct compliance & risk assessments.
- Conduct and document audits of client compliance with industry standards.
- Document project plans, action plans, presentations and project results for clients.
- Define & produce client policies, procedures, processes & other documentation as required.
- Enhance the security architect function and be responsible for the end-to-end security architecture of applications, technologies and services.
- Implement the security program’s risk and control framework and global IT risk strategy.
- Ensure the program is effectively integrated into product development and delivery methodology.
- Participate in local and global discussions to formulate new or enhance existing security processes, policies and standards.
According to the Bank for International Settlements:
- A bank should have a risk management function (including a chief risk officer (CRO) or equivalent for large banks and internationally active banks), a compliance function and an internal audit function, each with sufficient authority, stature, independence, resources and access to the board;
- Risks should be identified, assessed and monitored on an ongoing firm-wide and individual entity basis;
- An internal controls system which is effective in design and operation should be in place;
- The sophistication of a bank’s risk management, compliance and internal control infrastructures should keep pace with any changes to its risk profile (including its growth) and to the external risk landscape; and
- Effective risk management requires frank and timely internal communication within the bank about risk, both across the organisation and through reporting to the board and senior management.
Banks should have an effective internal controls system and a risk management function (including a chief risk officer or equivalent) with sufficient authority, stature, independence, resources and access to the board.
Basel III and the role of the Risk Officer and the Chief Risk Officer (CRO)
Banks must have an effective independent risk management function, under the direction of a Chief Risk Officer (CRO), with sufficient stature, independence, resources and access to the board.
The independent risk management function is a key component of the bank’s second line of defence.
This function is responsible for overseeing risk-taking activities across the enterprise.
The independent risk management function (bank-wide and within subsidiaries) should have authority within the organisation to oversee the bank’s risk management activities.
Key activities of the risk management function should include:
• identifying material individual, aggregate and emerging risks;
• assessing these risks and measuring the bank’s exposure to them;
• supporting the board in its implementation, review and approval of the enterprise-wide risk governance framework which includes the bank’s risk culture, risk appetite, RAS and risk limits;
• ongoing monitoring of the risk-taking activities and risk exposures to ensure they are in line with the board-approved risk appetite, risk limits and corresponding capital or liquidity needs (ie capital planning);
• establishing an early warning or trigger system for breaches of the bank’s risk appetite or limits;
• influencing and, when necessary, challenging material risk decisions; and
• reporting to senior management and the board or risk committee, as appropriate, on all these items, including but not limited to proposing appropriate risk-mitigating actions.
While it is common for risk managers to work closely with individual business units, the risk management function should be sufficiently independent of the business units and should not be involved in revenue generation.
Such independence is an essential component of an effective risk management function, as is having access to all business lines that have the potential to generate material risk to the bank as well as to relevant risk-bearing subsidiaries and affiliates.
The risk management function should have a sufficient number of personnel who possess the requisite experience and qualifications, including market and product knowledge as well as command of risk disciplines.
Staff should have the ability and willingness to effectively challenge business lines regarding all aspects of risk arising from the bank’s activities.
Large, complex and internationally active banks, and other banks, based on their risk profile and local governance requirements, should have a senior manager (CRO or equivalent) with overall responsibility for the bank’s risk management function.
In banking groups, there should be a group CRO in addition to subsidiary-level risk officers.
The CRO has primary responsibility for overseeing the development and implementation of the bank’s risk management function. The CRO is responsible for supporting the board in its development of the bank’s risk appetite and RAS and for translating the risk appetite into a risk limits structure.
The CRO, together with management, should be actively engaged in the process of setting risk measures and limits for the various business lines and monitoring their performance relative to risk-taking and limit adherence.
The CRO’s responsibilities also include managing and participating in key decision-making processes (eg strategic planning, capital and liquidity planning, new products and services, compensation design and operation).
The CRO should have the organisational stature, authority and the necessary skills to oversee the bank’s risk management activities. The CRO should be independent and have duties distinct from other executive functions.
This requires the CRO to have access to any information necessary to perform his or her duties.
The CRO, however, should not have management or financial responsibility related to any operational business lines or revenue-generating functions and there should be no “dual hatting” (ie the chief operating officer, CFO, chief auditor or other senior manager should in principle not also serve as the CRO).
While formal reporting lines may vary across banks, the CRO should report and have direct access to the board or its risk committee without impediment.
The CRO should have the ability to engage with the board and with senior management on key risk issues. Interaction between the CRO and the board and/or risk committee should occur regularly, and the CRO should have the ability to meet with the board or risk committee without executive directors being present.
Appointment, dismissal and other changes to the CRO position should be approved by the board or its risk committee. If the CRO is removed from his or her position, this should be disclosed publicly.
The bank should also discuss the reasons for such removal with its supervisor.
The CRO’s performance, compensation and budget should be reviewed and approved by the risk committee or the board.
Risks should be identified, monitored and controlled on an ongoing bank-wide and individual entity basis.
The sophistication of the bank’s risk management and internal control infrastructure should keep pace with changes to the bank’s risk profile, to the external risk landscape and in industry practice.
The bank’s risk governance framework should include policies, supported by appropriate control procedures and processes, designed to ensure that the bank’s risk identification, aggregation, mitigation and monitoring capabilities are commensurate with the bank’s size, complexity and risk profile.
Risk identification should encompass all material risks to the bank, on- and off-balance sheet and on a group-wide, portfolio-wise and business-line level. In order to perform effective risk assessments, the board and senior management, including the CRO, should, regularly and on an ad hoc basis, evaluate the risks faced by the bank and its overall risk profile.
The risk assessment process should include ongoing analysis of existing risks as well as the identification of new or emerging risks. Risks should be captured from all organisational units that originate risk. Concentrations associated with material risks should likewise be factored into the risk assessment.
Risk identification and measurement should include both quantitative and qualitative elements.
Risk measurements should also include qualitative, bank-wide views of risk relative to the bank’s external operating environment. Banks should also have a method to identify and measure hard-to-quantify risks, such as reputation risk.
Internal controls are designed, among other things, to ensure that each key risk has a policy, process or other measure, as well as a control to ensure that such policy, process or other measure is being applied and works as intended.
As such, internal controls help ensure process integrity, compliance and effectiveness.
Internal controls provide reasonable assurance that financial and management information is reliable, timely and complete and that the bank is in compliance with its various policies and applicable laws and regulations.
In order to avoid actions beyond the authority of the individual or even fraud, internal controls also place reasonable checks on managerial and employee discretion.
Even in smaller banks, for example, key management decisions should be taken by more than one person.
Internal reviews should also determine the extent of a bank’s compliance with company policies and procedures, as well as with legal and regulatory policies.
Adequate escalation procedures are a key element of the internal control system.
The sophistication of the bank’s risk management infrastructure, including in particular a sufficiently robust data, data architecture and information technology infrastructure, should keep pace with developments such as balance sheet and revenue growth; increasing complexity of the bank’s business, risk configuration or operating structure; geographic expansion; mergers and acquisitions; or the introduction of new products or business lines.
Banks must have accurate internal and external data to identify and assess risk, make strategic business decisions and determine capital and liquidity adequacy.
The board and senior management should give special attention to the quality, completeness and accuracy of the data used to make risk decisions.
While tools such as external credit ratings or externally purchased risk models and data can be useful as inputs into a more comprehensive assessment, banks ultimately are responsible for the assessment of their risks.
Risk measurement and modelling techniques should be used in addition to, but should not replace, qualitative risk analysis and monitoring.
The risk management function should keep the board and senior management apprised of the assumptions used in and potential shortcomings of the bank’s risk models and analyses.
This helps ensure more complete and accurate reflection of exposures and may allow quicker action to address and mitigate risks.
As part of its quantitative and qualitative analysis, the bank should utilise stress tests and scenario analyses to better understand potential risk exposures under a variety of adverse circumstances.
• Internal stress tests should cover a range of scenarios based on reasonable assumptions regarding dependencies and correlations. Senior management and, as applicable, the board should review and approve the scenarios that are used in the bank’s risk analyses.
• Stress test programme results should be periodically reviewed with the board or its risk committee. Test results should be incorporated into the reviews of the risk appetite, the capital adequacy assessment process, the capital and liquidity planning processes, and budgets. They should also be linked to recovery and resolution planning. The risk management function should suggest if and what action is required based on results.
• The results of stress tests and scenario analyses should also be communicated to, and given appropriate consideration by, relevant business lines and individuals within the bank.
Banks should regularly compare actual performance against risk estimates (ie backtesting) to assist in judging the accuracy and effectiveness of the risk management process and making necessary adjustments.
In addition to identifying and measuring risk exposures, the risk management function should evaluate possible ways to mitigate these exposures.
In some cases, the risk management function may direct that risk be reduced or hedged to limit exposure.
In other cases, such as when there is a decision to accept or take risk that is beyond risk limits (ie on a temporary basis) or take risk that cannot be hedged or mitigated, the risk management function should report and monitor the positions to ensure that they remain within the bank’s framework of limits and controls or within exception approval.
Either approach may be appropriate depending on the issue at hand, provided that the independence of the risk management function is not compromised.
Banks should have risk management and approval processes for new or expanded products or services, lines of business and markets, as well as for large and complex transactions that require significant use of resources or have hard-to-quantify risks.
Banks should also have review and approval processes for outsourcing bank functions to third parties.
The risk management function should provide input on risks as part of such processes and on the outsourcer’s ability to manage risks and comply with legal and regulatory obligations.