The role of the risk officer
We have described some responsibilities for a risk officer at the index of risk-officer.com, but it is good to remember that there is no common job description, and where there is one, it is far from uniform.
This is an example from the market:
Under the direction and supervision of the governance director, you will be responsible for executing the risk and governance program by performing the following:
- Risk Register: Maintain a risk register based on the identified applicable laws and regulations, fraud schemes, and AML considerations.
- Controls Catalogue: Based on review of procedures and walkthroughs, maintain an inventory of internal controls and map them to key risk areas.
- Issues Management: Track the progress of remediation of control weaknesses identified by Internal Audit, self-testing, or controls assessment.
- Risk Assessment: Assist in the execution of the corporate compliance, fraud, and BSA risk assessments by identifying the key risks and assessing mitigating controls to determine the risk profile for the organization.
- Risk Monitoring: Assist in the development and monitoring of key risk indicators (KRIs) that are mapped to various risks to determine elevations in risk and proactively implement risk mitigation measures.
- Emerging Risks: Identify emerging risks that present new regulatory, fraud, or money laundering risks. These includes risks associated with new products and services, customer types, geographies, and channels.
- Data Analytics: Coordinate the collection of risk information from source systems, departments, and reporting. Analyze the data and apply to various key risk areas to update the risk profile.
- Policy and Procedure Maintenance: Provide assistance to in developing and updating policies and procedures by enforcing document standards.
- Manage Document Library: Manage the publication, dissemination, and availability of compliance and financial crimes policies and procedures.
- Demonstrate strong knowledge of risks identification, assessment, and management frameworks.
- Strong knowledge of control frameworks and the ability to design and evaluate effectiveness of controls embedded within business processes.
- Knowledge of the risk and governance standards such as COSO framework, SR08-8, and the OECD and Basel Corporate Governance Principles.
- 5 years of experience working for a bank.
Must possess a bachelor’s degree in Business Administration, Accounting, Finance or equivalent. MBA or MS a plus. Strong skills in spreadsheets and in analyzing large volumes of data.
Basel III and the "risk management function"
Banks must have an effective independent risk management function, under the direction of a Chief Risk Officer (CRO), with sufficient stature, independence, resources and access to the board.
The independent risk management function is a key component of the bank’s second line of defence. This function is responsible for overseeing risk-taking activities across the enterprise.
The independent risk management function (bank-wide and within subsidiaries) should have authority within the organisation to oversee the bank’s risk management activities.
Key activities of the risk management function should include:
- identifying material individual, aggregate and emerging risks;
- assessing these risks and measuring the bank’s exposure to them;
- supporting the board in its implementation, review and approval of the enterprise-wide risk governance framework which includes the bank’s risk culture, risk appetite, RAS and risk limits;
- ongoing monitoring of the risk-taking activities and risk exposures to ensure they are in line with the board-approved risk appetite, risk limits and corresponding capital or liquidity needs (ie capital planning);
- establishing an early warning or trigger system for breaches of the bank’s risk appetite or limits;
- influencing and, when necessary, challenging material risk decisions; and
- reporting to senior management and the board or risk committee, as appropriate, on all these items, including but not limited to proposing appropriate risk-mitigating actions.
While it is common for risk managers to work closely with individual business units, the risk management function should be sufficiently independent of the business units and should not be involved in revenue generation.
Such independence is an essential component of an effective risk management function, as is having access to all business lines that have the potential to generate material risk to the bank as well as to relevant risk-bearing subsidiaries and affiliates.
The risk management function should have a sufficient number of personnel who possess the requisite experience and qualifications, including market and product knowledge as well as command of risk disciplines.
Staff should have the ability and willingness to effectively challenge business lines regarding all aspects of risk arising from the bank’s activities.
Large, complex and internationally active banks, and other banks, based on their risk profile and local governance requirements, should have a senior manager (CRO or equivalent) with overall responsibility for the bank’s risk management function.
In banking groups, there should be a group CRO in addition to subsidiary-level risk officers.
The CRO has primary responsibility for overseeing the development and implementation of the bank’s risk management function. The CRO is responsible for supporting the board in its development of the bank’s risk appetite and RAS and for translating the risk appetite into a risk limits structure.
The CRO, together with management, should be actively engaged in the process of setting risk measures and limits for the various business lines and monitoring their performance relative to risk-taking and limit adherence.
The CRO’s responsibilities also include managing and participating in key decision-making processes (eg strategic planning, capital and liquidity planning, new products and services, compensation design and operation).
The CRO should have the organisational stature, authority and the necessary skills to oversee the bank’s risk management activities. The CRO should be independent and have duties distinct from other executive functions.
This requires the CRO to have access to any information necessary to perform his or her duties.
The CRO, however, should not have management or financial responsibility related to any operational business lines or revenue-generating functions and there should be no “dual hatting” (ie the chief operating officer, CFO, chief auditor or other senior manager should in principle not also serve as the CRO).
While formal reporting lines may vary across banks, the CRO should report and have direct access to the board or its risk committee without impediment.
The CRO should have the ability to engage with the board and with senior management on key risk issues. Interaction between the CRO and the board and/or risk committee should occur regularly, and the CRO should have the ability to meet with the board or risk committee without executive directors being present.
Appointment, dismissal and other changes to the CRO position should be approved by the board or its risk committee. If the CRO is removed from his or her position, this should be disclosed publicly.
The bank should also discuss the reasons for such removal with its supervisor.
The CRO’s performance, compensation and budget should be reviewed and approved by the risk committee or the board.
Risks should be identified, monitored and controlled on an ongoing bank-wide and individual entity basis.
The sophistication of the bank’s risk management and internal control infrastructure should keep pace with changes to the bank’s risk profile, to the external risk landscape and in industry practice.
The bank’s risk governance framework should include policies, supported by appropriate control procedures and processes, designed to ensure that the bank’s risk identification, aggregation, mitigation and monitoring capabilities are commensurate with the bank’s size, complexity and risk profile.
Risk identification should encompass all material risks to the bank, on- and off-balance sheet and on a group-wide, portfolio-wise and business-line level. In order to perform effective risk assessments, the board and senior management, including the CRO, should, regularly and on an ad hoc basis, evaluate the risks faced by the bank and its overall risk profile.
The risk assessment process should include ongoing analysis of existing risks as well as the identification of new or emerging risks. Risks should be captured from all organisational units that originate risk. Concentrations associated with material risks shall likewise be factored into the risk assessment.
Risk identification and measurement should include both quantitative and qualitative elements.
Risk measurements should also include qualitative, bank-wide views of risk relative to the bank’s external operating environment. Banks should also have a method to identify and measure hard-to-quantify risks, such as reputation risk.
Internal controls are designed, among other things, to ensure that each key risk has a policy, process or other measure, as well as a control to ensure that such policy, process or other measure is being applied and works as intended.
As such, internal controls help ensure process integrity, compliance and effectiveness.
Internal controls provide reasonable assurance that financial and management information is reliable, timely and complete and that the bank is in compliance with its various policies and applicable laws and regulations.
In order to avoid actions beyond the authority of the individual or even fraud, internal controls also place reasonable checks on managerial and employee discretion.
Even in smaller banks, for example, key management decisions should be taken by more than one person.
Internal reviews should also determine the extent of a bank’s compliance with company policies and procedures, as well as with legal and regulatory policies.
Adequate escalation procedures are a key element of the internal control system.
The sophistication of the bank’s risk management infrastructure including, in particular, a sufficiently robust data, data architecture and information technology infrastructure – should keep pace with developments such as balance sheet and revenue growth; increasing complexity of the bank’s business, risk configuration or operating structure; geographic expansion; mergers and acquisitions; or the introduction of new products or business lines.
Banks must have accurate internal and external data to identify and assess risk, make strategic business decisions and determine capital and liquidity adequacy.
The board and senior management should give special attention to the quality, completeness and accuracy of the data used to make risk decisions.
While tools such as external credit ratings or externally purchased risk models and data can be useful as inputs into a more comprehensive assessment, banks ultimately are responsible for the assessment of their risks.
Risk measurement and modelling techniques should be used in addition to, but should not replace, qualitative risk analysis and monitoring.
The risk management function should keep the board and senior management apprised of the assumptions used in and potential shortcomings of the bank’s risk models and analyses.
This helps ensure more complete and accurate reflection of exposures and may allow quicker action to address and mitigate risks.
As part of its quantitative and qualitative analysis, the bank should utilise stress tests and scenario analyses to better understand potential risk exposures under a variety of adverse circumstances.
- Internal stress tests should cover a range of scenarios based on reasonable assumptions regarding dependencies and correlations. Senior management and, as applicable, the board should review and approve the scenarios that are used in the bank’s risk analyses.
- Stress test programme results should be periodically reviewed with the board or its risk committee. Test results should be incorporated into the reviews of the risk appetite, the capital adequacy assessment process, the capital and liquidity planning processes, and budgets. They should also be linked to recovery and resolution planning. The risk management function should suggest if and what action is required based on results.
- The results of stress tests and scenario analyses should also be communicated to, and given appropriate consideration by, relevant business lines and individuals within the bank.
Banks should regularly compare actual performance against risk estimates (ie backtesting) to assist in judging the accuracy and effectiveness of the risk management process and making necessary adjustments.
In addition to identifying and measuring risk exposures, the risk management function should evaluate possible ways to mitigate these exposures.
In some cases, the risk management function may direct that risk be reduced or hedged to limit exposure.
In other cases, such as when there is a decision to accept or take risk that is beyond risk limits (ie on a temporary basis) or take risk that cannot be hedged or mitigated, the risk management function should report and monitor the positions to ensure that they remain within the bank’s framework of limits and controls or within exception approval.
Either approach may be appropriate depending on the issue at hand, provided that the independence of the
risk management function is not compromised.
Banks should have risk management and approval processes for new or expanded products or services, lines of business and markets, as well as for large and complex transactions that require significant use of resources or have hard-to-quantify risks.
Banks should also have review and approval processes for outsourcing bank functions to third parties.
The risk management function should provide input on risks as part of such processes and on the outsourcer’s ability to manage risks and comply with legal and regulatory obligations.