3 Reasons Chief Risk Officers Fail

You’d think that a bank with a chief risk officer would have a strong handle on careful risk management, but like a lot of what we’ve learned from the financial crisis, logic doesn’t always apply.

At least that’s the finding of a new study, which concluded that big banks that employed a CRO were far more likely to be overexposed to the riskiest new financial derivatives. The study, The Hazards of Expert Control: Chief Risk Officers and Risky Derivatives, was published in the American Sociological Review and discussed by its authors in a Harvard Business Review article. It’s based on studying the derivatives use of the 157 largest U.S. banks between 1995 and 2010.

The researchers suggest three reasons why CROs at these banks didn’t properly manage risk.

  1. Their job was to maximize profits, not manage threats. Ask any good chief risk officer what her job is, and she’ll tell you that she’s there to identify, assess, mitigate and monitor risk. She is guided by her institution’s appetite for risk and helps the board and management make strategic decisions that align with it.

    That’s not what was happening in many big banks using risky derivatives, the researchers believe:

    “In hitching themselves to the shareholder-value bandwagon, they had to abandon their old mantra of reducing risk, which wasn’t seen as being in the interest of shareholders. Instead, they embraced a new mantra of ‘maximizing risk-adjusted returns,’ which involved using their expertise to bring risk right up to the edge of allowable limits, with no wasteful margin for error.”

  2. No one else cared about risk management. Risky behavior was more common at banks with CROs because management and employees were less inclined to worry about risk, mentally outsourcing the task to the CRO. It’s a psychological concept called moral licensing.

    “In creating a new, high-level position to oversee risk management (signaling that the bank was ‘risk aware’), executives may have encouraged the managers of other bank departments to become less cautious in policing their own risky behavior.”

  3. The CRO wasn’t supported. A CRO may be responsible for policies and strategies, but those won’t go anywhere without management and board support. If management chooses to turn a blind eye to risk when tempted by increased profits or encourages a CRO to engage in overly risky strategies, risk management will be nonexistent. Unfortunately, some CEOs were incentivized to prioritize short-term profits over long-term stability.

    “When they [CEOs] had more skin in the game — for example, if they held a lot of stock in the company — they restrained the CRO’s push for risky derivatives. But the opposite was true when CEOs received more compensation in the form of performance pay (like a big cash bonus), which rewards outsize risk taking but doesn’t penalize losses.”

The lesson here is clear. It’s not enough to have an employee with the title CRO. Everyone at an institution, especially those at the top, needs to make risk management a priority. While a smart risk management strategy can help bolster profits, the true goal of risk management is to balance profits with protecting the institution from threats to its long-term success.

If your board and management aren’t taking risk management seriously, now is a good time to start.