The six habits of highly successful chief risk officers

In just the past few years, a series of unprecedented and fast-moving threats have disrupted organizations. How companies, particularly financial institutions, respond to these complex risks has profound implications.

The COVID-19 pandemic wreaked havoc on credit models, and social media has played a leading role in accelerating bank runs to real time. The latter exposed a systemic risk that has required banks to rethink their liquidity and interest rate models.

No one feels these changes more than the chief risk officers (CROs) at financial institutions. Traditionally, these CROs focus on dealing with financial risk and limiting credit and market losses—both critical for keeping institutions safe for customers and the economy at large. But over time, a new era emerged in which CROs faced greater nonfinancial risk amid pressure to boost the bottom line. Today’s evolving risk environment once again puts new pressures and requirements on CROs.

To be successful these days, CROs need to exert more influence and manage more risk. They need to do so amid mounting scrutiny from supervisors while building the business. Most important, they need to embed future-ready resilience in their institutions. As Richard Treagus, CRO of Old Mutual Limited, told us, resilience has become the North Star guiding the CRO office and leadership suite: “We [as CROs] really need to demonstrate that organizational resilience is respected, healthy, and a high priority.”

To understand just how much the CRO role is changing and which mindsets, skills, and best practices are now required for excellent risk leadership, McKinsey conducted in-depth interviews and surveyed more than 30 current and former CROs of major financial institutions worldwide; each of these individuals has spent at least five years in the role.

Through these discussions and our own insights, we identified six essential habits of successful CROs today:

  1. They are explicit about their risk and resilience purpose and vision and champion a risk-aware culture.
  2. They invest in, empower, and create the next generation of risk–and other–leaders.
  3. They lead beyond risk by engaging deeply with other C-suite leaders and the board to accomplish business, resilience, and risk objectives.
  4. They treat supervisors as partners and are fully transparent.
  5. They focus on what only the CRO can do by integrating insights across the organization to anticipate future threats and strengthen resilience.
  6. They continually monitor their personal effectiveness and take steps to manage time.

Many of these habits may seem familiar, but how well CROs utilize them varies. CROs told us they should be applied across all decisions. Indeed, CROs who follow these habits are more likely than their peers to manage risk more effectively and embed resilience in the organizations they lead.

Habit 1: Be explicit about the risk and resilience purpose and vision and champion a risk-aware culture

Given the expanding scope of potential risks, now more than ever, employees in financial institutions’ risk functions need a North Star. This guiding principle is an understanding of the organization’s long-term vision, mission, and objectives relating to risk and resilience—and a risk culture to match. The most effective CROs relentlessly pursue the North Star and continually evaluate whether an organization is following it or not.

To develop this North Star, CROs will need to think beyond regulatory compliance and safeguarding the bank. While both remain essential, they are no longer sufficient as the focus for the risk function.

A good first step for CROs is to reflect on the following questions: What is the company’s overarching strategy? How does our organization differentiate itself through our business model? What areas are most important to us? What do our stakeholders care most about? What does success look like? A CRO who regularly helps the risk organization answer these questions can significantly boost institutional awareness and engagement.

For some CROs, the North Star is articulated in a mission statement. One risk team used 360-degree feedback from C-suite leaders, business leads, and the risk team to come up with one. Another CRO told us his organization intentionally separated its mission statement into three sections: to set standards for the whole organization, to partner with the board and the CEO to maximize the return on capital invested in resources, and to meet regulatory and external standards (including for shareholders and communities served). Still another CRO reported that their institution’s rallying cry can be summed up in one word: trust. Everything they do must reinforce customers’ and employees’ trust in the institution.

Getting buy-in on the value proposition can yield benefits to a risk function. A veteran CRO we spoke with said aligning values with management, shareholders, and the communities the bank serves not only demystifies risk and provides greater understanding but also helps to provide a margin for error. Stakeholders will “give you a lot of latitude to make mistakes, to manage through difficult times, if they see that your values and their values are aligned,” he said.

With the vision in place, CROs can champion risk culture across the organization and foster a risk-aware culture in line with their purpose and vision. As Frank Roncey, CRO of BNP Paribas, explained, “One of my primary focuses is to preserve the risk culture of the bank, which has served us quite well so far. This doesn’t mean we are necessarily conservative; it means we are disciplined, demanding, and thorough.” Roncey considers himself “guardian of the temple,” and his chairman sees the risk team as “angels of the bank.”

“Among other things,” Roncey said, “I am tasked to ensure that this culture is kept across generations. This is done through strong, principles-based risk decision making at the highest level of the organization and through clear communication about the decisions, drawing and sharing lessons from risk events or our mistakes, and explaining our decisions to younger colleagues.”

One CRO would encourage transparency and timely escalation by letting his team know that “if you tell me about a risk issue and that issue subsequently blows up, then that’s my problem. If you don’t tell me, then it’s your problem.”

Establishing a mission, vision, and risk culture won’t happen overnight; nor is it easy. One CRO described it as a “cultural journey” in which risk and resilience principles slowly permeate into all levels of the organization. Lorie Rupp, who has been the CRO at First Citizens BancShares since 2017, used a creative way to champion risk culture. “We found a picture of one of the teller stations in Smithfield where they had bars on the teller windows. That was risk management back in 1898. We have been managing risk as a company since the beginning of time. Then I started telling that story and everybody invited me to do that with their teams. It became a little bit of a road show to make the point that risk management is what we do every day.”

Having merged risk into the organization’s vision—and continually nurturing it—CROs have elevated their role. It’s moved from traditional risk management to one in which a resilient culture fuels and, in many ways, leads growth. But this change doesn’t happen without a team built to meet today’s unprecedented changes.

Habit 2: Invest in, empower, and create the next generation of risk–and other–leaders

The demands of managing in today’s increasingly complex risk environment require CROs to build a bench that meets the moment. That’s why CROs create the next generation of risk leaders—and, ultimately, the organization. They do so by building a diverse team, delegating to and empowering the team, and planning for leadership development and succession from the beginning.

The CROs told us that the most critical aspect of diversity is diversity of thinking. Achieving this involves combining different backgrounds, experiences, and skill sets.

CROs also said that as nontraditional professionals learn risk, they bring their experience and point of view on board. Many leaders purposely shift workers in and out of risk and between the first and second lines of defense. In doing so, they gain a broader perspective while making external talent attraction easier. Role shifts need to happen inside the risk function as well. The same principle applies to geography. By rotating risk professionals around its geographic footprint, an organization creates opportunities for team members to share insights and adds a boots-on-the-ground perspective while also reinforcing the risk culture.

Another essential component of building a future-ready, resilient risk team is directly investing in them. CROs told us they spend an average of 34 percent of their time with members of the risk function. In this way, they get to know a team’s strengths and weaknesses and its natural leaders.

For Mahesh Aditya, CRO at Santander Group, staying close to leaders in his organization during a crisis provides important insights. Aditya said that in stable times leaders often seem strong, but in a crisis, some show weakness and indecisiveness. “Do they instinctively lead or look for someone to blame . . . for me, this is the first true test of a leader,” he said.

It’s a process of learning and development. Many CROs told us they consistently check in with their people to give feedback. They want employees to not just accept feedback but ask for it. Successful CROs model this behavior by asking for feedback themselves. “That sets a tone of deliberate vulnerability and being open to growth, and that makes it OK for other people to do the same,” said a former CRO.

Or, as former Ally Financial CRO Jason Schugel puts it, “We have some uncomfortable conversations [as a leadership team]. That’s OK. But if we don’t have those conversations, we won’t get any better.”

CROs cull top performers among junior risk professionals. They prepare them for future growth and career elevation within or outside the risk organization. Day-to-day, this can include showcasing them with an organization’s executive team, business leaders, and, in some cases, the board.

As with other C-suite roles, meetings, dinners, and other events are places where CROs introduce the next wave of talent. CROs allow their top people to shine, present, and answer questions. For instance, Brian Leach initiated the Women in Risk program at Citigroup. It aims to elevate women through training and added visibility, preparing them for senior leadership roles in risk and beyond.

Handing off to junior team members can be a tall order for many CROs who feel the weight of responsibility, but as former Goldman Sachs CRO Craig Broderick said, “You don’t want to be defensive of your own position; if [junior risk partners] are successful, you’ll be successful.” He adds, “A CRO shouldn’t be insecure in that regard. For a successful organization and a successful person, there’s more than enough credit to go around.”

In addition to building a top team of risk professionals, the goal of developing talent is to produce a future CRO. It’s not unusual for a CRO to think about succession planning on their first day on the job. At the start, there may not be an obvious candidate or front-runner, and one may not immediately emerge. Yet a CRO can nurture candidates by sharing insights and building personal relationships with the risk team.

Ultimately, these moves pay off by giving leaders the ability to delegate when necessary. Top performers take center stage and are more prepared for succession. A major part of that training will also include learning a habit that is critical to CRO excellence today: building deeper and more influential relationships with the C-suite and board.

Habit 3: Lead beyond risk by engaging deeply with the executive team and board to accomplish risk and business objectives

Today’s leading CROs don’t simply inform the board and the CEO; they become a vital member of the executive team and a trusted adviser to the board. They’ve built a deeper relationship that keeps risk and resilience synced with the organization’s overall mission. They communicate early and often and generate debate, which ensures there are no surprises.

In relationship building, successful CROs are close to the board and executive team so nothing comes as a shock. CROs who see themselves as business drivers in their institutions are especially adept at this. CROs told us they spend up to 56 percent of their time with the executive team and board. Those interactions go far beyond formal meetings. Some CROs have informal talks with the CEO every day. They also talk to the board risk committee often, sometimes meeting more than once a month.

CEOs and boards always welcome good news. But CROs have an obligation to deliver uncomfortable news when needed. Having an ongoing dialogue makes hard discussions easier and fortifies the principle of “no surprises.”

Relationship building, of course, requires adapting the language of risk and resilience to the language of board members. Because of diverse backgrounds, some on the board may not be fluent in the technical dialect of risk management. Some CROs see themselves as translators for the rest of the organization. They use business-focused wording instead of the risk jargon that their teams sometimes use.

Being able to cross over effortlessly into business goes beyond words. Today, CROs are more engaged with business decision making, including regarding strategy, products, markets, and M&A. They understand revenue generation and strategic priorities.

One CRO holds regular “teatime” with the organization’s chief information officer (CIO). These talks help them both understand the organization’s technology and information priorities, as well as the risk implications.

As some CROs put it, conversations aren’t always and shouldn’t always be about risk. Talking about a wide variety of issues—or what a business leader cares about—helps avoid an “us versus them” mindset as the CRO demonstrates strong interest in business development.

One of the markers of effective engagement, said one CRO, is “being called into the room when you don’t need to be there and being asked to be involved in crafting a business case on day one, instead of having it handed to you for limit approvals when it is fully baked six months later. Success as a CRO is when instead of having to make outbound calls to get information and make things happen, you receive inbound calls.”

The goal is to create relationships that allow for honest discussion and avoid leaders viewing challenge as criticism. “You’re going to take risks, and you’re going to make mistakes,” Broderick said. “That’s perfectly fine so long as the distribution of those mistakes and the composition of those mistakes or losses … fall within parameters and within a spectrum that you clearly identify to the respective constituent as being possible outcomes.”

Familiarity, trust, openness, and understanding are ways in which CROs have reshaped their role to make an organization more resilient. Yet these qualities aren’t limited to the organization. They are needed to shift relationships with supervisors and regulators into collaborations that benefit both sides.

Habit 4: Treat supervisors as partners, and be fully transparent

Just as CROs need to understand and influence the leaders in the C-suite and boardroom, CROs should establish successful working relationships with supervisors. They should find a common ground with supervisors and try to understand their perspectives, motivations, and what makes them successful. They should also be transparent and proactive in discussing both good and bad developments.

A key to building a constructive relationship is internalizing the supervisor’s priorities and understanding what problem the supervisors intend to solve.

One CRO told us they begin every conversation with a supervisor assuming they have a different view. Supervisors worry about their jobs, too. So CROs should begin by trying to understand and support the priorities of their supervisory counterparts.

A mindset of collaboration is essential. Successful CROs meet often with supervisors and openly discuss what’s happening in their business. Similar to the habit of engaging the executive team and CEO, CROs should aim to avoid surprises with their supervisors. It’s not uncommon among CROs today to think of supervisors as advisers on some topics.

“The important thing for any of us is to take time to understand what the regulator is trying to achieve,” said National Australia Bank’s (NAB’s) Shaun Dooley. “We need to see them as partners, not adversaries, and take a relationship management approach with them. We have an active relationship-planning mindset internally in the way we engage with regulators.” Another CRO said, “You need to be transparent and collaborative, or else in the long term you lose,” adding, “We are very challenging with supervisors, but never aggressive … we try to anticipate their requests, we come very prepared, with a lot of data and facts to defend our position. For this reason, [supervisors] respect us.”

Some CROs emphasize their ability to influence rule making and policy when relationships are strong and trust is established. Trust enables supervisors to lean on CROs for guidance. After all, CROs are closer to the communities that supervisors are seeking to keep safe.

Fostering stronger relationships with supervisors and regulators is one way a CRO can bring a unique skill set and value to an organization. But there’s more that a CRO is especially suited to do, and the most successful make a habit of it.

Habit 5: Focus on what only the CRO can do by integrating insights across the organization

Inside the organization, successful CROs see three unique levers they can use to help their institutions succeed. First, they have a distinctive vantage point, granting them visibility and access to details across the entire organization as well as to external trends. It provides them with an independent view on cross-cutting issues with the greatest risk and resilience implications. Second, they can afford to take a longer-term vision and build resilience for future events. Finally, they are the ones managing the deployment of resources against risks that threaten the institution.

It’s my accountability at the top of the house to have my own independent, supported-by-facts analysis. [It’s my responsibility to offer an] extreme amount of rigor and data to give my own personal, independent view of how we’re operating within or without our risk appetite. I’m the only one who can do that.

Lorie Rupp, CRO, First Citizens BancShares

Successful CROs who engage in Habit 1—being explicit about their function’s purpose and vision—have already infused risk and resilience into the organization. In turn, the business, when guided by the risk function, is always working to strengthen its resilience to make sure it is ready for any disruptions.

Since risk can be unpredictable in nature and timing, CROs need to build capabilities to prepare the institution for future crises that are at least partially unknown. They do so by learning from their organizations’ responses to previous crises while always looking ahead for the next potential crisis. They are ready to use those lessons not only to reduce risks but also to find opportunities that help their institutions’ business goals.

Leaders and the board may be influenced by short-term goals and pressure from investors. But the CRO is in a special—if not easy—position to help an organization find balance. As Sadia Ricke, group CRO at Standard Chartered, put it: a CRO needs to have developed “influence and gravitas” to remind leaders of the medium- and long-term impact of short-term decisions. She said, “You may, at times, not be the most liked person in the room, so you need to be prepared for this and be courageous nonetheless.” Westpac CRO Ryan Zanin said, “Even in a crisis, my demeanor is calm. That doesn’t mean I don’t have anxiety or concerns about things. But I think slowing things down initially to figure out what are the three things that we must do right away, and then what are the things that can wait until later, can enable you to run faster with confidence.”

Just as successful CROs make a habit of finding the right balance of their time to give to current and potential issues, they also need to manage organizational resources with the same judicious approach.

“The things that should come to me are the really big resource allocation decisions or major complex or large exposure issues or strategy for the organization,” said David Kimm, former CRO of R&T Deposit Solutions. “Those are the ones I ought to be seeing, and my organization better worry about the rest.”

Costs and budgets may force CROs into tough choices regarding resource management. For NAB’s Dooley, reallocating resources can run afoul of a more traditional approach such as adding workers to solve a problem. “My role is to actually say, ‘You know what? I’m going to disinvest in this part of the risk function because we’re going to automate, and we’re going to invest here. And you all might not see that as the most important priority, but I do, and here’s why.’”

The habit of embracing what only a CRO can do means using a holistic view to “see around the corner” and make tough decisions. CROs need to learn from past crises, anticipate the next crisis, delegate responsibility to a trusted team, and manage resources—and their own time. Given all the new responsibilities CROs are taking on, they need to employ a final habit that keeps them balanced and ready.

Habit 6: Continually monitor personal effectiveness and take steps to manage time

Successful CROs also reflect on their own effectiveness. They are relentless and deliberate about how they spend their time, set goals, and prioritize. They maintain poise by identifying strategies to maintain work–life balance and their own long-term sustainability. These CROs recognize that running a risk function is a marathon, with occasional sprints. They ask for others’ opinions, regularly meeting with industry peers while developing an inner circle of close advisers they use to stay grounded and up to date.

Many CROs highlighted what they see as a paradox of the role. It’s one of the most interesting roles of their career, given its broad cross-cutting perspective on the institution. Yet it’s one of the most challenging, due to the vast range of issues to handle and the various demands of stakeholders.

How a CRO manages their time and resources goes beyond personal effectiveness. Being a role model is paramount. How a CRO balances work and life and sets boundaries around each is important to motivating a team—and themselves. So input from family and friends isn’t ignored. Many successful CROs have what they call a “circle of trust” that allows for honest feedback.

This includes people inside the organization who feel free to discuss a CRO’s performance, as well as outside voices. CROs say the more voices the better when trying to gauge their overall effectiveness.

[My mother’s wisdom was] any time you do something, always think about what it will look like six months later. . . . If that means doing something that gets you fired, at least . . . you will be able to say it was because you disagreed with the principle and not because you sold yourself.

Mahesh Aditya, CRO, Santander Group

And yet for all the value of close advisers, CROs need time alone to read and think strategically. They need to know about current issues, meet with people in the industry, go to conferences, and participate in think tanks.

To benefit from these perspectives without becoming overwhelmed, CROs need to delegate and manage time, not only for their teams but for themselves. CROs spend different amounts of time on daily risk issues. But all of them have spent at least a fifth of their time (29 percent on average) finding and preparing for potential risks. Some spend as much as 73 percent of their time on future threats, according to our survey.

One CRO told us that after getting feedback, they adjusted their work schedule to model better balance for their team—and themselves. Another said effectively prioritizing responsibilities can include simple measures such as cutting one-hour meetings to half an hour. And many mentioned receiving encouragement from their spouses and slotting exercise into their daily routines.

For all successful CROs, engaging in self-reflection and measuring performance are critical for the endurance necessary for the role. Input from professional and personal sources ensures that work does not impede life.


The six habits of highly successful CROs—being explicit about and championing the risk and resilience purpose, investing in the next generation of leadership, leading beyond risk, partnering with supervisors, focusing on their unique role, and continuously improving their effectiveness—are essential practices that enable them to meet the challenge of today’s unprecedented risks.

Ultimately, these habits stem from the acute need for resilience and are crucial for embedding a strong risk culture within the organization. By adopting these habits, CROs can evolve their roles from risk managers to influential leaders who drive the organization’s success and sustainability in an ever-changing environment.
