with previous risk management and/or banking experience.
• Three banks have only one independent committee member with what we consider to be the ideal risk management/banking background.
• Four banks have broad banking representation on the
committee, but the independent members do not have specific
risk management experience.
These findings are applicable to both complex institutions
and universal banks; indeed, with regard to committee composition, there are no clear-cut differences between the two
types of banks examined in this article.
CROs in Place, but Other Lines Need Strengthening
As mentioned previously, both industry groups and regulators have recently emphasized the importance of not only
the role of the board of directors in risk oversight but also
the authority of the CRO. The insufficient authority of some
CROs, and the lack of regular contact between them and
banks’ senior executives and board members, have been
deemed to be important contributing factors to the management failures at some banks.
Going forward, a strong and empowered risk management
function is a key element for more resilient banks. Assessing
the effectiveness and authority of a CRO is challenging, but
there are two features that can offer a signal of the positioning of the CRO within the firm: the first relates to the reporting line; the second to his or her position with respect to the
bank’s management team (see Tables 3A and 3B).
Given the size and complexity of the banks we examined,
it is not too surprising that 90% of the banks have a dedicated CRO. Indeed, we would have expected that all banks
had a dedicated CRO, but this is not the case.
For 87% of the banks with a CRO, he or she is a member
of the bank’s executive management team. However, this is
the case only for 80% of all complex institutions (12 out of
15 banks). The geographical analysis shows that most of the
firms where the CRO is not a member of the executive committee are based in Europe (see Table 3B).
In addition, our results show that the CRO reports directly to the CEO (or the CEO and the board) 80% of the
time. For the remaining 20%, the reporting line of the CRO
is in some cases to the firm’s CFO. Complex institutions have
a higher percentage of CROs reporting to the CFO than
universal banks (see Table 3A).
From a geographical perspective, the percentage of CROs
reporting to the firm’s CFO is higher in Europe than in North
America or in Asia Pacific. Meanwhile, only three banks (one
on each continent) follow best practice, with the CRO reporting to both the CEO and the board.
Table 3A: CRO Position and Reporting Line — Breakdown by Type of Bank
| | Complex | Universal | Total |
| --- | --- | --- | --- |
| Dedicated CRO | 15 | 16 | 31 |
| CRO member of Executive Team/Committee | 12 | 15 | 27 |
| CRO reports to CEO and Board | 2 | 1 | 3 |
| CRO reports to CEO | 8 | 14 | 22 |
| CRO reports to CFO | 3 | 0 | 3 |
| Other reporting line | 2 | 1 | 3 |
| No dedicated CRO | 0 | 4 | 4 |
| Total | 15 | 20 | 35 |
Table 3B: CRO Position and Reporting Line — Breakdown by Region
| | | Europe | | Total |
| --- | --- | --- | --- | --- |
| Dedicated CRO | 9 | 18 | 4 | 31 |
| CRO member of Executive Team/Committee | 8 | 15 | 4 | 27 |
| CRO reports to CEO and Board | 1 | 1 | 1 | 3 |
| CRO reports to CEO | 7 | 12 | 3 | 22 |
| CRO reports to CFO | 1 | 2 | 0 | 3 |
| Other reporting line | 0 | 3 | 0 | 3 |
| No dedicated CRO | 1 | 3 | 0 | 4 |
| Total | 10 | 21 | 4 | 35 |
Final Thoughts
The results presented in this article show that there is significant room for improvement in each of the risk governance
areas we have assessed.
The presence of a dedicated risk committee is still not a
common practice across large banks, with the audit committee
often taking on risk oversight duties. In these cases, there is a
danger that the audit committee might not have sufficient time
to meet its whole remit (including risk oversight) effectively.
Banks that have an all-risks committee also have their share
of flaws. For example, even in a year of market turmoil (like