Recruiting a Chief Risk Officer

The Chief Risk Officer [CRO] is a critical role for Financial Services institutions. The potential for damage to investments, business units and the whole banking system came into stark focus following the 2008 financial crisis. Since then, regulation has been expanded and strengthened and we now see stress testing, credit risk exposure and liquidity under regular and rigorous review. New risk categories have developed around privacy and the protection of personal data while technology has precipitated a whole new range of fraudulent activity.

rook chessboard risk management concept

Foreign banks, FinTechs and challengers entering the market have led the demand for CRO talent to outstrip supply which, in turn, has seen packages becoming more attractive. In 2020, CROs are even further to the fore as COVID-19 disrupts the credit cycle to an unprecedented level, disperses workforces and drives the rapid development of new processes, procedures and working practices. With the risk environment more complex than ever, the demand for top talent will only increase.

In 2015 the FCA replaced the Approved Persons Regime with the Senior Managers and Certification Regime [SMCR] that aims to main optimum governance levels through the selection of accountable, senior personnel and to manage contingencies for when key roles become vacant. The pandemic has seen some temporary flexibility built-in, but the modern CRO needs to have a specific range of skills, experience and expertise while demonstrating genuine leadership capability. It’s a difficult role to cover for.

Responsibilities of the CRO

The CRO generally takes responsibility for Credit Risk, Operational Risk, Market Risk, Compliance and Financial Crime although the profile varies between institutions. These areas of responsibility mean that the CRO’s activities have a significant impact on a bank’s risk profile. As such they are considered “material risk takers” [MRTs] in legislation drawn up by the EBA and enshrined by the FCA. As a result, variable remuneration is controlled (more below). Here is a typical list of a CRO’s responsibilities for a large bank.

  • Primary risk partner across all risk types collaborating with Compliance, Market and Operational Risk departments.
  • Leading the Credit Risk Function, including credit policy, approvals and analytics; portfolio monitoring and quality assurance.
  • Leading the Fraud Analytics and oversight team.
  • Leading collections, default, and loss mitigation teams.
  • Second-line oversight of consumer banking and fraud operations.
  • Recommending relevant tools and technology.
  • Monitoring wider investment in risk management;
  • Identifying emerging risk issues and initiating mitigation strategies.
  • Monitoring the implementation and effectiveness of risk mitigation strategies and policies.
  • Maintaining cost discipline.
  • Ensuring the consistency and rigour of customer treatment processes.
  • Integrating risk considerations into all activities designed to enhance shareholder value
  • Leading relationship management with regulators, rating agencies, auditors and other industry bodies.
  • Collaborating on risk management as it relates to talent management, succession planning, performance management and employee engagement.

Selection Considerations from the CRO Perspective

The list will vary, it may include generic senior management responsibilities and could mention headline challenges a bank faces or initiatives it plans to implement. This leads to an important point about transparency. There have been incidences, even very recently, of newly-appointed CRO’s leaving banks due to risk exposure that they discovered after on-boarding. It is worth signing NDAs with the shortlist of candidates involved during the selection process so that transparent disclosure can be managed in a controlled environment. The exposure that CROs face due to the SMCR means that candidates are wary of inheriting unacceptable risk unless this has been disclosed in advance and there have been assurances that the resources are in place to remediate the situation. They also need to know that they have full accountability and veto rights and that there is suitable expertise in place to cover for them in their absence to a level acceptable under SMCR.

Compensation

Risk is a specialist area for Healy Hunt. We have placed many senior executives and, as the risk function has increased in prominence, we have helped to build out entire risk departments. The advent of the SMCR has seen compensation levels increase to such an extent that the market for risk roles has become more dynamic. In the same regulatory context, banks are motivated to keep non-revenue generating divisions as lean as possible. However, they understand the cost implications of unnecessary churn and the fact that this can be exacerbated by below-average remuneration and the under-resourcing of key departments.

Depending on the organisation’s profile – we typically work with small to medium-sized companies across banking and other specialist Financial Services sectors – a Head of Credit Risk or Operational Risk can command a salary in the region of £130,000 – £180,000 but the trend is upwards and we have seen ranges with upper limits as a high as £250,000.

For CROs, as with most senior managers, an integrated reward package is a better base for benchmarking. The SMCR means the CRO is held strictly accountable for their role beyond the level of divisional risk managers. This elevated responsibility demands a financial package that reflects the consequences of failing to prepare sufficiently to protect against a regulatory breach or other failure. The responsibility associated with some London roles is even greater due to their regional EMEA scope. Compensation for a CRO typically comprises salary, bonus, pension, equity and other benefits.

The following ranges are based on recent data but there is variance within these numbers and clear overlaps, any range can be stretched by the nature of a company’s activities, the urgency of the appointment and the calibre of the candidate. As such, they can be treated as no more than qualified guidelines:

Small challenger banks recruit CROs at circa £180-£220,000. Credit cards and payment companies have been a touch higher at £200-£300,000. International banks with smaller UK footprints, Tier 1 challengers and building societies have a wider range of £220-£350,000. Then, in corporate and institutional banking, the wide range stretches from £220,000 to median salaries around £400,000 with some exceptional regional roles at the largest banks demanding up to £800,000.

Bonuses and Incentives

Annual bonuses are capped at 100% of base salary in line with EBA, FCA and PRA regulations relating to material risk takers but this can flex to 200% with shareholder approval. CROs typically qualify for their annual bonus with the average pay-out standing at around 48% of salary. The PRA requires that for variable remuneration in excess of £500,000, 60% should be deferred. We have not yet placed or spoken with a CRO whose variable pay exceeded this threshold, however, we believe that increasing demand could see this happen in the near to medium term.

Pension

Due to the experience required for the role, most CROs have reached their lifetime allowance caps for pension contributions. This benefit is generally still provided as a non-contributory cash equivalent at around 15% of base salary. This amount is received alongside regular remuneration and is subject to PAYE taxation.

Benefits

Benefits are the lowest value portion of any package but some elements are non-negotiable in the eye of CRO candidates, especially life insurance, health insurance and critical illness cover. As a group, employer support for professional development programmes is also seen an attractive feature of any package. Other benefits include the typical range of well-being vouchers, discounted memberships, retail offers and annual leave allowances of up to 30 days.

Summary

Banking finds itself in a fluid position as lockdown starts to ease. The industry is far healthier than it was when emerging from the 2008 crisis but the risk environment has become more dynamic and the role of CRO will only increase in stature and market value. It is advisable and necessary for banks to proactively manage retention and contingency policies for senior risk professionals. When seeking to attract new talent, they must be prepared to pay market rates and to carefully consider the motivations and concerns of potential CROs.

Close