Skip to main content

Evolution of the Chief Risk Officer

Anusha Ramaswamy and Reet Bhambhani

Chief Risk Officer - Key Imperatives

In the aftermath of the NPA blowout, the stress across key financial institutions both in the public and private sector and the potential of a contagion effect, the burning need for stringent risk management practices emerged as a top priority for financial institutions including NBFCs.

Therefore, it came as no surprise when the Reserve Bank of India intervened to define a set of guidelines to give definition to the role of a Chief Risk Officer (CRO) in NBFCs.

Earlier, in 2017, RBI had prescribed rules for CROs in the banking ecosystem. Purpose of the CRO

As per the recent announcement, RBI has mandated NBFCs with asset size of more than INR 5,000 crores to appoint a Chief Risk Officer who will function independently to ensure the highest standards of risk management. While this is a welcome move, the natural question that follows is – How does an organisation safeguard the independence of the function?

Thankfully, the RBI addressed this very matter by resting this responsibility on the Board of the company. The RBI directed that the Board put in place policies to safeguard the independence of the CRO. In this regard, the CRO shall have direct reporting lines to the MD and CEO/Risk Management Committee (RMC) of the Board. In case the CRO reports to the MD & CEO, the RMC/ Board shall meet the CRO without the presence of the MD & CEO, at least on a quarterly basis.

In our experience of driving senior leadership searches in the risk management domain, one of the first enquiries that an accomplished CRO makes is to understand how the risk function is positioned within the organisation. It was not uncommon to see raised eyebrows at the mention of the function reporting into the Business Head (Retail or Wholesale).

By clarifying that the CRO shall not have any reporting relationship with the business verticals of the NBFC and that he shall not be given any business targets, the RBI has addressed a very important concern which is at the core of sound risk management practices.

We are already witnessing similar changes in large, legacy banks and financial institutions which have learnt their lessons and are bringing in the necessary structural changes to risk & internal control functions to ensure that the organisation adopts prudent risk management practices that help prevent any inherent conflict of interest and help maintain better asset quality trend across cycles.

Role of the CRO As stated by the RBI, the primary role of the Chief Risk Officer will be the identification, measurement and mitigation of risks.

All credit products (retail or wholesale) shall be vetted by the CRO from the angle of inherent and control risks. According to the RBI, the CRO’s role in deciding credit proposals shall be limited to being an adviser. Further, there shall not be any ‘dual hatting’ i.e. the CRO shall not be given any other responsibility.

In a traditional NBFC, the retail risk organisation is typically comprised of the following functions: Policy, Fraud Risk, Collections, Analytics, Credit Operations and Underwriting.

Especially in Microfinance and Housing Finance entities, setting up a strong collection of frameworks and developing systems and processes aimed at bringing in more collection efficiencies become crucial.

Although the CRO is tasked with maintaining the overall health of the portfolio, we believe the risk culture of an organisation takes shape when the business also drives prudent decisions enabling the CRO to be an effective leader and a force to reckon with. The CRO will need to continue as a business partner sharing the ownership for stable growth as much as the other CXO stakeholders in the system.

Such is the magnitude of focus on maintaining a good quality book that even P&L leaders are being evaluated against. The Way Forward

Conversations about risk management are not in isolation anymore, stake-holders across the board keep reviewing if their risk management infrastructure can withstand the current stress of the market while also being future-proof. It will be interesting to see how NBFCs respond to the RBI directive and if it will be similar to the ripples that we see in the banking industry at the moment. The larger question being - Is the requisite talent available in the market?

Our clients in the retail lending space have increasingly veered towards bringing in CROs who are in tune with the disruption in business models backed by new-age technology that can identify the best practices to combat future risks.

Successful CROs of the future should have the ability to foresee and address new challenges. They should have the affinity to work with huge data sets and must have a solid understanding of risk & collections analytics. They must also simultaneously be able to harmonise cross-functional teams. These qualities will differentiate a modern-day CRO from a traditional one. The new-age CRO is expected to leverage digital technologies (AI, Data Analytics, and ML) to transform underwriting & decision in order to help build a robust risk management organization for the company.

The Indian lending ecosystem has seen the emergence of CROs who come from unconventional backgrounds to be a part of a growing market like India. The industrial trend is also indicating an increased appetite for hiring diverse talent among traditional organisations.

Our clients have hired risk officers from companies (Global Banks, FinTech or NBFCs) that have demonstrated agility in areas around Portfolio Management, Analytics, Enterprise Risk Management, Stress Testing and Financial Modelling.

With the changing definition of a CRO’s role, searches have taken a different turn. There is greater integration of operational risk into credit risk management and more emphasis on bringing in a strategic CRO versus a transactional one. As Boards evaluate CROs, it is important to not lose sight of their track records.

Going forward, institutions will have to be more proactive in their approach as only remedial measures may not enough to tide through difficult business cycles. As regulatory requirements, consumer behavior and spending patterns are rapidly evolving, companies with a robust credit risk department will stand the test of time.