Chief risk officers from leading financial services companies highlighted the growing interconnections of risk in banking and the importance of adapting to a new regulatory environment at a recent member event organized by the NYC Chapter of RMA.
Moderated by Jonathan Hummel, CRO for the Americas at Deutsche Bank, the panel included CROs Alex Golten of Goldman Sachs, Charles Smith of Morgan Stanley, Rajashree Datta of BNY, and Edward Fishwick of BlackRock.
Among the topics the speakers explored were the importance of integrating risk management thinking into the fabric of firms; taking a holistic view of risks to account for interconnectedness; and evolving traditional risk practices to incorporate an expanding set of emerging risks.
On the first topic, the leaders emphasized the need to embed risk management, from the top down, into the culture of the entire organization. Guided by a firm’s risk tolerance, managers at every level should take accountability for risk and reinforce similar expectations within their teams. Partitioning risk assignments between first- and second-line staff, one speaker warned, can create artificial boundaries between business and risk functions when what firms really want is to break down siloes and ensure everyone feels accountable.
Taking a holistic approach is essential given the increasing intensity of some risks and their relationships to one another. Cyber risks have risen, the panelists agreed, as have geopolitical concerns, though they noted that markets have, for the most part, ignored global conflicts and politics. “Animal spirits are pretty strong right now,” said one speaker.
When these and other traditional risks are considered together, the threats multiply and get “a little scarier,” said one panelist. Their views reflect a growing acknowledgment among risk experts that risk is increasingly non-linear, volatile, and accelerated, requiring more sophisticated analysis and response planning.
Vendor dependence remains an acute, and often opaque, risk that’s growing more concerning given pervasive use of third-party services within the industry. Regulators expect banks themselves to own and manage nth-party risk. The issue, one panelist said, is that “your ability to get good visibility is tough.”
The group also identified emerging risks to incorporate into traditional risk practices, including artificial intelligence (and the likelihood of an AI bubble), private credit, and cryptocurrencies/stablecoins.
On AI, the panelists discussed both the operational considerations surrounding responsible rollouts and the strategic imperative for firms to modernize effectively while maintaining strong controls. Regarding stablecoins and other digital-asset models, panelists agreed that each structure carries its own unique risk profile requiring careful assessment.
The roles of risk
When it comes to the regulatory environment, regulators’ latest philosophical shift will shine the spotlight most intensely on major risks contributing to banks’ safety and soundness, though risk leaders will need to remain vigilant in areas where the regulators have said they will focus less. Panelists agreed that proactively managing reputation risk remains essential, regardless of shifts in supervisory focus.
While pointing to regulatory relief as a tailwind for the industry, panelists argued that with this greater freedom comes greater responsibility in their roles. At the same time, it brings opportunities for more creativity and innovation, which can inspire CROs to further excel in their jobs.
What’s clear is that this new regulatory approach will force risk leaders to take a more active and independent role in their decision-making and in shaping risk culture at their institutions. Personal accountability, business judgment, and innovation will become even more important for the role. As regulation shifts from process to substance, CROs will have the opportunity to focus more on strategic risk management and less on straight compliance.
Panelists warned that banks easing up on compliance risk turning small issues into big blowback from regulators. “Today’s observation [a formal assessment without expectation of disciplinary action] is tomorrow’s MRA [Matters Requiring Attention],” one speaker said. And while they were generally optimistic about the current state of the business and the economy, they acknowledged that their jobs aren’t about resting on rosy outlooks—they plan for worst cases which, in an increasingly complex world of connected and fast-evolving risks, might be nearer than they think.
