Users of software vary in job responsibilities and also in focus. In the parlance of software developers, users are commonly categorized as representing a particular persona, based on their business role in an organization. In the case of enterprise GRC solutions, some examples of common persona include risk managers, compliance officers, auditors, lawyers, IT managers, operations managers, strategy officers, C-Level officers and the Board.
With the latest release of SAS Enterprise GRC, users can design their own customized Home Page. This can help users to be more organized and focused, and saves both time and effort. To make this a bit more concrete, let’s consider what a home page might look like for a bank Chief Risk Officer (CRO). First, I will characterize the CRO’s role, reporting relationship, and main responsibilities.
What is the role of a CRO in a bank?
The CRO is responsible for developing, implementing, and maintaining the risk management function of the organization, including a strategy for managing all aspects of risk (market, credit, and operational). The CRO is the principal control officer of the organization and he/she must maintain the independence and integrity of the risk management system and all of the controls that both support it and emanate from it.
What is the CRO’s organizational reporting relationship?
The CRO may report directly to the BOD, with a dotted line to the CEO. With respect to the BOD, the CRO may have a dual reporting relationship to the Chairman of the Board Audit Committee and the Chairman of the full Board. In some instances, the CRO reports to the CEO or CFO. In smaller institutions, the CEO and the CFO may share the duties of the CRO. Reporting to the CRO area are a variety of functions, including Audit, Compliance, Credit Administration, Legal, OREO, and Security. This list may vary, depending upon the size of the institution. If there is a balance sheet management division, then it may also report to the CRO or CFO.
What are some of the main responsibilities of a CRO?
- Provide risk management thought leadership, underscored by an internal controls philosophy and vision for the organization.
- Develop and maintain a risk management system encompassing all types of risk confronting the organization.
- Establish a Risk Management Committee consisting of key management executives throughout the firm who are tasked with reviewing and making recommendations on all risk-related matters. The key executives include the CEO, CFO, and Top Line Executives.
- Ensure that the committee system of the bank is working properly. In addition to the Risk Management Committee, the CRO may chair corporate committees, e.g. the Compliance Committee, Capital Planning Committee, Privacy Committee, and so on. The CRO may also serve on other committees, such as the Asset/Liability, Pricing, and Disclosure committees. Finally, the CRO may serve on Board Committees, e.g. Audit, Compliance, and/or Risk Management.
- Develop a risk limitation system, which seeks to identify, measure, monitor, and control risk in accordance with the organization’s risk preferences.
- Implement a reporting capability which gives management and the BOD the ability to understand current and anticipated risk exposures and their impact on the organization, and which provides helpful context that facilitates transparency and enables a deeper understanding of those exposures.
- Foster a risk-based portfolio optimization approach to managing the firm, which includes capital budgeting and allocation for the lines of business and for key organizational initiatives, and the use of insurance and alternative risk transfer vehicles.
- Document the firm’s risk profile and explain it to the Board of Directors, regulators, stock analysts, rating agencies, and business partners.
- Develop and enhance the information technology infrastructure and processes which encompass data acquisition, data pre-processing, data warehousing, analysis, and reporting in support of the risk management function.
Now, back to the CRO home page I have designed (pictured below):
Anatomy of a bank CRO GRC dashboard
TOP
At the top I put a section for tasks, which might relate to oversight of some key risk mitigation action plans in play, or review of recent alerts where there is potential for significant customer impact, or more routine items, such as preparation for committee meetings, activity prioritization, and so on.
MIDDLE
Below, and in the middle, there is a dashboard of key risk and performance indicators which relate to attainment of corporate and department objectives and a 360-degree view of the enterprise spanning governance, operations, finance, risk management, compliance, social and environmental responsibility, market and competitive forces, and business strategy execution. For instance, we see on the dashboard in question that we have risk exposure that exceeds appetite (as signified by the red dial), and we might also have a number of underperforming KPIs (which would be reflected by a yellow dial).
LEFT
To the left of the dashboard is a section for shortcuts to functions of the software solution, e.g. creating various business objects (such as a policy, an action plan, an issue, a risk, a control, an audit plan, a compliance review); or checking status on action items or workflows; retrieving the latest version of a policy or procedure and noting when it was last modified, by whom and whether the changes have been approved; or reviewing open issues and findings, and so on.
RIGHT
To the right of the dashboard are referential links to reports (such as special mention and classified assets, OREO, foreclosures, policy exceptions, concentrations, market rates and yields, daily statement of condition, flash report on financials, division control books, balanced scorecard, capital plan, latest 10-K filing), more sensitive information (SAR filings, unresolved regulatory exam findings, outstanding issue log of the Board Audit Committee, summary of pending lawsuits, summary of committee actions), and external URLs (e.g. sites relating to economic analysis and outlook, OCC Canary Report, FFIEC home page, OCEG home page, Institute of Internal Auditors home page, Compliance Week, NACD home page, RMA home page, GARP home page, PRMIA home page, SNL Financial, LexisNexis, a rating agency website).
Your Take
What would you like to see on a bank CRO home page? (Note: I have intentionally left a gap or two for you to fill in, so please "Have at it!")