Stepping into the role of chief risk officer (CRO) comes with a lot of questions: Where to start, what to prioritize, and how to make an impact? The way new CROs approach these questions in their earliest months shapes their ability to achieve long-term success.
To understand the mindsets, skills, and practices that work best for new CROs, McKinsey conducted in-depth interviews with more than 30 current and former CROs of major financial institutions; each of them spent at least five years in the role. These discussions are the basis for a series of articles on risk leadership and the CRO role.
In the most recent article in our series, we examine how top CROs set their objectives, mindsets, and operating models. Our research led to the identification of three CRO archetypes: the architect, the protector, and the business accelerator—each with its own motivations and ways of working.
Underlying these archetypes are six habits that take root early in a CRO’s tenure and shape their success in the role. We discussed these habits in the first article in this series. To sum up: Be explicit about a risk and resilience North Star; invest in, empower, and create the next generation of leaders; engage deeply with C-suite leaders and the board; treat supervisors as partners; focus on what only the CRO can do; and monitor CRO personal effectiveness.
In this article, the third in the series, we focus on the challenges and opportunities that CROs face in adopting the six habits in their critical first few months in the role. We discuss the strategies that drive early success and the pitfalls that constrain progress. And we show how leading CROs strike a balance between taking stock and taking action to build resilient risk organizations.
Habit 1. Ensure clarity on the risk function’s North Star, strategy, and culture
Adjust the North Star. The new CRO should move quickly to take stock of the risk function’s mission in the context of the institution’s overarching strategy. In some cases, there may be no recognizable North Star at all, which one seasoned CRO sees as a risk in itself: “[Without a North Star], real risk management becomes regulatory risk management, which is an adjacent but different vector.”
Successful CROs take early steps to align the North Star with their vision. In doing so, Brian Leach, former top risk executive at Citigroup, said it may be necessary to foster new attitudes in the risk function. “The biggest thing for me was that my team conceived of themselves as advisers, not decision-makers,” he told us. “I did a bunch of programs to shift this mindset. And there are some people who you suddenly realize have been advisers their whole lives and are not decision-makers.”
Once the North Star is established, CROs told us their priority was to proactively cascade this guiding principle throughout the organization.
Adapt the risk strategy to enable goals. Guided by a North Star, successful CROs turn next to the practical consideration of the organization’s strategic and business goals. This means working closely with the CEO, CFO, and business executives to identify where the risk function is contributing and where it may be a source of unnecessary friction. According to Trevor Adams, former group CRO of Nedbank, an effective approach is to think much more strategically. “It is about optimizing risk,” he said. “And it’s as much about maximizing the upside as it is about minimizing downside risks.”
In some cases, changes to the risk strategy may be required, for example, to reflect changes to the business context. This may be about establishing new key risk focus areas, risk innovations, checks and controls, enhanced reporting mechanisms, and/or strengthened escalation. On becoming CRO, Adams told us he established a new risk type called “strategic execution risk” and appointed an executive head of strategic risk to the group risk executive committee. This was designed to elevate the strategic emphasis and impact of risk management across the organization and help colleagues successfully execute on the ongoing unprecedented level of change across the business.
Articulate risk culture ‘from–to.’ Interviewees agreed that an effective risk culture has to be embraced by the entire organization and not just the risk function. Successful CROs clearly articulate their expectations and encourage buy-in with training and incentive systems. Antonio Le Feuvre, CRO of Banco de Crédito e Inversiones, made risk culture a responsibility not just of risk managers but of the entire business. To get there, he arranged for extensive training, and he reinforced risk variables in employee scorecards.
Then, there is the question of how to sustain this change in the long run. Whether you are shifting the risk organization from advisers to decision-makers, as Leach shared, or pushing another cultural change, our experience working with risk organizations suggests four common steps that can help make cultural change stick: (1) role model desired behaviors; (2) create understanding and conviction by explaining the what and the why; (3) develop systems that reinforce desired behaviors; and (4) nurture confidence, backed by training if required.
As an example of an effective system (step three above), Don Truslow spoke of his early days as CRO of Wachovia: “There was a very strong risk culture, as well as an orientation that fostered bad news traveling fast and rewarded people for fixing problems. There was zero tolerance for people who tried to hide or spin problems.” At the root of the culture was the mindset that everyone is a risk manager, which was consistently reinforced through transparent communication, training, rewards, and consequence management.
| Take stock | Take action |
| --- | --- |
| What is the risk function’s current North Star and how is it perceived by stakeholders? | Adapt the North Star as needed and communicate and cascade the objective throughout the organization. |
| What are the organization’s long- and short-term strategic goals and what role should risk play in achieving them? | Determine risk strategy initiatives that support long- and short-term goals. |
| What are the strengths and weaknesses of the organization’s risk culture? | Articulate the “from” and the “to” and identify key levers to transform the risk culture. |
Habit 2. Optimize the risk organization
Optimize organizational structure. Leading CROs take a moment early on to consider whether the risk organization’s structure supports their priorities. Shaun Dooley, former group CRO of National Australia Bank, aligned his organization’s risk team with lines of business and resourced his risk team up or down based on the maturity of the corresponding first-line team. He created a structure with three CROs in Australia reporting to him, each responsible for different customer divisions and supported by four risk teams.
Move fast on team changes. Many interviewees said that the best place to start building an aligned risk organization is to conduct a review of talent. This may be about shuffling positions or creating new roles, for example, in fast-growing topic areas such as cyber risk. And the “how” is as critical as the “what.” When it comes to taking action, the general rule is to move fast to get the right people on board.
Leach recalls the beginning of his tenure, when he met individually with each of his direct reports: “I interviewed every person and all the high potentials in the group, and I asked them a bunch of open-ended questions. More than half of them answered that I should just tell them what to do.”
In light of those responses, Leach made some hard decisions, bringing in new leaders—some internal and some external—who were more aligned with his view of risk professionals as decision-makers.
Adjust the operating model. Finally, shaping the risk function requires the new CRO to ask whether the current operating model supports the organization’s needs. Ryan Zanin, CRO of Westpac, said it is about “getting real clarity on what a risk function is supposed to do, compared to what it has historically done, and freeing up people to check, challenge, oversee, and manage policy as a true second line.”
The new CRO has a major role to play in fostering the attractiveness of the risk function and its value proposition. Alexandra Boleslawski, CRO of Crédit Agricole Group, told us that she took action early in her tenure to revamp career paths, as well as to build stronger bridges between the business and risk. In a similar vein, Boleslawski reinforced the standing of the risk function, developing clear personalized learning journeys to make it more attractive to talent.
| Take stock | Take action |
| --- | --- |
| Is the current structure of the risk organization, including the number of CRO direct reports, effective? | Optimize the list of reports to reflect the company’s business model and match the CRO’s management style. |
| What is the quality of talent in the risk organization? | Move fast on team changes and swarm top talent and rising stars. |
| Does the current operating model support the organization’s needs? | Adjust the operating model to ensure people are spending their time on the highest priorities and to attract top talent. |
Habit 3. Establish relationships with the board and executive team
Strengthen board relationships and create common agendas. To be effective, new CROs must quickly forge productive relationships with their executive team peers and the board. Our interviewees highlighted the benefits of both listening and learning, through which they were able to establish effective reporting and communication channels and tailor their communications to stakeholder expectations.
Strong relationships and honest dialogue will boost effectiveness and efficiency. “I try to avoid at all costs having a conversation with the board where the CEO is not present,” said Nigel Williams, former group CRO of Commonwealth Bank of Australia. “If you get caught between the board and the CEO, it’s very difficult, so you have to be uncomfortably transparent to both.”
Often at the heart of effective risk management is a high level of trust between the CRO and other executive team members. Mark Hughes, former CRO of the Royal Bank of Canada (RBC), suggests developing a plan to get more face time with the CEO and CFO. “The ad hoc [meeting] is the most important thing to be successful,” he said. “If you have to make an appointment, then it doesn’t work so well.”
Identify go-to contacts across topics. Successful CROs develop a clear idea of the board’s risk-related skill sets and capabilities. It can be helpful to ask the outgoing CRO and other senior leaders for insights into their experiences. Often these conversations spark new ideas, said the CRO of a major bank. “When we started working on operational resilience, one of the [risk committee] members who had come from a tech firm said, ‘Why don’t you go and look at companies in other sectors [that] do a great job in managing resilience?’ That was a great suggestion.”
Find the right cadence for reporting. Assessing board reporting practices can both reveal weaknesses and foster trust in the risk function. Successful CROs spend time with the risk committee chair early on to understand the types of communications they value from the risk function and how they like to be engaged, both for business-as-usual and at times of crisis. This cadence may further benefit from being revisited and adjusted over time as the new CRO gets more experienced with the board dynamic.
| Take stock | Take action |
| --- | --- |
| What are the board’s and executive team’s perceptions of the company’s risk profile and of the risk function? | Build relationships and create common agendas with other executives. |
| What are the board’s and executive team’s skill sets and capabilities relevant to risk and resilience? | Develop a board capability/expertise map to identify key resources across different topics. |
| How well do board and risk committee reports meet their needs? | Find the right cadence and adapt reporting to reflect board priorities. |
Habit 4. Establish relationships with supervisors
Establish a proactive and transparent supervisory engagement approach. When it comes to taking action, first impressions matter. In early meetings, leading CROs proactively engage their supervisors on a spectrum of issues, aiming to strike a balance between listening and sharing their priorities. Others emphasize the value of setting a cadence for engagement. “I would have a call once a week with OSFI [Office of the Superintendent of Financial Institutions] chief adviser,” said RBC’s former CRO Hughes. “To a large extent, it would be a heads-up [about what might be on the horizon].”
Some CROs were clear on the importance of maintaining strong relationships after initial contact. “When we don’t succeed, the first people we pick up the phone to are the supervisors,” said Ryan Zanin, CRO of Westpac. “And we don’t start with hiding information and litigating. We start with being transparent.”
Reprioritize ongoing efforts. Taking stock of ongoing regulatory matters will mean speaking regularly with executives and project managers, rather than relying solely on reporting, as well as being ready to challenge where necessary. Taking early action should be defined by effective prioritization, ensuring the most important projects are taken care of first and seeking extensions when necessary.
Incorporate supervisory input. Determining what to prioritize demands that CROs are mindful of the forward-looking priorities of supervisors. Amanda Norton, former CRO of Wells Fargo Bank, said, “I think one of the really important things with the regulators is to listen. For example, they may not be explicit, but if they keep asking you about customer harm, it could mean they want you to assess current practices and ensure customers are being appropriately protected, likely resulting in something really positive in that area.” CROs that laid early foundations for success told us they benefited from being explicit on what changes were needed, including pushing their team to create project plans and assigning specific project managers to soft spots, as well as pivoting to do more proactive remediation.
| Take stock | Take action |
| --- | --- |
| What are the organization’s history and relationships with supervisors? | In early meetings, strike a balance between listening and sharing. |
| What is the status of ongoing regulatory efforts? | If necessary, ask for extensions to previously approved plans. Prioritize those that are behind schedule and proactively communicate with supervisors. |
| What are forward-looking supervisory priorities and potential findings? | Make plans for proactive remediation and listen to supervisors for clues on priorities. |
Habit 5. Be intentional about what only the CRO can do
Plan your legacy. It may seem counterintuitive, but many CROs start thinking about their legacy right from the start. Marlene Debel, MetLife’s CRO and head of MetLife Insurance Investment, put it like this: “The goal is to build a way of working in terms of capabilities and business partnership that drives responsible growth and will benefit the company for years to come.” Still, looking far into the future requires an initial phase of reflection. Before they make changes, leading CROs pause to consider how they want to build the organization for the next generation of risk leaders.
Having taken stock, the next step is to think about the CRO’s role in creating long-term impact, including the milestones that will mark progress toward goals. “I definitely wanted Airbnb to be one of the most trusted brands out there,” said Naba Banerjee, former global head of trust and safety at the company. “By the time I was done with that work, fraud and safety incident rates were down more than 50 percent.”
Set top priorities. With the legacy in mind, a useful early exercise is to take stock of new and existing priorities. The new CRO can then reprioritize based on long-term plans. Helga Houston, CRO of Huntington National Bank, said, “One of the things that we’ve tried really hard to do is to be forward looking. Our strategy isn’t a maintain strategy, it’s a growth strategy.”
Redefine working rhythms for efficiency. Part of formulating priorities is to fully understand the working rhythm of the risk organization and to judge whether the current mix of stakeholders and governance enables effective and timely decision-making.
By taking stock of what is mission critical and what is not, new CROs can make space to create impact, said Mahesh Aditya, CRO of Santander Group. “We decided which committees were absolutely nonnegotiable for me to attend, and we came up with maybe four or five.” Implementing change may involve new approaches to knowledge sharing and potentially new routines for meetings and committees. Jason Schugel, former CRO of Ally Financial, said established ways of working may not be productive. “People have a desire to sit in meetings, but the reality is often it’s a waste of their time,” he said.
| Take stock | Take action |
| --- | --- |
| What do you want the CRO legacy to be? | Set targets for and regularly evaluate how to spend time and how not to let the urgent overtake the important. |
| What are your top priorities as CRO? | Reprioritize initiatives to address the most critical priorities and decide which projects should be delegated. |
| What working rhythm with different stakeholders and committees is required? | Redefine committees/memberships in the risk function to free up time. |
Habit 6. Monitor personal effectiveness and reevaluate the personal operating model for long-term success
Shape your remit. Being CRO is one of the most demanding roles in financial institutions, and many CROs are unprepared for the intensity they will face every day. Thus, a priority for many CROs in the first few months is to assess learning opportunities. “The importance of learning reflects just how much falls under the remit of a CRO, and how dynamic the function is,” said Craig Broderick, former CRO of Goldman Sachs. “You need to bring resources to bear that help you learn and stay abreast of everything.”
To lighten the load, successful CROs proactively delegate. One long-time CRO said, “I was reacting to the incoming while being deliberate on the outgoing. One of the best things I did—and this was tactical—was that I got myself an executive assistant who was a real gatekeeper. I also appointed a chief of staff and a chief operating officer. By empowering them, I freed up my own time to focus on the bigger picture.”
Make time for personal priorities. With the CRO job being so all-consuming, especially in the first few months, successful CROs make it an early priority to take stock of the organization’s operating model and strategic priorities. NY Life’s Ben Rosenthal recalls the significant impact it had on him to hear a former CEO articulate his priorities as: “God, family, work, and golf—with the last two being interchangeable.” Rosenthal took this as personal advice to stay focused on what really matters.
CROs stressed the importance of regularly reassessing how they allocate their time and adjusting their schedules to dedicate energy to the right priorities. “Figure out what’s important,” said MetLife’s Debel. “Know your priorities so you understand what to focus on and what to tune out.”
Review your personal board. Successful new CROs take time to evaluate their “personal board”—a group of close confidants and advisers—if they have one, and whether it meets their needs in the new role. They question whether they would benefit from additional advisers who can challenge and offer candid advice. They may also join peer and other industry groups. Ally Financial’s former CRO Schugel recommends spending time with peers: “When you think about a risk and regulatory environment that’s constantly evolving, having those relationships with your peers, having those forums where you can talk about things, is so important.”
| Take stock | Take action |
| --- | --- |
| Is your working rhythm effective and sustainable, and what do you need to learn? | Shape the CRO remit, preempt problems, and delegate effectively. |
| Do you have the right work–life guardrails and support structures in place to manage your time? | Identify and free up time for important nonwork activities and people. |
| Do you have a trusted set of advisers to counsel you? | Create a personal board, or review your current one’s composition. |
Making the most of the first few months
Early on, new CROs should be prepared to both take stock and take action, capitalizing on the moment of change to ensure risk management is a strategic enabler for the institution. With their teams expecting a reset, successful CROs waste little time in assessing what is working well and what can be improved. They lay strong foundations by setting the strategic direction, making changes to their team and established working rhythms, and building relationships that will benefit the organization during their tenure and beyond.