Yesterday was a fascinating day full of presentations on risk in the morning from a bunch of old CRO's (Chief Risk Officers) followed by a lunch with a crock of CIO's (Chief Information Officers). In fact, there was even one CIO who became a CRO ... and that's something that might happen more often on the basis of what was discussed.
For example, Juan Yanes, Deputy Group Chief Risk Officer at Grupo Santander, kicked off discussions with a presentation entitled "Risk Management and Value Creation: Challenges for the Risk Function".
Now, you may already be losing interest at this point having seen such an exciting opening line but DON'T!!! Juan's presentation was really interesting, and that's saying something for a Deputy Group Chief Risk Officer. After all, you know when you've met an extrovert Risk Officer in a cocktail bar ... he's the one looking at someone else's feet.
So, back to Juan's presentation.
Halfway through his slide deck, he had a slide that looked at the relationship between risk management and the business functions. His conclusion was that there needs to be more of a business orientation of the risk function, and more of a risk orientation of the business.
In other words, risk management is not a function but a culture.
Funnily enough, I then went into a separate lunchtime conversation with CIO's focused upon information vulnerability, business continuity, phishing attacks and so forth; all of which are Group Risk issues.
The CIO's lamented the fact that many people in the business did not understand the risk of data loss.
The fact that taking a laptop home could be a serious data breach, as it might have customer data on that laptop.
The fact that the CEO does not implement a standardised policy across the board and that he/she can apply the policy favourably for some and not for others.
The fact that branch staff cannot take information home but Head Office line managers can.
The fact that the CEO needs to take a single data risk policy across the business and apply that policy to every person in the same way.
In other words, information is a core Risk in the business and needs the CEO and the enterprise to understand and manage these risks.
This brought us back to Juan's message.
His message is a business orientation of the risk function, and a risk orientation of the business. The CIO's message is a business understanding of information, and an information understanding of risk.
The CIO's message is a difficult one though, in that if you ask any senior representative about the data risks of their BlackBerry or laptop, you get a pretty offensive response.
My walk-away is that there needs to be a major cultural shift to get to a world where Risk and Information become synonymous. In fact, the only way we'll get there is if the CRO's and CIO's work together to make it happen.
IT and Business alignment ... Risk and Business alignment ... one and the same.
Chris
Chris M Skinner
Chris Skinner is best known as an independent commentator on the financial markets through his blog, TheFinanser.com, as author of the bestselling book Digital Bank, and Chair of the European networking forum the Financial Services Club. He has been voted one of the most influential people in banking by The Financial Brand (as well as one of the best blogs), a FinTech Titan (Next Bank), one of the Fintech Leaders you need to follow (City AM, Deluxe and Jax Finance), as well as one of the Top 40 most influential people in financial technology by the Wall Street Journal's Financial News.