The future of the CRO function

Looking into the future, we see new emerging risk domains that will drive Chief Risk Officers’ (CRO) agenda



Jean-Philippe Peters - Sponsoring Partner - Risk Advisory - Deloitte

Arnaud Duchesne - Director - Risk Advisory - Deloitte

Jules Ndambu - Manager - Risk Advisory - Deloitte

Published on 12 February 2020



In this article, we briefly review the evolution of the Chief Risk Officer (CRO) function in recent years before analyzing the emerging risks and responses that will shape the role of CROs in the near future.

The development of the CRO role

The late ‘80s and early ‘90s saw the emergence of sophisticated derivatives products. Globalization as a trend gained momentum and it fostered the interconnectedness of capital markets. This increased complexity, combined with deregulation, heightened the vulnerability of financial institutions.

The CRO role emerged in this particular historical context, out of a need to have an integrated approach to risk management. The key task of the CRO was to create a holistic picture of all risk exposures faced by the financial institution and support the CEO in understanding the complex interaction and interdependence between various risk dimensions. According to literature, the CRO title first appeared in August 1993 when GE Capital gave James Lam a job, which encompassed the management of credit, liquidity, and market risks. Since then, the role has evolved in line with the market’s environment[1].

[1] Economist Intelligence Unit, 2005, The evolving role of the CRO

From the mid-90s to the 2000s, high-profile corporate governance failures hit financial institutions and drew acute attention to the management of non-financial risks, which led to the addition of operational risk within the Basel II Accord. The key challenge for the CRO back then (and still today) was to grow the historically quantitatively-driven risk management framework to also include hard-to-measure operational risks.

During the global financial crisis of 2007-2008, taxpayers had to bail out systemic financial institutions in order to safeguard the stability of the global financial system. In response to the crisis, major regulatory reforms have been activated (including Basel III and the various regulations around recovery and resolution) and are shaping the way financial institutions must operate and, in turn, the role of the CRO. Unsurprisingly, regulatory compliance has become the top priority on the CRO’s agenda, while capital and liquidity planning have gained significant importance and are now the cornerstone of the post-financial crisis agenda.

The financial crisis also gave rise to an unconventional expansionary monetary policy to ensure economic recovery, with the aim to cut the key monetary policy rate to a level below zero. Negative interest rates, combined with regulatory constraints to hold more capital and high-quality liquid assets, have eroded financial institutions’ margins and forced them to rethink their business model.

In parallel, the digital economy and its multiple facets (including tech savvy clients, machine learning, big data, and advanced analytics) have also emerged in the last decade. The increased digitalization of financial services has led to the emergence of financial technology firms or FinTechs and to heightened exposure to cyber risks, which will altogether influence the role of the CRO moving forward.

Since the 2016 Paris Agreement and the commitment from the world’s largest economies to cut CO2 emissions, there is also an increased expectation from various stakeholders (incl. politicians, investors, and the public) to see financial institutions play a pivotal role in the support of a low-carbon economy by discouraging investments in fossil fuels. The integration of climate risk into banks’ operating model will have a major impact on financial institutions in the future. Clearly, this area will require CROs’ attention.

Finally, increased scrutiny of anti-money laundering (AML) and the financing of terrorism will continue to affect financial institutions. For example, non-compliance with AML/CFT requirements may lead to extremely severe reputational risks in the future that may be disruptive for institutions.

Based on the above developments, we expect the CROs’ agendas to be driven by a series of emerging challenges such as the management of ICT risks (operational resilience, cyber security, AI, robotics and analytics), climate risk or strategic risk (e.g. management of disruptive factors).

How can the CRO respond to identified trends and challenges of the future?

Technology is shaping customers’ behavior and their interaction with financial institutions. Compared to traditional clients who opened an account at a bank’s branch and maintained physical contact with their relationship manager throughout their customer journey, the new generation of clients are tech savvy. They use smartphones more than computers and are very active on social media. They expect fast onboarding and instant access to their accounts and services from any device with limited physical interaction with the bank.

With the increased use of digital distribution channels, financial services face greater risks of cyber-attacks, such as identity theft, ransomware, or phishing. The inclusion of IT risks into the risk management framework will represent a major challenge in the next few years. It requires CROs to add specific skills and tools within their teams to address the challenging task of understanding, assessing, and monitoring IT risks.

Machine learning and big data offer financial institutions an opportunity to create more robust models than traditional ones. With these new techniques, CROs will have the ability to learn from each incremental piece of data that becomes available and improve their predictive power. Nevertheless, the use of machine learning will increase model risks, and CROs should support the business and regulators in addressing this risk. For instance, despite their high performance, machine learning models can sometimes become a “black box”, and blindly trusting the relationship between explanatory factors and the dependent variable can be misleading. Another risk lies in the difficulty of back-testing and ensuring appropriate model validation.

A possible solution is to create a hybrid model, combining the advantage of machine learning to complement traditional models with a few simple business rules derived through machine learning for a sub-set of the total population.

We believe that within the next five years, CROs will “have to do more with less”. This implies the need to revisit the Target Operating Model (TOM) for the risk function if they want to address the emerging risks identified above. This TOM prioritizes investments in areas that will produce high returns and cost reductions in low-yield domains. Investments in simplification programs for IT and data infrastructure and in the automation of manual recurrent regulatory reporting processes can lead to substantial cost savings in the future. The simplification program will enable risk, treasury, and finance functions to have a “single source of truth” in line with BCBS 239 when it comes to risk reporting data. This in turn will reduce the need to allocate resources on an ongoing basis to tedious manual reconciliation processes. Additionally, the automation of regulatory reporting, in-house or through outsourcing for smaller financial institutions, will enhance risk teams’ ability to focus scarce resources on the new emerging risks, which are difficult to measure.

Within this new Target Operating Model, the CRO will add more value to the business. By reducing the weight of manual internal controls, the CRO could further allocate resources to internal developments for the long-term sustainability of the institution.


The market environment in which financial institutions will operate over the next 5 years will be increasingly digital and extremely competitive. Negative interest rates and their pressure on margins will continue to justify the implementation of cost optimization programs, which will further penalize business development. Digitalization will continue to fundamentally change clients’ behaviours, and the emergence of new FinTechs will further challenge incumbent financial institutions.

All those developments will reshape the environment in which CROs will evolve. Non-financial risks such as cyber security, AI, robotics and analytics, climate risk and strategic risk will become hot topics on the CRO’s agenda. Overall, the CRO will be expected to rethink the risk function’s operating model and to do more with very few resources. The new environment will imply a deeper involvement of the risk function in strategy design, and a shift from a traditional independent second-line control function to an in-house consultant that supports the business. In order to achieve this transformation, the CRO will have to promote a spirit of innovation and optimization within the institution to reduce the impact of controls on the performance of the institution while keeping its risk profile within the tolerance level.
