Clifford Rossi, Tyser Teaching Fellow, Center for Financial Policy at the University of Maryland
How does a chief risk or credit officer for Citi, Washington Mutual, Countrywide Bank, Fannie and Freddie end up teaching college finance class?
I had been an adjunct professor in the business school at the University of Maryland for about eight years while I was full time at Freddie Mac and later on at some point the stars aligned and I could afford to do it. Once TARP came along in the wake of the financial crisis it became enormously stressful and teaching full time seemed like a rewarding career move. So I came to teach finance and they also thought I could help with UMD's new Center for Financial Policies in D.C. I still do some work for Citi and stay active in all facets of the risk side.
What does a chief risk officer at a big company do all day?
The CRO of any company is responsible for the enterprise-wide risk exposure of the firm including the credit risk, the market risk and interest rate risk, the operational risks, and maybe even the legal and regulatory compliance risk. The job is about three things: identification of risk; measurement and recommendation of risk tolerances or appetites for the company; and the management of risk, how you lay off or transfer unwanted risk given the appetite for risk at the board of director level.
You must need to be good at delegating duties.
You do have a variety of different groups reporting in: policy-making groups for credit and underwriting decisions at the individual level for a loan or for a counterparty you're doing business with. You have people who do all sorts of analytical modeling to value and size up the level and likelihood of risk. You have a ton of statisticians and econometricians augmented by strong MIS reporting capabilities and some very strong IT and data management professionals. Risk guys know if you don't have good data, it's game over, you might as well go home. At the heart of everything, you quantify what you can, and for anything you can't, you need to set up risk boundaries through policies, rules, limitations, etc.
What are the important skills of the job?
You need to be very task oriented but at the same time have a strategic view of what needs to be managed from the top of the house for risk-taking purposes. In a financial institution for example, the focus is on being compensated for a risk that you're taking. Where there is no risk, there is no value to the franchise. If you take too many risks you wind up, unfortunately, like many of the institutions I worked at.
Are you saying there are limits to a chief risk officer's ability to control risk?
I believe most everybody in the industry to a certain extent was guilty as charged of missing the huge structural change that was taking place [in the recent financial crisis], particularly in the mortgage market. [We were] adding on what we called risk-layered assets, assets in which we compounded the risk by, for example, having people state their incomes rather than verifying income; allowing people to put variable down payments on mortgages or allowing people with spotty credit records to buy. All those things together create risk layering.
We didn't understand the degree to which the last 10 years of data was not going to be the same as the next 10 years. We really underestimated the impact of those important changes in credit policy were going to have on the overall risk. But beyond that, we were still calling out the high risk taking and asking our production folks to kind of slow that down.
My sense is that yes, there are some greedy people out there, but by and large I think they were misguided by seeing such a long and good period of performance out there that many of the most senior people probably said, "How can you tell me that you're going to have any kind of risk event when home prices are going to rise at double digit rates?" So I think a lot of it comes down to people looking into the rearview mirror and seeing smooth sailing for the next five years.
It sounds like you are saying the chief risk officer advises on risk more than he or she can actually control.
You need an enormous capacity to negotiate and communicate to senior managers who may otherwise be very aggressive and wanting to pursue views counter to yours and will act accordingly. During the time leading up to the financial crisis, the places I was [employed] at were led by very strong-willed individual production teams that had enormous power of control over the firm to the detriment of the risk officers. As we saw later, that really put them in a particularly bad spot if the institution goes down for excessive risk taking. Risk managers are only there to advise [about] levels of risk. A CRO cannot stand up and say, "I will not allow this to happen." He or she could certainly say, "I do not support this and I will not sign off on this decision," but of course the CEO and the board have every right to override that view.