Anuratna Chadha of Mashreq Bank, Chris Matten, former partner at PwC Singapore, Elbert Pattijn, former DBS group CRO, and Yasman Moghaddam of Moody's Analytics touched on new risks and how financial institutions should perceive the interlinked risks in digitalisation, climate risk considerations, and services provided by third parties.

Chadha elaborated on Mashreq Bank's digital transformation. In his experience, it adds a layer of complexity to the business. With his experiences in the DBS digital transformation, Pattijn stressed the importance of the role of CRO and what processes are critical to ensuring control and setting key performance indicators (KPIs). According to Chadha,  CROs can contribute to the design and warranting of governance to ensure data quality and alignment with IT. Pattijn also added that financial institutions need to guard innovation by upgrading the status of IT, adjusting the organisation's skillset with new hires, and using up-to-date methods for organising work.

Moghaddam emphasised several challenges with building risk expert organisations and suggested ways to enhance the data processing capabilities and modelling capacities of financial institutions to respond to new risks. Chadha added that the spectrum of both financial and non-financial are expanding, which requires a new rationale for CROs. He believes the role of CROs is transiting from backward-looking to forward-looking.

Matten delved into the importance of designing relationships between the risk management office and the compliance office as more financial institutions receive fines for relatively simple wrongdoings. Matten also suggested how financial institutions may avoid such penalties. Moghaddam said financial institutions could also use technology to reduce potential distances caused by design choices. According to her, technology offers the opportunity to reduce the number of manual processes. Financial institutions can also attain information that can give immediate insights into ongoing events and support monitoring of activities, tasks typically placed on the compliance and risk functions, respectively.

The experts also agreed on the importance of staying atop third party risks as regulations are not cutting financial institutions slack for threats emerging from outsourced services. Given rising cost levels, financial institutions could consider insourcing over outsourcing. Moghaddam argued that climate risk still requires financial institutions to rely on third party provided data and estimations of risks, e.g., transition risk. According to her, one challenge is that the required data may not exist. Another challenge is that financial institutions may lack the appropriate processes to fetch the data through customer interactions. Financial institutions often lack processes to measure the climate impact of such data as another example of a challenge.

The panellists also discussed the following key points:

• Present risks come mainly from fragility of supply chains, geopolitical tensions, inflation, cybersecurity
• Banks are putting in place data-driven architecture across the entire organization to better respond to challenges
• Organisations need to have extended data resourcess and address shortcomings in modelling
• Widening spectrum of risks emanating from digitalisation, and climate change
• Appropriate governance gives risk managers means to address novel risks.
• Risks from third party service providers can be mitigated by testing controls

Alex Rad (AR): Good afternoon and welcome to Asian Banker’s virtual dialogue on the chief risk officer (CRO) outlook for 2022. We have a distinguished group of senior risk executives from some of the leading financial institutions and companies, and they represent Asia Pacific, Middle East and Europe. They will share their respective perspectives with us. I'm Alex Rad, senior research analyst at The Asian Banker.

Mobasher Kazmi (MK): And I'm Mobasher Kazmi, head of research at The Asian Banker.

We have a distinguished group of panelists with us today: Anuratna Chadha, senior executive vice president and group chief risk officer at Mashreq Bank. Joining us as well is Elbert Pattijn, former group CRO at DBS, with him is Chris Matten, ex-partner of PwC Singapore, and Yasman Moghaddam, director, risk and finance solutions ESG and climate risk lead for Asia Pacific (APAC) and Middle East (ME) at Moody's Analytics.

AR: We're just going to kick off with a light question. I'm going to read out the question and we're going to give you some options.

The question is as follows: How do you feel about the outlook for the world? The options are the following: A. Are you worried?  B. Concerned? C. Positive?  D. Optimistic?

Why don't we start with you, Yasman?

Yasman Moghaddam (YM): It's a bit of a tricky question, Alex. We could probably pick all of the choices but I'm going to go with optimistic. I mean, where we sit in terms of having risk, being exposed to risk. Obviously this is not going to change, every day we're faced with new challenges, so to be honest, from the world's perspective and the outlook, I want to pick optimistic.

AR: Chris, over to you.

Chris Matten (CM): I agree with Yasman that it's a very mixed picture and you could pick all of them. I would put myself more in the concerned camp. There are some positives out there. It seems like, at least in certain parts of the world, people are learning to live with COVID and maybe hopefully coming out the other side. COVID is not going to go away but we might just learn how to live with it like any other endemic problem. There are a whole bunch of other things out there, whether it's on the economic side, inflation is a big concern. So, yes, I put myself in the concerned camp.

AR: Anuratna, what do you pick?

Anuratna Chadha (AC): My vote would also be with optimistic. We’ve come out of a lot but at the end of the day, human creativity and innovation is something that will see us through, we've got to believe in, and that's why I'm optimistic.

AR: Elbert, how about you?

Elbert Pattijn (EP): I'm probably in the more worried to concerned camp. There isn't much that can go right. The pandemic, we just kind of burrowed our way out of this, we haven't resolved it. Combining that with climate risk, inflation, issues around cryptocurrency, and particularly issues around social issues, such as disparities between countries and disparities within the countries. Generational disparities, I think, will lead to some growing unrest, and potentially populist politics.

I think there is an awful lot that has the potential to go wrong, and some of these things will go wrong.

MK: Looking at the range of responses that each of you have shared with us, I'd like each of you to take a couple of minutes to think about and to share with us in the audience in terms of what keeps you awake at night as a risk leader?

I'll kick off with Yasman. What keeps you awake at night?

Present risks come mainly from fragility of supply chains, geopolitical tensions, inflation, cybersecurity

YM: The types of risks that we're also still dealing with is actually a lot more different to what it was before. We need to be aware of, account for, quantify, and mitigate a whole different array of events, and array of risks that we're used to or traditionally have been doing.

One example is the pandemic, we just talked about it. No one could have predicted the severity and the impact that a tiny virus would have had, not only on our health and the health of people around the world, but the economies and the whole financial institutions, the financial system as a whole. It was really an event that tested the resilience of all organisations, and I want to emphasise all because everyone has been impacted to some extent, if not actually quite severely.

What I really want to say is that something that keeps me awake at night is perhaps the unknown or the unpreparedness. Not having the tools or capabilities to actually anticipate or deal with such events, and that's basically one of the key things that keep me awake.

It could be a climate event. It could be an environmental event that could, again, put us to the test, actually test us and test the resilience, and so on. It's all about the approaches, the understanding of the types of impact that different organisations really need to meet to understand. To be honest, where we are today, I would say we're probably, to some extent, in the infancy of understanding of what else is out there, what other kinds of risks, what other exposures and how we deal with that.

MK:. Chris? Your thoughts.

CM: I certainly wouldn't want to be the CRO of a bank that had a large exposure to the Chinese property market, for example.

MK: Elbert?

EP: I worry about how fragile the supply chain has become. For years, we had this just-in-time inventory system and everything went very smoothly. You can see that it can get shot not only by a pandemic, but also by weather events, climate type of events as we've seen, or other events like Fukushima had a big impact, flooding in Thailand had a big impact.

If you now look at the world, there are basically only three companies that make chips. That's already a vulnerability but there's only one company in the world that makes the machines that make chips. I think our supply chain needs to be, and this is what CROs need to worry about. They need to talk to their clients saying how fragile is your supply chain? Do you have a rope? Do you have it diversified? Is it robust? Is it local? Is it international?

I think digitalisation, cyber risk continues to be high because, again, it can really bring a bank to its knees from a financial and  reputational point of view.

Inflation is not good for anybody and you either have high inflation or higher interest rates. You can pick your poison but they're not good for growth, other than, maybe, for the banks themselves for a while but definitely not for their clients.

And I worry about the growing disparities. That there's going to be within countries a lot of angst and unrest, which make these countries–and we see it in Europe–almost ungovernable. I mean, it took my country more than a year to form a government.

Banks are putting in place data-driven architecture across the entire organization to better respond to challenges

AR: Let us talk about the kind of leadership CROs can exercise. We're talking about potential events and events that have occurred in the past, and usually they generate data and require modelling analytics and decision-making. Now, we know that banks operate with multiple data sets, and potentially there are problems with silos. Sometimes banks are working to build data-driven architecture across the entire organisation.

Anuratna, when it comes to Mashreq Bank, where is the bank on this journey? How do you, as the bank CRO, contribute?

AC: Like you said, at Mashreq, we embarked on a digitisation journey a couple of years ago. As part of that, strategically organising data is mission-critical. We've chosen to do this like a lot of other organisations, on the cloud, in the form of a cloud-based data lake.

We are formulating institutional-wide data governance to make sure that we have the right architecture and governance around this. As CRO, we are a very critical partner in enabling this transition and making sure that we have single sourcing of risk data and making sure that we have the appropriate set of controls around this.

Our preference, initially, was to go down the centralization route, and then equally making sure we are driving improvement and quality through talking about consistent data quality measures.  Initially, when we started talking and thinking about it, it seemed simplistic and to be expected, but given the time that it took us, it was obvious to us that different stakeholders in the organisation saw this differently.

Initially, it took us a while to get everyone singing off the same hymn sheet but we got there.

Those have been some of our priorities and challenges as we transition down the road.

MK: For you, Elbert, how can the CRO really lead the analysis and be open to these different and new and emerging risks, and also accommodate other stakeholders’ points of view?

EP: Actually, the question is, how can the CRO lead and be open. I think it's not optional. This is the job. This is what you need to do. The question is more on how to do this. You have to try and be open to all kinds of ideas. I'm a big believer in collective wisdom. A bank is a complex beast. There are many specialized jobs there and these people have awareness of risks that no single CRO can all know on his own, it just doesn't work like that.

You got to leverage offyour people and you got to make time for it. You can't just have conversations around the water cooler. You actually have to diarize this and aim for it. DBS, and I think most other banks as well, actually have in their annual report, or at least in their internal policies, an agenda item for the board risk committee, it was called new and emerging risks. That alone forces you to think about what can go wrong because as we heard before, people tend to worry, and rightly so, about the things that they don't know because that can hit you in ways that you never imagined before.

You got to really set that as an agenda, leverage off the collective wisdom, and then subsequently start putting in parameters, start putting in policies and start managing and measuring these things. The moment that you manage and measure them, they will improve.

Organisations need to have extended data resources and address shortcomings in modelling

MK: Yasman, looking at these different emerging risks, what do you believe is an effective strategy in terms of building those modelling capabilities that really enhances the CROs risk responsibilities?

YM: From a modelling capabilities perspective, first and foremost, what you need is knowledge and subject matter expertise. With a very broad range of risks that we're now having to quantify, it's important to have experts around the table for those different areas and having and trying to meet all of these capabilities, sometimes even within the organisation alone, is something that's a bit of a challenge for most organisations, unless you have a very large organisation with very well-equipped and large teams that can essentially cover all of these elements.

If I take climate risk as an example, I wouldn't call it an emerging theme, because we've known about it now for a number of months, there's quite a lot of activity around it, but if we take climate risk models, to develop these types of models, we need different types of people. We need economists, we need climate scientists, we need credit modellers to be at the table, so we can actually assess the financial impact to the portfolios.

To be honest, I just gave some examples but not all organisations will have these types of capabilities built in so it's important to think, in terms of what are the kind of knowledge and what is the kind of expertise that you need to bring to the table.

In addition to having the expertise, secondary to that, or just as important as having the data, is a good data, access to data. This is something that we hear a lot about today as well, so we had those different initiatives to actually make access to data a lot easier. In reality, for the majority of model development activities, what we find working with different institutions, that data within organisations is sometimes not efficient, or not sufficient. They don't go back far enough or can't be accessed in a way to facilitate both the development exercise, because we're talking about the modelling exercise here, or even the running of the models themselves.

We can talk about some examples here but I think the key point in your question was more around responsiveness. That's probably key because, obviously, another aspect here is that model development is an exercise that takes time. We do, for example, work with banks and organisations that go from model design, step all the way to implementation, and these can take in excess of a year. I'm not saying this is true in all cases, but probably it resonates with most people around the table here.

This doesn't necessarily have to be a challenge until the responsiveness comes in. Some of these themes and events can happen quickly so it's important to have the analytics or have the resources in place, or be able to source them in time to actually be able to address these challenges, or address the emerging themes that are coming up, or actually generate to be able to utilise the models in time, because postback after the pandemic has happened, it's too late for us to kind of quantify the impact. These are some of the points that I just wanted to cover.

Widening spectrum of risks emanating from digitalisation, and climate change

AR: Anuratna, we just heard that climate risk is a new kind of risk in financial institutions. Would you like to elaborate on management of new threats, which are linked to the role of CROs?

AC: If we just step back and look at what's happened with the business, with the industry strategically, CROs, back in the day, were mostly managing financial risks. We then got to a point where non-financial risks became more important. They deserve our attention, and several of those were referred to by my colleagues at the beginning of this discussion, be it fraud, technology, cyber risk management, operational.

More recently, what CROs as risk leaders are spending more and more time on is what I refer to as strategic risks, what are the risks arising out of the strategy the business or the organisation is pursuing. Climate has just been referred to, geopolitics has been referred to.

I'd submit that if the strategic risks are not identified, and managed adequately and appropriately, no matter how well we manage our financial risks or operational risks, we will have challenges for the organisation or the business. As CROs, we've got to be very focused on those, and that really talks to how the evolution of the role has taken place. More backward looking, now more forward looking. And who knows, the same conversation this group is having, taking place one year from now, I'm sure a couple of other potential concerns or risks would have been added to the list. Clearly, I'm seeing more and more time being spent by the universe of CROs on the strategic risks these days.

AR: Now, we're just going to move into the next set of questions. Perhaps we can hear from you, Chris, regarding the position of CRO with respect to the compliance.

CM: If we look at the traditional model that many banks had and some banks still do have, if you have a legal and compliance department, and a risk department, the legal and compliance department typically reports to the chief legal officer, who is by nature, a lawyer. Lawyers are trained to tell you what you can and cannot do legally, and what are the legal consequences if you do or do not do that. What they are not trained to do is to find out whether you actually did that or not.

Most compliance issues have come about. If you think about them, the amount of fines that have been levied since the financial crisis. I don't have the exact number but it's something in the order of $200 billion, it’s a lot of money. Whether this is for misselling, breaches of know-your-customer (KYC), breaches of anti-money laundering, essentially, they're all compliance issues. I would regard compliance as very much part of operational risk and it is a very material risk for financial institutions.

What we've seen over the past, particularly 10 years or so, is the compliance function being taken away from legal and put into the risk function, because the risk function is much better trained at ensuring the necessary controls are in place, the monitoring is in place, and so on, leaving the legal department to do what it’s best at, which is simply opining on what you are legally permitted to do or not permitted to do, and what are the consequences if you do or do not do that. So yes, we have seen this move. There are still a number of banks that have the traditional legal and compliance model, but a lot of organisations in the recent years have embraced that shift. Personally, I think it's the right way to go.

AR: Very good. Yasman, what are some of the use cases of advanced technology that can improve the bank's compliance capabilities?

YM: There's quite a lot of areas that can be supported by what we call advanced technology and essentially automation. At the moment, any technology that can minimise the manual processing, manual intervention, minimise operational risk, and so on within a bank or within the risk teams, are activities that should, in my opinion, should be considered, should be looked at.

Banks are no strangers to behavioural models for credit decisioning but, obviously, also to support certain elements like, for example, actors early warning models, identifying risky customers and portfolios before, let's say, a credit deterioration activity has happened, and really geared towards improving portfolio quality, asset quality, and so on. Another area that we use AI technology–again this could be considered as early warning as well–is leveraging public data using news articles to really gauge the sentiment, and in particular credit sentiment, for a particular obligor, for a particular name, for portfolios, and so on.

This is really something that's been proven to predict the default way before a credit event has happened, and this is something that quite a few of our clients are actually leveraging now. Beyond that, other use cases using AI technology to support one of the key processes like the spreading, credit spreads, and so on, that a lot of manual intervention, manual processing of financials is involved in, and that's something that we do use technology for.

Another one is an area that we've discussed quite a lot, and it's something that's probably a key point or a key area that CROs are quite concerned with is around the KYC and anti-money laundering (AML) space and we do within our solutions, within Orbis, within Grid that we're using, we're already integrating artificial intelligence (AI), machine learning algorithms and so on, to both ensure that we support compliance and help banks do the assessments more quickly and efficiently.

This is using AIs in names screening as part of the onboarding process, where the solution can actually do the screen itself. It is using customer name, matching to potential articles or persons of interest, matching against sanctions lists and then using the technology to contextualise it into risk categories and profiles.

It doesn't sound impressive because this is something simple that we can do as a person, but if you're looking or if you're faced with certain challenges like a common name, like John Smith, or based on the region, Muhammad is a name, it’s something that's quite a common name, there are different ways to spell it, trying to look up these elements and trying to match it within databases, it has endless possibilities.

The technology and the algorithms that are in place need to be effective enough to follow the various thought process steps that a person would follow and apply. These are just an example of some of the areas that we leverage, but areas are endless so there are many examples that we can incorporate here.

MK: With that in mind, we'd like to ask, perhaps we'll start with Anuratna, if you can also share some of your experiences with this application or implementation of various technology projects. How is the CRO office, at Mashreq for instance, run these different technology implementation decisions?

AC: Like what has been mentioned directly, indirectly by my colleagues, risk can be a direct or an indirect stakeholder in some of these discussions, depending what part of technology is being changed, upgraded, so have you.

Appropriate governance gives risk managers means to address novel risks.

From the perspective of a CRO, what I would really like to call out is the importance of appropriate governance, and I think that cuts through all technology implementations, strategic or tactical, how do we make sure we have the right governance framework to make sure that we are successful and have the right outcomes as part of that specific implementation. That covers the full gamut of resources, individuals, partnerships with people like vendors, decisions around making versus buying, and when we have things not going on track, how do we do midcourse corrections.

For me, I think appropriate governance is mission-critical. There are examples of when this has been done well, we've had great outcomes, and when this has not gone well, we have had not so good outcomes and conversations has been like pulling teeth. From a CRO perspective, I'd like to always look at and focus on appropriate governance.

MK: Elbert, drawing on your experience at DBS, looking at how you've taken the initiative in terms of selecting various projects for implementation, can you share any learning or insights in terms of the optimal strategy for project selection?

EP: The way to do that, traditionally in DBS, is by setting appropriate key performance indicators (KPIs) at the beginning of the year. You set the KPIs for the CEO and everything cascades from that. In those days, everybody had IT initiatives on their KPI. If you want to get your bonus, you then better do it.

What was helpful in making this transformation was essentially three factors. We actually spent money on hiring people who could help us transform. Bankers from our age, we are quite set in our ways already so you don't just change automatically. You need help in the journey, that was critical.

We also changed our relationship with IT, rather than just use them as a sweatshop, we’ve actually partnered with them. We called it two in a box, and both the IT head and the business head should be able to speak on all the topics when it comes to the IT projects. That forces people to work together, rather than just treat them as an employer/employee kind of thing.

The other thing that we did in the middle of this, the way that we ran the IT projects moved to–what is now a bit of a buzzword agile processes. What does it mean? In practice, we start cutting down the projects in smaller bite sizes, rather than having a three-year project. At the end, you'll find out whether you run out of budget and time and you still haven't delivered. We have smaller milestones. We have smaller meetings that people just get together for 15 minutes, not every meeting has to be an hour. Even if you fail, you got to fail fast, that’s fine, too. Fail next month, don’t fail next year.

Because of these transformations, people helped us speak the same language as well. The results were very good. In a relatively short period of time, this change in approach has showed that my teams’ delivery of their IT was four times as high as the baseline. In the meantime, it's ten times as high as the baseline so it really worked.

You got to have a mentality change. IT is our business, you got to future proof everything. You've got to think about what you deliver from the point of view of the client, rather than what the bank would like to have. You actually have to look at what we call the client journeys. No client wants to have a mortgage, a client wants to buy a house, that's got to be the epicentre of what it is you're trying to bring to them.

Risks from third party service providers can be mitigated by testing controls

AR: Chris, what are some of the most significant risk concerns with third parties? And the follow up question to that, from a risk mitigating perspective, what do you believe is the most effective strategy to address third party risks?

CM: I think you always need to remember that, at the end of the day, it's your business, so if something goes wrong, you're going to suffer. Even if it's the third party that screws up, it's you that suffers, it's your business that suffers. By the way, no regulator will ever accept that as an excuse. “Oh, we didn't make a mistake. It was our third party supplier that got it wrong.” No regulator will let you off the hook with that excuse.

Particularly, when I look at the Monetary Authority of Singapore, they are very strict, and tight rules and guidelines around outsourcing, and about what controls need to be in place. Obviously, you've got to think very hard about what it is you're outsourcing to third parties. Is it really something that you need to outsource or something you better keep in house? Secondly, who are those third parties? Have you done proper due diligence on them? Thirdly, does that third party have the level of control, backups, whatever, that you would expect them to have?

Let's say they've got weak cybersecurity, but they're hosting some of your customer data, your customer data gets stolen, you're in big trouble. There are ways around that. A lot of the big auditing firms do offer assurance services, there's a standard called ISAE 3000, International Standard on Assurance Engagements, which enables you to bring in a third party to ensure that – sorry – to bring in an assurance firm to ensure that the third party you're outsourcing to has all the necessary controls and those controls actually work. They are not just telling you, “We got these controls.” But you can actually test them and see, whether they actually do work properly or not, before you outsource.

AR: Perhaps we can also hear from Elbert. What was your experience of managing third party risk at DBS?

EP: I think that the one thing that springs to my mind when I think about outsourcing risk, and Chris will know this, early 2000s, DBS outsourced their whole IT department to IBM. Somewhere in 2010, somebody in IBM used the screwdriver incorrectly and our whole retail network went down. Our ATMs, our branches–nobody could get money out of the bank. That probably explains why, as Chris says, the MAS has relatively strict guidelines around outsourcing.

We've had smaller incidents as well, particularly around data privacy. The data of our clients wasn't as well protected with the outsource vendors as it was with us. This is kind of a weak link structure. Your weakest link determines how good it is. So now, we have–and aided by some regulation, to be fair– pretty strong upfront policies around this that some of them you can actually find on the internet because we tell our providers what our requirements are. We have upfront requirements, we have KPIs, there is ongoing monitoring, and as Chris said, it's all driven by the fact that whatever risk events they have are my risk events, not anybody else's. You got to treat it as strongly as if you would do it yourself. You're delegating it, you're not abdicating it.

Now, I'm not sure where the direction is going to be because with the increasing requirements around IT, there is probably a stronger desire to keep everything in house, you want to keep it in your cloud. And every time that you buy a piece of software, you spend an inordinate amount of money on integrating it with your own, then every time they do an upgrade, you have to pay for the upgrade, and you have to pay for the reintegration.

I think banks are moving more in the direction of insourcing this and run it like their own IT. It is just very hard to outsource something, but then still keep the same level of control. Also, in your commercial relationship with your vendors, they don't necessarily want you to know everything. It will still happen, but it's a headache. The preference will probably be to insource.

AR: Yasman, what has proven to be the most appropriate setup for financial institutions' relationship with third parties when it comes to climate risk?

YM: What we are faced with at the moment is actually a very big gap in what is needed within organisations, in terms of data, in terms of processes, versus what needs to be there. If I just break it down, if we take the data that is needed to do the quantification, do the risk assessments, support the more sustainable finance activities that banks are gearing towards and actually do the disclosures, those are elements that don't exist. For example, I'm talking about the transition risk data, physical risk data, hazard level of data to help measure transition and physical risk exposures, and actually try to understand concentrations, or even climate scenarios to support the scenario analysis exercises and activities of banks. That's from a data perspective. We know that's a big gap so going to third parties is inevitable.

The other gap is actually in the processes themselves. Processes to capture this data so that banks can start building on what they currently have to expand their databases and start collecting this data from their customers or other sources as well.

ESG and climate risk data traditionally are not the type of information that banks request from their clients as part of onboarding. Essentially, the processes that we have at the moment, the capabilities that exist at the moment are just not mature enough and not there. We don't have a full understanding of what is the kind of data that needs to be there versus what is being captured as well, typically within organisations.

Given that these practices are not mature enough, the actual data that the banks need, and this is data that needs to be provided by customers, provided by obligors, may not necessarily exist. It's not just about being able to collect it, but from the other angle, the customers don't necessarily have this type of data. If you have the bank's portfolio, you will have SME customers which for a typical bank, SME portfolios probably constitute a large proportion of it–and these types of customers may not necessarily know what their carbon emissions or carbon footprint is.

This represents a very big gap, so what is needed are data providers who can provide both the data, and also bring estimation approaches to give the banks a chance, give them a starting point to start their climate risk management journey.

For example, as Moody's, this is something that we support our clients with, we do provide ESG data, carbon emissions data, physical risk data, but also have the analytics to actually build on what is already there, so be able to address any data gaps that are inherently there as well. This is data that is maintained and updated by us and it can be utilised in a number of ways. If we look at it from a climate risk perspective, I think working with third parties, working with external providers, it's something that's inevitable. It's going to take us a number of years before banks internally have the capabilities to do all of these elements themselves.

AR: It has been a question of what is happening with the role of CROs. One main observation is that the role is extended into new risk areas. It’s also moving outside the immediate organisation of the bank and the financial institution.

Another observation is that CROs are dealing with much more abstract type of risks and they're moving away from risks that can be in a very granular way. Analyse, too, risks that are maybe related to societal goals and actually goals that are not related to the financial institutions shareholders’ requirements and demands but what the society is demanding. Managing those risks also requires new kind of relationships, and these relationships need to be established, they also need to be managed.

I hope you all agree with me. Do you have any final comment in relation to my observations of how the role of CROs is changing?

EP: You’re right. When I started as a CRO in 2008, my day-to-day activities were very different from 10 years later. I'm sure they will evolve further, which is the attraction of the job, to be fair, because being a CRO isn't always easy, because whenever there's a problem, it’s you. But the saving grace is it's actually a very interesting job, which is not static, where you can use, hopefully, your powers to connect the dots and spot new potential problems. That has to be the attraction of the job so you've got to have the right guy or girl for that kind of job. It will continue to evolve for sure.

AC: Alex, I just like to make one comment. Over the last 15 years, this is the third time I'm in a CRO role, in a different part of the world, each time with a different organisation. I think the common thing amongst the three roles that I have to employ every day, is to have a very high degree of tolerance for uncertainty and change.

Reflecting on a lot of things that were said over the last 45, 50 minutes, I think the whole mindset the CRO has to lead in the risk management and broader organisation is that large part of the agenda and issues we are talking about and managing today may evolve and change 12, 18, 24 months down the road and that's okay. This  mindset change is mission-critical. I think the leadership that the CRO can provide is very important in that regard, and absolutely hope for the best, but prepare for the worst. That needs to be embedded in the DNA of the organisation, both within risk management and outside. These are the things that I have seen and had to use in each one of my three CRO stints, 15 years apart.

AR: Thank you all for contributing to today’s discussion. I definitely appreciate the fact that we could highlight the CRO role and its evolution and whatever it's waiting for. I definitely think this role will be much more stronger going forward. I hope this knowledge sharing event can contribute to that. I hope to see you around next time.