Profile: Mick Leonard, former chief risk officer, Commonwealth Bank of Australia
After more than 20 years in the risk management field, Mick Leonard is bowing out of the top risk job at Commonwealth Bank of Australia. Stuart Fagg spoke with the outgoing RMA chairman about his career.
Describe your former role at CBA?
The chief risk officer (CRO) role at Commonwealth Bank of Australia (CBA) covers all areas of risk management (credit, market, operational, compliance and insurance) across all the businesses, domestically and internationally – providing a very broad overview of the operations of the whole business. The CRO role is accountable for the design and development of the risk management frameworks and overviews their implementation by the businesses. It also has accountability for the centre of excellence in credit management, involving a focused approach to clients who may be experiencing difficulty.
A major part of the role is the ongoing monitoring and reporting to executive management and the board of the risks in the businesses and the effectiveness and efficiency of the risk management practices. Recommendations for changes to the risk appetite or tolerance may be an outcome of this work.
How does it fit into the overall structure at CBA?
Risk management at CBA is embedded in the businesses, with the risk frameworks designed and developed centrally, but implemented by the business with the assistance of the risk specialist sitting in the business. From my perspective it is important that the management of the various risks present in the business be ‘owned’ by the business with the support of a risk specialist. The view of risk today is very broad, with greater focus being placed on operational and compliance risks. Historically risk has been more thought of in terms of credit and market risk. Management of the businesses now take the broader view of risk management.
What elements of your role did you find challenging?
A very interesting question. The need to continually address change springs to mind. The challenges of a CRO role vary somewhat with the environment, including the stage of the credit cycle, global financial events (eg 1998 ‘Asian Crisis’), the technology stocks ‘bubble’ and changing regulation (eg Basel II, Anti-Money Laundering and Counter-Terrorism Financing Act (AML/CTF), Financial Services Reform Act). The challenge at the end of the day is to be able to meet an ever-changing environment, being flexible enough to deal with the unexpected.
One constant is the need to ensure that the organisation has appropriately experienced and skilled people, involving ongoing recruitment, development and retention. Risk management roles have changed substantially; today there is a higher level of sophistication and greater use of quantitative techniques. Thus new or changed risk management roles have evolved. In Australia it is a challenge to fill a number of these roles, with recruitment from offshore used to selectively meet the requirements.
How did you begin your career in risk management?
My time in risk management, although it was not known as such at the time, started when I carried out lending roles in branches as part of normal career progression. That goes back some 35 years now. I started doing consumer lending – personal loans and home loans. Over the years the complexity and types of loans changed from reasonably simple working capital lines for domestic companies to global capital markets and structured facilities for internationally operating companies. I was appointed the chief credit officer for CBA in 1998.
My initial exposure to market risk was through meeting the requirements of my clients; I needed to understand the workings and risks involved in various derivative products and foreign currency borrowings. Some years ago I was made responsible for the traded market risk management function for the bank’s institutional banking business and then in 2000 was made accountable for the bank-wide market risk management function.
From an operational risk perspective, I was part of a team put together some 10 years ago to design and develop the first formal group operational risk framework. I took over accountability for the operational risk and compliance functions of the group in 2001–02. Both operational risk and compliance have developed substantially since that time.
Experience in insurance risk has been more recent and as challenging as the others.
Sorry for a reasonably lengthy response here, but as I said earlier, risk management has many limbs and my involvement with each risk type developed at different times and to a stage where I was charged with the responsibility for the integrated risk management function of the group.
What do you see as the major challenges ahead for risk management professionals?
There are no doubt still many challenges ahead.
The demands of the business will always be there – the growth in sophistication and complexity of the financial industry seems exponential. Risk management professionals will have to ensure that they remain relevant to the business, particularly in the race to meet client needs. In doing so they will need to be able to express and quantify the components of risks in the simplest form possible so that all involved – from the customer to a member of their own board – can understand it. There can be a tendency to over-complicate things.
Also they will need to be able to clearly demonstrate to management that they (risk management) are providing value that is measurable to the business. This is not easy, particularly over periods of relatively benign risk conditions.
Another major challenge that exists today and will likely always be there is for the risk management professional to be able to say ‘no’, to clearly explain their reasoning and to be able to get acceptance of their position. This should include the options that were considered to see if there was a way to say ‘yes’. Some risk exposures are long enduring and at times the lure of the short-term gains in a non-volatile environment may overshadow the risks of a future more volatile period.
What are the ideal skills to become a chief risk officer?
A CRO role is in my view not an easy one, and if you look at global financial institutions it is one of relatively short duration, maybe due to the many things that can go wrong.
My time tells me there is no substitute for experience. There are many in the financial industry today that have not seen a credit downturn, a major market risk event or such like. Such learning is invaluable.
The CRO role today requires a good understanding of all risks, including how to identify and measure such risk in order to express them in terms of the risk appetite and tolerance as approved by the board.
Equally, the CRO has to possess strong people management and communication skills as they have extensive interaction across all areas and levels of the business. Also they are required to be a spokesperson on risk management issues to external parties, including regulators, rating agencies, analysts, investors and of course customers.
What would your advice be to someone starting out in risk management?
As a starter, remember that risk management is part of the business, it is not a standalone self-supporting function – you have customers whose needs are your lifeblood.
Less philosophically, risk management can be a rewarding career in itself or it can be an important source of knowledge and experience for other roles in an organisation. It’s helpful, although not a necessity, for a new starter to understand which of these paths they wish to pursue, not the least to help in the formulation of their own development plan.
Another choice that may need to be made is what risk management specialisation (eg credit, market, operational, etc) they might wish to follow, or alternatively, whether they want to be more of a risk management generalist. Greater specialisation has occurred in risk management roles due to the growth in these roles but I believe it is still beneficial for all risk management professionals to develop a working understanding of each risk area.
From then on there is a lot of learning to do, both through on the job experience as well as more formal programs/courses. It won’t always be exciting, at times there are ‘chores’ to be done but learnings can also be taken from these tasks.
One other thought, view issues from the customer’s perspective. This is not saying that the customer is always right but it is saying that the customer is always the customer. Taking such a perspective provides some valuable insights.
What do you see as the key future trends in risk management in Australia?
Interesting that you have added “in Australia” to your question as a fair amount of what happens from a risk management perspective in Australia is imported – eg a lot of regulatory change is as a result of global regulatory changes (Basel II, AML/CTF).
Risk management has had a lot of focus over the last decade. I don’t expect this to change, although the emphasis should now move to extracting the value from all the investment that has been made over this period.
I expect regulatory requirements will still be of a high order, whether it is in the form of global requirements or some more domestic issues. The bar for risk management (and the business generally) has been lifted by the regulators and by the rating agencies over the last 5–10 years and I expect more to come. The challenge is to address these changed requirements in a ‘business as usual’ manner, causing as little disruption to the business as possible – not an easy task. Value has to be extracted from the regulatory changes to substantiate the cost of implementation.
A continuation of the use of more sophisticated approaches would be expected, with application of such approaches becoming more common across the risk types. This may lead to more benefits being derived from the synergies that result.
What I can’t predict is the ‘unexpected’. It will happen, I just don’t know what and when; I could have a guess at some but have as much chance of being wrong as right.
One thing I am sure of is that change will be ever present.
How much is implementing Basel II changing the way banks approach risk?
I am generally positive on the outcomes of the Basel II requirements.
Basel II has already had and will further have major impact across the spectrum of risk management, more so than I expect anyone realised it would have when the guidelines were first released some five years ago. The timeframe for implementation in itself speaks volumes for the amount of work required to implement the Basel II requirements.
From a credit risk perspective the advanced approaches in Pillar I employ a methodology that requires a very granular and long series of data for the measurement of credit risk; such data has to be supported by experience. Some banks have been historically employing the methodology but the granularity and long series of data requirements have been a challenge. The end outcome for these banks should be a much better understanding of credit risks at a client, segment and portfolio level, leading to better credit decisions, capital allocation and pricing for risk.
Basel I had little, if any, focus on operational risk management. Those banks adopting the advanced measurement approach have, I believe, taken the opportunity to redesign their operational risk management frameworks to strengthen measurement, but more importantly the management of operational risk. This should lead to improved effectiveness and efficiency in their daily operations.
The requirements for interest rate risk in the banking book are yet to be finalised but again will require changes.
Benefits will also result in the understanding of possible/probable impacts on the business of selected events through more rigorous scenario and sensitivity analysis. Such work may lead to early actions to improve the outcomes from such events should they occur and allow for better contingency planning.
The Pillar III disclosure requirements are also yet to be finalised but more reporting – particularly external reporting – on risk and capital will result. I believe a major challenge for the banks and the regulators will be to ensure that the ‘market’ can appropriately use this greater level of reporting.
Mick Leonard was chief risk officer at Commonwealth Bank of Australia from 1998 to 2007