One of the things I enjoy most about my role is engaging with stakeholders across the industry. I’ve been speaking to a number of CROs recently about their key areas of focus, and in particular how their role is evolving in light of the FCA’s growth agenda and what this means for the way firms think about and manage risk.
Here are some themes from those conversations that I suspect will resonate with many CROs.
Risk frameworks need careful review
Most risk frameworks were designed in the aftermath of the financial crisis, when the regulatory environment demanded stronger controls and less risk-taking. Those frameworks have worked well. But they have also created risk cultures where caution can dominate decision-making and innovation struggles to pass governance.
The FCA is now signalling that risk management should not unintentionally suppress responsible innovation. Increasingly, the message from the regulator is about supporting responsible, managed risk-taking to drive growth and innovation, enabled through more outcomes-based regulation.
For CROs this raises an important question:
How do you enable appropriate risk-taking without weakening the controls that regulators expect? Have you reviewed and rebalanced your risk frameworks to reflect this evolving regulatory mindset?
Consumer Duty has quietly changed the role of risk
Many firms initially approached Consumer Duty as a compliance programme.
In reality, it represents something more fundamental. Consumer Duty has shifted the regulatory focus away from rules and controls towards customer outcomes.
That shift has important implications for risk functions.
Risk is no longer simply about monitoring policy adherence or control effectiveness. Increasingly it involves incorporating customer outcome metrics into governance, risk reporting and board oversight.
How have you embedded outcomes monitoring into governance and reporting?
Does this extend across the full product lifecycle and customer journey?
Culture is now a risk issue
The FCA’s growing focus on non-financial misconduct reflects a wider regulatory view: cultural weaknesses often precede governance failures. For CROs this means working much more closely with HR, conduct and compliance functions to understand the behavioural drivers of risk, not just the control environment.
Few traditional risk frameworks were designed with culture risk in mind.
How are you capturing cultural indicators within your risk framework?
And how confident are you that emerging culture risks would surface early enough?
The regulator is becoming more data-driven – risk functions must follow
The FCA is investing heavily in data-led supervision. That means firms that appear as statistical outliers (whether in complaints, identification of vulnerable customers, pricing, product value, monitoring levels by Compliance, etc.) will be identified much more quickly.
Traditional risk reporting has often focused on process compliance. The regulator is increasingly interested in data evidence of outcomes.
Do your risk dashboards provide the same level of insight that the regulator is likely to see?
So where does this leave the CRO?
The role is clearly evolving.
CROs are increasingly expected to help the business take the right risks, challenge strategies that could lead to poor customer outcomes, oversee culture and behavioural risk, and use data to anticipate regulatory concerns before supervisors do.
In short, the CRO role is shifting from guardian of the framework to strategic risk leader.
I would be interested to hear whether these themes resonate with other CROs. If you would welcome a discussion on any of these areas, please do drop me a line. A virtual coffee to chew the fat on some of the critical changes taking place in the risk landscape is always enjoyable.
Paul Scott – Managing Director





