Talk Story with Mary Sellers of Bank of Hawaii
Sellers joined Bank of Hawaii in 1987 as an officer in private financial services and has worked in various management roles since then. In 2003, she assumed responsibility for the risk management division and was promoted to vice chairman and chief risk officer in 2005. She explains the role of CRO.
The job of CRO was developed in the 1980s in response to corporate crises and market issues happening then. How long has Bank of Hawaii had a CRO and do most banks have one?
Our first CRO, my predecessor, Bill Nelson, joined us in 2001, soon after Mike O’Neill took the helm in 2000, following some of the challenges the company had when it expanded beyond its Hawaii footprint.
CROs have become much more common in banks and the major banks in town all have one. It’s expected these days, but, in very small banks, the CEO functions as the CRO because he or she has the ability to cover the breadth of the organization and stay on top of the company’s risk. But as you go up in scale and size, things get more complex. The complexity of the environment you’re operating in, the regulatory complexity, everything amplifies. So, at that point, it’s imperative that you have someone dedicated to overseeing it or you can lose sight of what’s happening across the organization.
What’s your role as CRO?
I’m responsible for working with the board and management to set the strategic vision for how we manage risk. You really can’t delink risk management from the business, as it’s embedded in the business process. So we set a risk-appetite statement that aligns the board and management’s vision of how much risk we take and how it’s managed across the organization. From there it gets down into more tactical things, such as governance, policy, procedures, how we measure and monitor risk, how we communicate risk, how we report it and calibrate it. I’m also responsible for making sure we’re communicating this with our constituents: shareholders, directors, customers, employees and rating agencies. We make sure we’re staying on top of it and driving it to a maturity level because the more you’re able to make it seamless in your business, the more of a competitive advantage it becomes.
When we think of risk, we think of it as something that must be avoided. But banks make money by taking risks, right?
That’s exactly correct. We are in the business of managing risk and we manage it to be a competitive advantage. I think we’ve done that and if you look at how we’re evaluated by our shareholders, rating agencies and customers, it plays out.
There are certain things that are totally unacceptable, such as anything that will damage our reputation and the potential value of our franchise. It can’t impact our clients adversely. We need to thoroughly understand any risk we take on.
What has been your biggest challenge?
Managing risk is dynamic. It’s complex and the environment is global. Influences are happening all the time and everything’s changing, so it’s challenging to stay on top of it.
If you think about the pace of change in terms of delivery to our clients through electronic channels and what you see happening there from just fraud and a tax on our infrastructure, we’re moving at a pace that you wouldn’t have even envisioned five or 10 years ago. Regulatory issues, coming out of the financial crisis and new legislation, are changing how we do everything. The dynamic nature is a challenge because employees like certainty. What worked yesterday, may not be OK today. The challenge is helping employees understand what’s changed and why we need to adjust or calibrate what we’re doing. And that moves on a dime.
What’s your approach to risk management?
Balance. Banking is a regulated industry and there’s a lot of formality around certain things we’re required to do. We need to balance that infrastructure with the business needs. Risk management is integrated into this and not a separate process.
There needs to be flexibility and you need to understand what works. You need to take a look at what’s really critical and how to manage it.
There’s no one model that’s absolute, so within banks you’ll find different models as to how it’s done. It has to be aligned with your business culture. If you’re in a lower-risk banking niche, then you may not need a CRO. But if you’re doing something that’s high risk, like subprime lending, you probably need 50 CROs. All the local banks do it a little differently.
How does the company culture at Bank of Hawaii help you do your job?
I think it began back when the bank came out of the financial difficulties we had from overstretching our infrastructure.
When Mike and Bill came on board they started to build the framework and lay the foundation. I think it’s just continued to be built on, from training, policies and procedures, committees, task forces to education. What we communicate around our strategy and what’s important to us as a company, is the key. Clearly whatever message is coming from management as to what we value and what is important, that is what people hear.
So I think that is the triumph of the company and not any one individual. I happen to be the champion for it and the one charged with ensuring that we stay on track. It truly has translated to value for the company and people see that. Through the financial crisis, I think our employees and customers saw that people wanted to move their money to Bank of Hawaii. It was a safe place.
Our culture is one where everyone is a risk manager. We don’t shoot the messenger. The whole thing is to communicate because we can usually fix anything. We can’t be everywhere in the organization so just getting people to feel comfortable saying, “I’m not sure” or “I think you should be aware of this” is important. From the teller who’s touching our customer, to (president and CEO) Peter Ho, everyone’s managing risk.
(This interview was edited for clarity and conciseness.)