RBI has mandated vide its notification dated 25th June, 2021 that every primary urban co-operative bank having asset size of Rs.50 billion or above should appoint a chief risk officer in their organisation. Further instructions are given below:
- The CRO shall be a senior official in the bank’s hierarchy and shall have adequate professional qualification / experience in the area of risk management.
- The CRO shall be appointed for a fixed tenure with the approval of the Board. The CRO can be transferred / removed from the post before completion of the tenure only with the approval of the Board and such premature transfer / removal shall be reported to the concerned Regional Office3 of Department of Supervision, Reserve Bank of India.
- The Board shall put in place adequate policies to safeguard the independence of the CRO. The CRO shall have direct reporting lines to MD/CEO or Board or Risk Management Committee of Board (RMC). In case the CRO reports to the MD/CEO, the Board or the RMC shall meet the CRO, without the presence of the MD & CEO, at least on a quarterly basis.
- The CRO shall not have any reporting relationship with the business verticals and shall not be given any business targets. Further, there shall not be any ‘dual hatting’ i.e. the CRO shall not be given any other responsibility such as CEO, COO, CFO, Chief of the Internal Audit, etc.
- In UCBs that follow committee approach in credit sanction process for high value proposals, if the CRO is one of the decision makers in the credit sanction process, he shall have voting power and all members who are part of the credit sanction process, shall individually and severally be liable for all the aspects, including risk perspective related to the credit proposal. If the CRO is not a part of the credit sanction process, his role will be limited to that of an adviser.
- In UCBs which do not follow committee approach for sanction of high value credits, the CRO can only be an adviser in the sanction process and shall not have any sanctioning power.
- All credit products shall be vetted by the CRO from the angle of inherent and control risks.
3. The CRO shall support the Board in establishing an integrated risk management system, capable of identifying, measuring and monitoring all types of risks on an ongoing basis. This will include developing the organisational risk appetite and a framework that will translate the Board’s strategy into clearly laid down monitorable risk limits at the aggregate and at granular levels. The CRO shall also be involved in actual monitoring and mitigation of risks.
4. It is emphasized that the primary responsibility of risk management lies with the Board. In order to focus the required level of attention on various aspects of risk management, UCBs meeting the eligibility criteria specified in para 1 above are advised to set up a Risk Management Committee (of the Board) by March 31, 2022. The Board shall decide the membership, scope of work and frequency of meeting of the Risk Management Committee.
5. UCBs meeting the prescribed criteria as on March 31, 2021 shall appoint / designate a CRO by March 31, 2022. UCBs which may fulfill the criteria at the end of the current or subsequent financial years shall appoint / designate a CRO within a period of six months from the end of the financial year concerned.
6. A copy of this circular should be placed before the Board of Directors of the bank at its next meeting.
7. The Board2 must clearly define the CRO’s role and responsibilities and ensure that he/she functions independently.