Back in the New York groove: BNY CRO’s risk revamp

Senthil Kumar, the chief risk officer (CRO) at BNY Mellon, sees risk everywhere. Not just from a potentially crippling cyber attack or the actions of a rogue employee, but in the small things.

“When I drive home from work, I take a risk,” he says. “When I decide to take the train instead, I take a risk. When my son asks me about trying a different activity, I tell him to try to understand the pros and cons.

“It’s a simple life principle: we take risks in everything we do.”

And it’s a life lesson we’ve all had to learn lately. Covid-19 has forced society to walk an awkward line, minimising exposure to others, while trying to get back to activities that seem healthy and normal. We’re forced to parse risk on a daily basis in a way we hadn’t countenanced before.

It’s the same ability to evaluate risk and reward in every action that is critical to building a healthy risk culture at a bank, Kumar argues – and helps staff to take “intelligent risks”.

This philosophy is at the core of a risk-culture revamp at BNY that Kumar has been leading. It hasn’t just been focusing on staff traditionally seen as front-line, such as salespeople or relationship managers, he says. He cites the example of an important IT upgrade that takes place over a weekend: if it fails, it could have dramatic consequences for the bank and its clients.

[IT staff] must own the risk of their business decision and their management of that risk, and that’s why cultivating a strong risk culture and risk ownership is superimportant

Senthil Kumar, BNY Mellon

“Where does the risk for a technology change sit? In the first line or second line, or somewhere in between?” he muses. “[IT staff] must own the risk of their business decision and their management of that risk, and that’s why cultivating a strong risk culture and risk ownership is superimportant.”

This concern about operational risks partially stems from the risk make-up of BNY Mellon. As the world’s largest custody bank, administering over $45 trillion in assets, the bank’s risk-weighted assets (RWAs) are more heavily geared towards operational risk than market or credit risk. Advanced operational risk RWAs for the third quarter of this year make up 39% of total RWAs at the bank, compared with Bank of America’s 27%, Citi’s 24%, just 20% at Goldman, 26% at JP Morgan and 21% at Morgan Stanley.

But Kumar is also interested in people. He has strong views on the proper formulation of the first and second lines of defence, and in making sure there is accountability across the organisation. He has overhauled the way in which revenue opportunities are assessed relative to risk – and is keen to see his staff develop and diversify their skills to encourage greater resilience in the risk function.

Since joining BNY Mellon in 2019, Kumar has introduced three individual, award-winning training programmes.

“Risk culture is the most important pillar that supports an organisation’s goals,” he says. “Risk cannot be delegated: when you’re taking risk, you own it.”

Many years since I was here

Kumar graduated from the University of Madras, earning a degree in mathematics and statistics in 1985, then a certificate in accountancy from the Institute of Chartered Accountants of India. After joining KPMG in India for a short stint, he was hired by Samba Bank in Saudi Arabia, a Middle Eastern bank then majority-owned by Citi.

Initially in the audit function, Kumar eventually shifted to a trading role, helping to set up a new unit that invested in alternative assets such as private equity, real estate, hedge funds, collateralised debt obligations and collateralised loan obligations among other assets.

The experience was a good one, he says, with a large trading account affording him a real sense of global market dynamics.

In 2003, Citi sold its stake in Samba Bank and offered positions to some of the staff. Kumar took the chance to join Citi Alternative Investments in New York as an in-business risk manager. He was later tasked with helping take in the assets of Old Lane, a hedge fund Citi purchased in 2007 and of which Vikram Pandit was co-head. Before the year was out, Old Lane would be wound down and Pandit appointed CEO of Citi. Kumar had a ringside seat.

It was also during the acquisition that he met Brian Leach, who went on to become CRO for Citi. Leach drafted in Kumar to become head of the bank’s alternative assets risk management, just as banks plunged into the global financial crisis of 2008.

“Citi had a very large pool of over 5,000 assets globally, and I was involved in managing down that portfolio and making sure we got it to the right place,” he says.

After a brief stint as head of financial institutions and public-sector risk management that began in 2012, Kumar became CRO of Citi’s vast institutional client group in May 2014. He stayed on for five years before joining BNY Mellon as CRO in July 2019.

“The way risk was looked upon at Citi was mostly on the financial side,” he says. “As the market moves, how much we are going to lose on a banking deal or a loan or on market positions I’ve taken.”

And while markets and credit exposure are still high priorities at BNY, Kumar adds, there is much more of a focus on resilience.

“What happens if my systems are not able to handle the large volumes that come in suddenly because of market volatility?” he says. “It’s a very different focus.”

This place was meant for me

The challenge of managing such a massive operational risk book is what led Kumar to take the job at BNY Mellon.

“I ran the largest credit and market risk book at Citi, but BNY Mellon has the world’s most complicated operational risk book,” he says.

Less than two years later, the default of Archegos Capital Management focused industry minds on the importance of good risk culture and of creating clear, empowered roles for the three lines of defence.

A report on the event, drafted by law firm Paul, Weiss, Rifkind, Wharton & Garrison, indicated the concerns about Archegos’s positions were flagged by an employee in the second line, but that they were not acted on swiftly enough. It also highlighted the importance of preventing employees in the first line focusing on revenues without owning the attendant risks they have taken.

Rather than relying on an empowered second line of defence, Kumar suggests that employees in the first line must take their roles as risk managers seriously.

“When I used to trade, I was the first one who knew whether my trade was working or not working,” he says. “The person in the second line will only know about it at a much later stage. There is a reason we call it the first line.”

When I used to trade, I was the first one who knew whether my trade was working or not working … There is a reason we call it the first line

Senthil Kumar, BNY Mellon

First-line employees must remember that just because they interact with a client does not mean they are not risk managers, too.

“The second line must make sure the risk culture is right, and that the right kinds of tools to help make those decisions are available,” says Kumar.

Part of this equation involves all staff becoming acutely aware of the risks they are taking at all times, and whether or not the revenue at stake is worth it. Making sure staff would parse risk and reward in this way meant implementing a new framework at BNY Mellon, based on three pillars to which all staff must adhere. These are: understanding exactly how much upside a business decision can have; the potential loss associated with the decision; and how to mitigate the risk of that loss if things go wrong.

Front-line staff are usually well aware of the potential revenues that can come from new business, says Kumar, so the first parameter is taken care of. It’s an understanding of the second and third pillars he tries to encourage throughout the organisation.

Under Kumar, BNY has been working on upgrading its second-line oversight function, and changed its risk and compliance organisation structure to cover specific risk types such as credit and market risk, as well as region and legal entity risks.

Staff also need to understand the consequences of bad conduct when things go wrong, and that involves a close relationship between risk and human resources, Kumar adds.

Supplementing these changes are the three training programmes he introduced to make BNY’s risk teams more resilient.

The first is an executive development programme for diverse candidates at the director level. The second, a cross-training programme, involves staff from different risk disciplines spending 20% of their hours working on another risk desk, to encourage a diversity of skills within the bank. Around 100 staff took part in the programme last year.

“My team and I devised this programme at Citi when I had a very small team,” he says. “When someone went off on vacation, I was left without anyone else.”

The third programme is a mentoring initiative that helps risk managers accelerate their careers with input from dedicated mentors.

With a fistful of dollars

Beyond risk culture, Kumar is most concerned about cyber risk, especially since the Covid-19 pandemic “dramatically increased entry points” into the firm’s systems. Nation states have also become increasingly sophisticated in cyber hacking, and BNY is particularly focused on combating ransomware.

To meet cyber risk threats, Kumar has ramped up hiring efforts in the discipline, adding a new chief technology risk officer, Dimi Stratakis, among other staff.

If the firm’s systems are compromised, part of its risk mitigation involves setting up systems within the same network not to trust each other, but to authenticate before data is exchanged.

“Our data is appropriately safeguarded so that even if someone breaks in, they won’t be able to find what they’re looking for,” says Kumar.

He has also been focused on risks stemming from climate change – as banks grapple with increased scrutiny about the projects they finance and the assets in which they invest.

“We manage $2.3 trillion of assets, and a lot of our customers have specific requirements on [environmental, social and governance, or ESG] that we need to manage,” says Kumar. “There’s a lot of focus on ESG within the organisation, and we are trying to get to the right place.”

In November, the Financial Times reported that BNY Mellon was to offer servicing to Adani Group’s controversial Carmichael coal mine in Australia. It was subsequently reported that the bank would no longer take part in the Queensland project.

Kumar declines to comment on the incident, but he does say that BNY has developed a climate framework that was used to assess risk factors.

“I do look at concentration risk from an ESG point of view,” he says. “[For instance,] I don’t want us to build a huge service centre in a place which is prone to flooding.”

He has hired a global ESG chief risk and compliance officer, Clare Davies, whose role is exclusively to handle the bank’s ESG exposures.

“We have a well-thought-out strategy as to how we are going to operate in an emergency,” he adds.

“We have a resiliency strategy that we have put in place, which is, in my mind, significantly better than what I’ve seen in other places. It’s part and parcel of how we think about being a resilient organisation.”

*Update, January 6, 2022: a previous version of this article stated Citi sold its stake in Samba Bank in 2004. In fact, it was 2003. It also stated Senthil Kumar subsequently served as head of alternative assets at Citi; in fact, he was head of alternative assets risk management.