CRO Recruitment at Challenger Banks and Dual-Regulated Firms

CRO Recruitment at Challenger Banks and Dual-Regulated Firms

The Chief Risk Officer role at a challenger bank or dual-regulated financial institution carries a set of demands that do not exist at FCA solo-regulated firms or at non-regulated businesses. Dual regulation by the FCA and PRA means the CRO must maintain constructive supervisory relationships with two regulators simultaneously, each of which has distinct priorities and supervisory approaches. The PRA’s prudential focus — on capital adequacy, credit quality, operational resilience, and the firm’s ability to withstand stress scenarios — sits alongside the FCA’s conduct focus on customer outcomes, market integrity, and the firm’s treatment of retail clients. The CRO must be credible in both registers.

At challenger banks specifically, the CRO appointment carries additional complexity. Challenger banks are typically at earlier stages of regulatory maturity than their established banking peers — their risk frameworks are still being built, their supervisory relationships are being established, and their risk culture is being formed under conditions of rapid commercial growth. The CRO at a challenger bank is not simply managing a mature risk framework. They are building one, often under time pressure and in a commercial environment where growth ambitions create significant internal pressure to accept risk that the regulatory framework may not permit.

The PRA’s Expectations of the CRO at a Dual-Regulated Firm

The PRA’s supervisory approach to the CRO function at banks and insurers is more intensive than the FCA’s approach at solo-regulated firms. The PRA’s supervisory statements on risk management governance set out specific expectations for the CRO’s role — including that the individual has direct access to the board and the PRA, that they have genuine authority to challenge business decisions that exceed the firm’s risk appetite, and that their remuneration is structured to support independence from the business lines they oversee rather than creating financial incentives to align with commercial outcomes.

The PRA pays close attention to the CRO’s appointment at significant banks and insurers, and for CEO, CFO and CRO appointments at complex firms, a PRA regulatory interview is a standard part of the approval process rather than a discretionary one. The interview focuses specifically on the candidate’s understanding of the firm’s prudential risk profile — their knowledge of the credit book, capital model, funding structure, and the specific regulatory capital requirements that apply to the firm’s activities. A CRO candidate who has strong conduct risk credentials but limited experience of prudential risk management will face significant scrutiny in a PRA interview, and the outcome may affect the firm’s supervisory relationship with the regulator if the appointment proceeds with residual concerns unaddressed.

Challenger Bank CRO: The Build vs Manage Distinction

One of the most important questions in a challenger bank CRO search is whether the firm needs a risk builder or a risk manager. These are genuinely different profiles, and the best risk managers are not always the best risk builders — and vice versa.

The risk builder profile is appropriate for challenger banks at early regulatory maturity stages — firms that need to establish their risk appetite framework, build their credit risk assessment methodology, create their operational risk and control environment, and develop the management information and reporting infrastructure that will allow the board to oversee the firm’s risk position meaningfully. The risk builder candidate typically has experience of standing up risk functions from scratch, of navigating the PRA’s model approval and Internal Capital Adequacy Assessment Process (ICAAP) requirements for the first time at a growing firm, and of managing the PRA supervisory relationship during the critical period when a challenger bank’s risk infrastructure is being evaluated against the regulatory standard for the first time.

The risk manager profile is appropriate for challenger banks that have built their core risk infrastructure and need sustained operational excellence in risk oversight. The risk manager candidate has deep expertise in running a mature risk function — managing credit concentrations, monitoring the firm’s risk appetite utilisation on an ongoing basis, chairing the risk committee effectively, and maintaining the PRA’s confidence in the firm’s risk management quality over multiple supervisory cycles. The two profiles overlap, but the balance between strategic infrastructure building and operational risk management capability is different, and appointing a risk manager profile when the firm needs a builder, or a builder profile when the firm needs a manager, produces predictable and avoidable governance problems.

The ICAAP and ILAAP: CRO Accountability at Challenger Banks

The Internal Capital Adequacy Assessment Process (ICAAP) and the Internal Liquidity Adequacy Assessment Process (ILAAP) are among the most significant regulatory deliverables for any PRA-regulated bank, and the CRO’s role in both is central. The ICAAP requires the bank to demonstrate to the PRA that it has identified all material risks, assessed its capital requirements under a range of stress scenarios, and maintains a capital buffer adequate to absorb those stressed losses. The ILAAP requires a parallel assessment for liquidity risk. Together, the two documents are the primary mechanism by which the PRA evaluates whether the bank is managing its prudential risks adequately.

For a challenger bank CRO, responsibility for the ICAAP and ILAAP is one of the most demanding aspects of the role. The PRA reviews these documents intensively and will challenge the bank’s stress assumptions, model methodology, and conclusions where it believes the firm’s self-assessment is too optimistic. A CRO who cannot defend the ICAAP to the PRA in a Supervisory Review and Evaluation Process (SREP) meeting — who cannot articulate the firm’s credit concentration analysis, explain the capital model’s key assumptions, or engage credibly with the PRA’s questions about the firm’s liquidity risk management — is creating a supervisory relationship problem that the bank’s senior leadership will find difficult to manage.

The SMF4 Approval Process at Challenger Banks: PRA and FCA Dimensions

SMF4 approval at a dual-regulated bank requires approval from both the PRA and the FCA. The two regulators assess the candidate against their respective supervisory priorities — the PRA against prudential risk management capability and the FCA against conduct risk oversight. For most CRO candidates at challenger banks, the PRA assessment is the more intensive and the more likely to involve a regulatory interview.

The combined PRA/FCA approval process typically takes longer than FCA-only approval. A realistic timeline for a CRO appointment at a growing challenger bank — accounting for the more intensive PRA assessment of a building-stage institution — is twelve to twenty weeks from Form A submission to approval. Boards should build this timeline into the search process from the outset, with interim risk coverage arrangements confirmed before the search begins rather than addressed reactively when the vacancy arises.

The regulatory references required for the Form A submission add complexity for CRO candidates who have worked at multiple regulated firms over the previous six years, which is typical for senior risk professionals with the career progression profile the PRA expects. Managing the collection and review of multiple regulatory references simultaneously, in a way that allows the board to understand their full content before submitting the Form A, requires dedicated process management that Exec Capital provides as part of every regulated firm search.

What the Challenger Bank CRO Profile Looks Like

The candidate profile for a challenger bank CRO appointment combines elements that are individually not rare but whose combination is genuinely scarce. Banking prudential risk expertise — direct experience of credit risk management, capital framework oversight, and ICAAP/ILAAP responsibility — is the technical threshold. Without it, the candidate will not pass the PRA’s approval assessment and will not have credibility with either the PRA supervisory team or the bank’s risk function.

Challenger bank or high-growth environment experience — having operated in a context where the commercial growth agenda creates persistent pressure on the risk function, where the risk infrastructure is being built or improved under time pressure, and where the CRO must balance the regulatory requirement for independence with the commercial reality of being part of a leadership team trying to build a competitive banking business. Candidates whose entire risk career has been at large, established banks may find the challenger bank environment, with its higher volatility and more intense commercial pressure, significantly different from what they have experienced.

PRA supervisory relationship experience — having managed the PRA relationship as the named CRO, including SREP meetings, capital dialogue, and the management of supervisory concerns where they have arisen. This experience is a significant differentiator among challenger bank CRO candidates because it cannot be easily developed in a second-line advisory role — it requires having been the individual in the room when the PRA is challenging the bank’s risk assessment, and having managed that interaction successfully.

Working with Exec Capital

Exec Capital places Chief Risk Officers at challenger banks and dual-regulated financial institutions — permanent and interim, with a specific understanding of the PRA/FCA dual approval process and the prudential risk management capability requirements that distinguish the CRO role at regulated banks from the same function at other firm types. Call Adrian Lawrence FCA on 0203 834 9616 to discuss your CRO search.

The CRO’s Role in Capital Planning at Growing Banks

Capital planning is one of the most consequential dimensions of the CRO’s role at a challenger bank, and it is one where the tension between commercial ambition and regulatory prudence is most directly felt. A growing bank that is expanding its loan book, launching new products, or entering new markets is consuming regulatory capital at a rate that requires continuous forward planning to ensure the bank maintains adequate buffers above its minimum capital requirements. The CRO is responsible for ensuring that the board and the PRA have a clear and honest assessment of the bank’s capital position under both base case and stress scenarios — and for escalating concerns when the commercial growth plan would result in capital consumption that the bank’s current capital base cannot comfortably absorb.

At challenger banks that are pre-profitability or in the early stages of profitability, capital planning is complicated by the limited internal capital generation available to fund growth. The CRO must balance the commercial case for continued growth investment against the prudential requirement to maintain capital adequacy — and must be prepared to present an honest view to both the board and the PRA, including where that view is that the current growth plan is inconsistent with maintaining adequate capital buffers under stress. This is the kind of independent challenge that the SMF4 designation is designed to mandate, and it is precisely the kind of challenge that commercial pressure creates the strongest incentive to avoid.

Managing the PRA Supervisory Relationship as a Challenger Bank CRO

The PRA’s supervisory approach to challenger banks reflects its assessment of the prudential risks specific to early-stage banking businesses — concentrated loan books, limited track record of credit performance through a full credit cycle, funding models that may be less diversified than established banks, and governance frameworks that are still maturing. The CRO at a challenger bank is the primary management interface with the PRA on prudential risk matters, and the quality of that relationship directly affects the bank’s supervisory risk profile and its ability to execute its commercial strategy without regulatory friction.

CROs who build constructive, transparent relationships with the PRA supervisory team — who proactively communicate material risk developments before they appear in regulatory data, who engage substantively with the regulator’s questions about the bank’s risk model, and who demonstrate that the bank’s risk governance is genuinely independent rather than commercially compromised — consistently produce better supervisory outcomes than those whose relationship with the PRA is reactive and information-limited. Building this relationship requires both the personal credibility that comes from a strong technical risk background and the interpersonal skills to manage a supervisory relationship that is inherently asymmetric in the regulator’s favour.

Adrian Lawrence

Adrian Lawrence FCA is the founder of Exec Capital. He is a Chartered Accountant and holds an ICAEW practising certificate in his own name with over 25 years’ experience operating at C-suite level, Adrian brings direct executive experience to senior search. His background spans private equity-backed businesses, owner-managed companies, and listed environments, giving Exec Capital a practitioner’s understanding of what leadership hires actually require.