Stronger together: CLS’s chief risk officer on risk culture

Deborah Hrvatin discusses integrated risk management, mega-hacks and model risk

Deborah Hrvatin

The scale of the losses sustained by Credit Suisse when a now-infamous client defaulted in March shocked the financial industry. Many things went wrong at the bank to result in the haemorrhage of $5.5 billion, but one of the most unexpected was the fact that the person managing the risk posed to Credit Suisse by Archegos was a former sales and marketing executive, rather than a risk management professional.

A recently published tell-all independent report lists, among other missteps by Credit Suisse, a litany of mistakes made under the leadership of the inexperienced risk manager. These include a failure to invoke liquidity add-ons previously agreed with Archegos and avoidable delays in moving the family office to dynamic margining. The bank’s US Delta One traders – the first line of defence – also come in for criticism for missing multiple red flags.   

The pile-up of errors is an example of the kind of risks that Deborah Hrvatin, chief risk officer (CRO) at foreign exchange settlement giant CLS, has spent much of her career fighting. Before her current role, she held operational risk positions at Citi, Deutsche Bank and Bankers Trust, which was bought by Deutsche in 1999.

“Your second line has to be a credible, independent challenge to your first line, and your first line has to own the risks they are taking,” Hrvatin says. “More widely in the organisation, risk management should not just be the domain of risk teams – the whole organisation must understand and manage risk.”

An overarching risk culture is necessary to bring together the core pillars of operational, financial and other risks, she argues.  

“If you don’t have a good risk culture, the rest of the individual parts of your framework will not gel together,” Hrvatin says. “A lot of firms have siloed their risk management activities, but I believe the industry needs to move towards integrated risk management.”

This involves a shared risk taxonomy, which everyone from the first line to the third line must understand, and requires everybody at the firm to think like a risk manager. It also helps when the CRO has a hard reporting line to both the chief executive and the board, which raises the profile of the risk function and helps improve the risk culture from the very top of the organisation, she says.

Hrvatin’s other belief mirrors the distinctive approach of her former boss, as well as mentor and friend, Deutsche CRO Stuart Lewis. When he became CRO of the bank’s notoriously aggressive investment banking division in 2010, he repeatedly raised concerns about the way the business was run. Lewis continued with this proactive approach when he was promoted to CRO of the entire bank in 2012, managing to keep the trust of the five successive chief executives who have headed the bank since then.

Hrvatin takes a similar view.

“As a CRO, you have to be forthright and you have to really influence the organisation to adapt and understand that a certain behaviour may have an impact on a broader [business] goal, or the ecosystem at large,” she says, adding that, as a market infrastructure firm, CLS needs to be particularly conscious of its potential impact on the financial system.

Supply chain and model risks

Hrvatin displayed the same prudence when she decided to significantly increase the scrutiny of CLS’s fourth and fifth parties, to get advance warning of the risks stemming from its third parties. She believes that cyber criminals are focused on large technology vendors because, through them, they can infiltrate the numerous organisations the vendors serve.

A striking example of this is the hacking of SolarWinds last year, which gave criminals a way into the US government agencies and large companies that used the provider’s software.

“As soon as we see a vendor has been impacted by a cyber attack, we immediately try to determine if they had a relationship with our primary third parties. We interrogate that data daily,” Hrvatin says.

“We are putting just as much rigour into investigating fourth parties as we do when checking our own third parties. That’s why I prefer to call it supply chain risk, because the risk extends further, and closer scrutiny is needed to ensure operational resilience.”

Equally, Hrvatin and her team clearly put a lot in during the FX market convulsions set off by the Covid-19 pandemic last year – sources say CLS handled the crisis well.

Smooth sailing was a tall order during that turbulent period. The average daily traded volume submitted to CLS in March 2020 was a record $2.19 trillion, up by around one-fifth compared both with February that year and March 2019. And Hrvatin coped with the trading spikes with only a few months’ experience as a CRO under her belt, as she joined CLS in November 2019 in her first such role. According to the firm, its settlement services were available 100% throughout 2020.

Another area where Hrvatin has already left her mark is CLS’s model risk management.

“This is an area where there used to be a lot of outsourcing,” she says. “But I need the subject matter expertise in-house, so I’ve been investing in our team significantly to improve the balance. We want to be able to run our own fully independent challenger models in-house.”

Hrvatin has recently hired two model risk managers as part of her drive to reduce reliance on external consultants. CLS currently uses the services of around 14 PwC advisers to support model validation.

“I think I’ll always use outsourcing to some extent because it’s really easy to scale up when we need to,” Hrvatin says.  

Including the two new model risk managers, she manages five people in this function, as well as seven liquidity and market risk managers, four credit risk managers, three enterprise risk managers, four information security risk managers and 16 operational risk managers.

All hands on deck

Hrvatin’s position as a CRO builds on her previous experience working across all three lines of defence. In addition to other roles, she has worked as a risk and capital strategist in the first line risk function at Deutsche and as a bank examiner at the Federal Reserve Bank of New York, which some see as a fourth line of defence.  

Hrvatin’s role at CLS also gives her exposure to a market that’s new to her – and she moved to the firm partly because she found the challenge of minimising settlement risk in the vast FX market “exciting”.

Via its main service, CLSSettlement, CLS stands between banks in the market and guarantees the delivery of currency trades, releasing currencies between counterparties only once all involved have delivered what they promised. Owned by many of the world’s largest financial institutions, CLS also reduces the size of massive global currency flows by netting down firms’ trade-by-trade gross obligations to more manageable amounts they must deliver in each currency.

Although praised for reducing settlement risk since its establishment in 2002, CLS has faced calls from its members for two main changes. One involves making it easier for non-banks to join CLS, while the other concerns extending CLS’s settlement service to the emerging-market currencies it does not currently cover.

CLS is addressing these calls. As it evolves, Hrvatin will want to make sure her team is an integral part of the process.

“When risk culture is right, risk management isn’t seen as preventing business from advancement, but helping business move in the right direction, aligning with the strategic goals set by the business,” she says.

Put another way, Hrvatin doesn’t want risk managers to be pitted against direct profit-generators, such as traders – instead, the two groups should work together towards the same goals.

The consequences of not doing so are plain to see.  

Biography – Deborah Hrvatin

2019–present: Chief risk officer, CLS

2017–2019: Global head of operational risk management for Institutional Clients Group, Citi

1996–2017: Risk and operational roles, latterly Americas head of operational risk, Bankers Trust and Deutsche Bank

1991–1996: Senior bank examiner, Federal Reserve Bank of New York

Editing by Olesya Dmitracova
