Chief risk officers come in all shapes and sizes. Some are responsible for avoiding losses, others are responsible for optimising return. A few of them police risk taking throughout the firm across all risk types, and have reporting relationships with human resources, legal counsel and IT, as well as the business lines. Most don’t.

Norman Swick, chief risk officer at Washington Mutual (WaMu) – the seventh-largest bank in the US, with $247 billion in assets – is proof that banks expect very different things of their CROs. For a start, Swick has no responsibility for credit and market risk, the aggregate management of which has come to be seen as a cornerstone, if not the embodiment, of the CRO’s role.

“In the industry at large, there is no job description for this position,” he says, and offers the example of a get-together organised by Deloitte & Touche in Miami recently, which brought together CROs from a range of different institutions. Commercial banks, investment banks and insurers all had their own iteration of the CRO position, he says.

In a mirror-image of the accepted wisdom that sees CROs as market and credit risk gurus who still lack influence when it comes to operational and business issues, Swick acts as the nemesis for a whole range of unwieldy risk management bugbears. However, market and credit risk are still managed in silos by the company’s treasurer and chief credit officer respectively.

Swick is responsible for risk in the areas of corporate security, data and intellectual property protection and business continuity, and runs the firm’s insurance programme, as well as overseeing due diligence examinations of prospective merger & acquisition targets. He also heads WaMu’s enterprise risk management (ERM) programme.

“My unofficial title is the Bad News Bear,” he says, and this is typical of the relatively informal approach WaMu takes towards risk management, an approach that the ERM programme will modify, although not dispel. Swick, and others in WaMu, have a healthy distrust of codified risk management. They hope instead to alter the culture at the bank so that existing strands of risk management, which Swick asserts are already strong, are brought together and embedded in the company’s operations.

“You have to understand the company’s background and culture for it to make sense,” he says. “Historically, we operated a matrix management structure, in the belief that no single person was smart enough to figure out what was going on by themselves. As we’ve grown, we’ve moved away from that, and separated into business lines, but some of the old philosophy has stayed.” As a result, he says, there is a lot of cross-disciplinary consultation within the company – one of the central tenets of ERM – but it just hasn’t been formalised.

There are dangers here, though. No one at WaMu wants to see a shift to risk management by committee, says Swick, who argues that this can place all responsibility for risk in the hands of risk officers and committee members, relieving others of their ongoing duty to think about and manage risk. But things are changing at WaMu, largely because its rapid growth means a loose, elastic approach to risk is no longer appropriate.

“Because we’ve grown so much over the last several years, old-line guys like me now recognise that the company’s too big for us to see any more. We need some help, and an enterprise-wide approach to risk can answer that,” Swick says.

WaMu, still a dark horse in US banking circles, is also something of an anachronism. It is officially classified as a thrift institution, despite dwarfing the country’s other thrifts and being comparable in size to super-regional banks such as Wells Fargo, Bank One, First Union and FleetBoston. It achieved its current stature via a series of quick-fire acquisitions in the mid-to-late 1990s. “We’re the seventh-largest bank in the country. Not so long ago, we were the sixth biggest bank in the state of Washington,” Swick comments.

Unlike a FleetBoston or a Bank One, WaMu is a specialist consumer bank, offering nothing for large commercial and institutional customers. It does offer business loans, as well as insurance and funds, but is primarily a mortgage lender – the largest originator and servicer in the US and the third-largest holder of mortgages behind Fannie Mae and Freddie Mac – and a savings institution. This fairly unglamorous mix of businesses has still delivered some eye-catching growth.

WaMu’s second-quarter results, released on July 17, boasted record earnings of $798 million, up 63 per cent compared with the same quarter last year, and the latest in a string of consecutive earnings records for the firm. It is another side of what Swick characterises as WaMu’s “Jekyll and Hyde” tendencies – an unglamorous company that can deliver rapid growth; a cautious company that can seem to develop a sudden appetite for risk.

In many respects, he says, the company is very risk-averse. It is unwilling to change its culture to suit acquired firms, for example, and feels no overwhelming need to update a technology infrastructure that has apparently prompted new hires to suggest that it hasn’t yet joined the 21st century.

“We might be a bit plodding at times,” he says. “But when we understand a situation and see an opportunity, we’ll move forwards very boldly and very quickly into areas that others might be a bit cautious about.”

WaMu’s huge appetite for mergers in the 1990s is the most obvious example of its frequent bursts of energy – and lack of indigestion is illustrative of a risk discipline that Swick feels the firm has mastered.

“In 1993, we were a $10 billion institution. We did our first doubling transaction that year. We did our second when we moved into California in 1996. We did our third seven months later, taking us from $40 billion to $90 billion. And our fourth big deal took us to $160 billion, 15 months later. In the space of four years, we grew 16 times larger and we lived to tell about it.”

WaMu’s haste tripped it up on one deal. “We moved a little too fast on one acquisition in California,” says Swick. “As it turned out, we didn’t have people who were big enough to keep up with the acquisition in the wake of the transaction, and they got behind the curve.” The end result was an account reconciliation problem, which had to be rectified by a $10 million write-off – the firm’s largest loss on an operational risk issue, he says.

The secret of WaMu’s success with its M&A programme, Swick says, is “minute attention to detail”. As an example, the three-day ‘conversion weekends’ that accompany every deal, during which data from a new acquisition is migrated into WaMu’s systems, are scheduled on a minute-by-minute basis. “We have folks whose specific job is to worry about where we are on that schedule, and there are red alert procedures to make sure we take corrective action if we start slipping behind that schedule.”

Swick has been with WaMu since 1980, during which time he has been involved in the due diligence on every deal the company has made – there were 27 in the past decade. But his role encompasses more diverse assignments and he describes himself as a resource for CEO Kerry Killinger, CFO William Longbrake and others in the company to call on when something isn’t working as it should be.

Swick freely admits that he has to think about how to define his role, an issue that is part and parcel of WaMu’s drive to implement an enterprise-wide approach to risk. He is hiring Gregory Young, former global head of risk at insurance firm Aetna, to assume the title of first vice-president (a rung below Swick in the corporate hierarchy) and the responsibilities for managing WaMu’s corporate risk management unit.

“His responsibility initially will be to help build the corporate risk function, and then, when it becomes more routine, to maintain it, allowing me to continue working as a resource for the board,” says Swick.

Currently, his daily work can take him from ethical issues (this week, the company’s whistle-blower programme alerted him to an employee who had accepted gifts from a customer) to data security.

“We typically release our earnings at the end of the day, but at 11am yesterday we had to deal with a situation where one of the news agencies had our results and was prepared to publicise them early – unfortunately, they had gone up on our site prematurely. We had to deal with that in terms of the SEC and the New York Stock Exchange’s fears about the release of information, and advanced knowledge and that kind of thing. We had to worry about it from a public reputation standpoint, and from an information security standpoint.”

Two problems of a distinctly awkward nature have attracted recent attention at WaMu. Its move into the New York retail banking market through the planned purchase of Dime Savings Bank has raised the company’s media profile, simultaneously raising the stakes for its reputation.

“Even though we already operate in 45 states, we’re suddenly playing on a larger stage because we’re coming to New York, and that made us realise that, as hard as we’ve worked to build our brand elsewhere, that value could disappear in an instant, and that’s one of the things we’re addressing in-house,” Swick says.

In February, the bank was shaken in a different way entirely, as an earthquake of magnitude 6.8 hit the Northwest US, centring on the Seattle area. The 55-storey Washington Mutual Tower, the city’s third-largest skyscraper, escaped unscathed, as did most of the newer buildings. Still, says Swick, “it scared the bejeebers out of me”.

WaMu is no stranger to earthquakes. When the Northridge earthquake struck the West coast in 1994, it flattened one of the company’s two data centres. “A good portion of the company has knowledge of what it takes to come back from a quake like that – they were literally working outside on the parking lot, using folding tables and chairs in order to get the business running again.” Feeling the company’s headquarters shaken by Seattle’s quake this year, though, has prompted further planning. “I’ll be honest: we’re not where we need to be,” says Swick.

Drawing all of these strands together into a cohesive, procedural framework will take up to two years, Swick anticipates, but he says there is a general understanding that the path the company is taking will result in a stronger and potentially more profitable organisation. “It’s a value proposition,” he says. “I completely buy that idea, and although it’s going to take some time, there’s plenty of low-hanging fruit we can pick on the way.”