Derek Johnston has spent 35 years in financial services, the majority of them in risk management across all three lines of defence, at organisations ranging from large banks to Scottish Building Society, the world’s oldest remaining building society, founded in 1848. His view of the CRO role is clear: the job isn’t to say no. It’s to say yes, but.
In a recent conversation with Claire Rees, Financial Crime Regulatory Specialist at ThirdEye, Johnston shared what he’s learned about navigating regulatory change, building partnerships that actually work, and preparing for threats that keep evolving.
Different structure, same fundamental challenges
Scottish Building Society is the only building society headquartered in Scotland, serving members across the UK with mortgages and savings products. When Johnston moved from a large bank to a mutual, the pressures shifted, but not as much as you might expect.
“You don’t have the pressure of shareholders and working in a big PLC, but you still have members to serve. You’ve still got to run a business as efficiently as you can, you’ve still got the risks to consider, and you’ve still got to potentially make a profit,” he explains. “So, you can return that money to members, and then you can invest in the Society to make sure that it remains relevant.”
Building a risk-aware culture
The implementation of Consumer Duty showed Johnston’s approach to building a risk-aware culture in action. Rather than treating it as a compliance exercise that everyone else had to tolerate, his team made sure business heads and senior management were involved from the start.
“We led it and made sure we met the deadline and the requirements. We linked in with externals and made sure that what we were doing wasn’t too much and it was proportionate to our size, but really putting the onus on the senior leaders within the Society to make sure that they had that responsibility and accountability.”
The shift stuck. “When we talk about Consumer Duty, I can hear them talking about things they’re doing, and they reference the duty, and they reference the requirements.”
This cultural shift extends beyond senior leadership. Johnston’s team has invested in upskilling frontline staff to recognise and prevent authorised push payment (APP) fraud, equipping them to act as the first line of defence.
One relationship centre manager exemplified this when a member requested to move a substantial sum. Through thoughtful questioning, the manager verified the transaction’s legitimacy while demonstrating genuine care for the customer’s financial safety.
The member returned the following day with flowers. “I reflected on our conversation and I’m really appreciative of how you are protecting me and protecting my money,” they said.
Cyber, fraud, and the AI dimension
The persistent threats remain cyber and fraud, now complicated by artificial intelligence. “You’ve now got good AI and not so good AI, which again adds that new dimension into the cyber threat that we all face,” Johnston notes.
The society’s business model provides some inherent protection. They don’t offer current accounts or unsecured loans that might attract fraudsters, and their closed-loop system means customer money comes into accounts and leaves back to the same account. But they still see attempts by fraudsters to establish a foothold, making robust controls and intelligence-sharing essential.
Collaboration over competition
When Consumer Duty required an annual board assessment, the building society sector needed a template. Rather than each institution developing its own approach, Johnston and his peers at the Building Societies Association worked together.
“We were asking the question, and it was a case of ‘great idea, would you mind leading on it?’ And we said, well, we can lead, or at least could we get a few of us together and do a bit of collaboration and start to work up some ideas.”
The result was a standardised pro forma that the sector adopted.
Johnston applies similar collaborative thinking to supplier relationships. “What we look to if we’re engaging with a supplier is, they typically have engagement with other societies or other institutions. So, we’re not asking for secrets, we’re just asking for the insight and understanding of what others are doing.”
AI with a clear purpose
Scottish Building Society is working with a local AI company to analyse customer call transcripts over a 12-month period, identifying reasons for calling, customer sentiment, levels of frustration, and staff interactions.
Johnston sees multiple potential benefits from the AI analysis. The insights could inform Consumer Duty compliance, identify staff training needs, or reveal whether business processes need adjustment based on what customers are actually saying during calls.
The project also tests whether the Society can work effectively with an AI company while managing data privacy and security concerns.
The Society already captures standard metrics like call volumes, call duration, and how long customers wait before speaking to someone. But as Johnston explains, “now we’re going to lift the lid and see what’s actually said in the middle.”
Johnston acknowledged the temptation to apply AI everywhere but stressed the importance of thoughtful project selection. “We’ve just got to be very thoughtful about the projects we engage on, the money we spend, and just to make sure that there is a real return on that investment.”
The data integration problem
Asked what he’d fix with a magic wand, Johnston pointed to data integration. The society uses multiple systems: a governance, risk and compliance platform, ThirdEye for financial crime monitoring alongside other fraud-defence systems, and a variety of other tools. Each contains valuable risk data, but pulling it together takes effort.
“If I could wave a wand, it would be, how can we pull all that data together so that we’re getting real, real-time insights? What’s the profile going up, down? Is there anything that we would do differently?”
The information exists. Condensing it into something usable remains the challenge.
What the modern CRO role demands
Johnston’s view of essential CRO capabilities goes beyond technical knowledge. He emphasised patience, resilience, and a growth mindset. “You don’t know everything. So learning, continually learning.”
The role demands breadth across credit risk, financial risk, operational risk, compliance, conduct, and regulation. He referred to an article he recently read that suggested a CRO needs to be “a strategist, a technologist, a regulatory whisperer, an ethics guardian, a people leader, a teacher.”
Equally important: consistency. “You don’t overreact, you don’t try and gold plate things.” This includes knowing when good enough is genuinely good enough.
And risk needs a seat at the table from the start. “Where does the business want to go? And we’re engaged in those conversations so that we can offer up an opinion or some insight at the outset rather than being brought in at the 11th hour.”
Advice for aspiring CROs
For those considering the role, Johnston offered practical guidance.
Understand the culture you’re entering. “Are you going into a culture where they recognise the importance of managing risk and they see it as everyone’s job rather than just being the CRO’s job?”
Assess the team. “Do you have that capability, and do you have the quality and the skills both for now and in the future? Because if you’re going into a team that is under-resourced or they don’t have those skills and capabilities, you are going to be facing a fairly big uphill challenge.”
Understand the industry and its specific risks. “In this role, there’s an expectation that you know stuff and you can do the job from day one. Identify the gaps and train up.”
And think about legacy. “Part of my job is to try and build a legacy or a succession for who comes in after me. Can that be homegrown? Can I recruit somebody and have people in my team who are CROs of the future?”
