Banks all over the world – many of them hit recently by fines for a multitude of reasons concerning poor governance – are looking to change the culture within their organisations when it comes to risk. Without the right focus, however, only marginal improvements will be made.

The escalating fines and reputational damage from conduct breaches across many major banks globally, following on from the major losses in the global financial crisis, are driving regulators and bank boards to focus on how to change banking culture. An EY/Institute of International Finance survey on risk governance – Shifting focus: risk culture at the forefront of banking – shows that 50% of the global systemically important banks sampled have had operational events costing more than $500m in the past five years, driven significantly by weaknesses in controls.

Many banks are embarking on programmes to change their culture, but it is important that these programmes are well focused. The theme of my recently published book Risk Culture and Effective Risk Governance* is that many different strands must come together, from ‘hard’ risk management capabilities to ‘softer’ people frameworks, to change culture effectively, and that any approaches that are too narrowly focused are likely to fail.

Taken from the top

One important message from the book is that although focusing on formalised statements, structures and frameworks is essential for banks, it is not enough. Messages read into the behaviour of those at the top or middle of an organisation are more important in influencing the way others perceive the values than statements written on walls. If the senior management, when faced with stark choices, always chooses the option that will give the highest return, that will be seen as the overriding priority. Strong and consistent leadership at all levels is therefore essential.

Similarly, although compensation mechanisms that reflect risks and behaviour play an important role, they can be undermined by reactions within business units or by management to profit-making activities conducted in breach of internal rules. Making bonus reductions attendant on rule breaches automatic, as in red flag systems, would help, but it has to be recognised that reward comes in many forms, including local kudos. Communications and training need to focus on acceptable and non-acceptable behaviour, rather than just values, and the consequences of not meeting expectations need to be clearly set out. There is some evidence that the most effective training is case study based, where difficult situations are posed and individuals have to decide in groups how they would react.

Avoiding risk creep

Of course, not all risk culture failings are related to poor behaviour; the story in the run-up to the crisis was one of excessive and not fully assessed risk taking accumulating over time. One message here is the importance of a clear set of measures to prevent risk creep. This is the role of embedded risk appetite statements. In businesses such as banking or insurance, where the product is risk, there needs to be a clear view about how much risk can be taken and, within that, how much the board wants to see being taken.

But it is not enough for this to be set at the bank level and linked to strategy. It is essential it is cascaded down to risk appetites for individual businesses and set out in clear statements, limits and tolerances with clear accountability of the revenue earners. The need to achieve more effective ownership of risk in the frontline (not just a responsibility for not breaching limits) is leading to a reworking of the three lines of defence model in some banks. The regulatory requirement set out by the Financial Stability Board that non-financial risks such as conduct and compliance should be added to risk appetite creates real challenges but should ultimately enhance accountability.

Risk transparency is an essential facilitator of a strong risk culture. If the senior management does not know about the risks then risk culture mechanisms will be undermined. This means being open to bad news and ensuring it is passed up through the organisation as well as prioritising spending on essential mechanisms such as stress testing, systems and data. However, this is a two-way street: if the culture does not value risk information, the necessary budgets for risk systems and data will not be made available. Boards have an important role to play here.

The range of factors affecting risk culture, and the importance of behaviour at all levels in the organisation in both influencing and demonstrating culture, magnifies the challenges that firms face. But given the financial and reputational costs of risk culture failure, the industry has no choice. Weaknesses must be identified and addressed.

Patricia Jackson is advisor on bank risk governance and financial regulation at EY.

* Risk Culture and Effective Risk Governance. London: Risk Books
