Risk culture as a major element of modern risk management
In the first BankingHub article about risk culture, we referred to the incremental consideration of risk culture as a significant element of modern risk management. The key messages can be summarized as follows
- The last financial market crisis has shown that quantitative risk models must be expanded to include qualitative aspects in order to ensure comprehensive risk management
- Qualitative aspects generally manifest in the risk culture of a company, based on the behavior of its employees
- Thereby, the risk culture of a company can be tailored depending on the respective business model, risk appetite and the organizational structure
- Additionally, the topic has also already been addressed by regulators and will gradually be integrated into audit practice (FSB guideline, SREP guideline)
Risk culture is a crucial factor when it comes to the daily business of handling various risks, especially in the financial industry. The long-term success of a team can only be ensured if the team is aware of potential risks and considers the effect of their actions and decisions in accordance with corporate values. Good risk culture therefore not only supports fulfilling regulatory requirements, but has another much more significant objective, given market transparency for financial service providers: gaining a competitive edge.
When trying to highlight these potential benefits, the following questions arise:
- What constitutes “good risk culture”?
- Which factors determine risk culture?
- How “good” is the risk culture in my company?
- And how can risk culture be influenced or changed?
What constitutes “good risk culture”?
Risk culture is multifaceted and affects all functional levels of a bank. Throughout the course of this article, we will shed light on the four main components of the topic: i) Tone from the Top ii) Effective Communication and Challenge iii) Accountability and iv) Incentives.
In a first step, senior management — the tone from the top — is the pivotal element, when it comes to acting as a role model. The management level of an institution not only defines the respective risk appetite, but also defines the measures to ensure a certain risk capacity isn`t exceeded. Additionally they must design an incentive structure that encourages employees to comply with relevant targets and guidelines. Especially consistency of senior management actions when dealing with the rules of the respective institution is a decisive factor; simply communicating the desired values is not enough.
Effective communication and challenge within the organization constitutes the second cornerstone of effective risk culture. Primarily it is important to facilitate communication between all staff members at eye level. This does not necessarily mean that a company must endorse flat hierarchies in order to implement effective risk culture; it simply means that individuals—regardless of their functional level—should not be afraid to give their opinion or speak their mind about the actions of others or about specific processes. The result is a corporate culture that promotes lateral thinking, appreciates feedback and welcomes challenge.
This inevitably leads to each employee taking responsibility for the consequences of their actions. Individuals can only reinforce their position in the company and sustainably contribute to the bank`s risk culture and thus the success of the company, by gaining comprehensive understanding of the company’s values and via strict identification with these values.
Finally, the incentives for each individual play a major role in a company`s risk culture profile. The organization faces the challenge of striking a balance between risk awareness and profitability. In order to implement sustainable risk culture, however, the desired increase in risk awareness needs to be taken into account, when motivating employees. Rather than trying to penalize misbehavior as a form of negative incentive, the objective must be to influence employees` actions through positive reinforcement of desired, risk-appropriate behavior.
Which factors determine risk culture?
When talking about the main components of “good risk culture” as described above, it becomes apparent that risk culture cannot be controlled or steered by adhering to classic risk management methods; quantitative models and limit frameworks play a subordinate role. The determining factors of an organizations risk culture include clearly defined processes, transparent codes of conduct and values and especially the associated behavior of staff.
This means that the desired conduct regarding risk-appropriate behavior must first be anchored in the organization’s governance framework. Therefore, appropriate guidelines, processes, functions and systems must be implemented and existing framework conditions must be evaluated regarding conformity to the desired risk culture.
The bigger challenge, however, is ensuring that the risk-appropriate framework conditions are integrated into daily business. Guidelines and processes that only exist on paper and are not followed are just as obsolete as functions and systems that do not support the desired conduct. Examples include audit functions that only relate to risk aversion, or incentive programs that are not focused on risk sensitivity and sustainable contributions to corporate success. At the same time, it must be ensured that the desired risk culture is also adequately communicated within the organization. Consequently senior management must ensure that its messages regarding risk culture are properly received throughout the bank and not diluted or even misunderstood.
How “good” is the risk culture in my company?
The Board of Directors must be able to answer the key question regarding the status quo of risk culture, not only within their respective organization, but also to satisfy the requirements of supervisory authorities. There are two general indicators that need to be addressed:
- How is risk culture anchored in the governance framework?
- How is risk culture adhered to in the organization?
Question A can generally be answered by analyzing the existing risk governance framework with a (special) focus on risk culture. First and foremost, (minimum) regulatory requirements must be met. However, modern risk culture exceeds these minimum requirements and focuses on best practice approaches in order to realize the competitive advantage mentioned at the beginning of the article.
A different approach needs to be selected to answer question B, which relates to “soft facts”, such as, behavior-related aspects. An analysis of the perceived risk culture thus requires feedback directly from the source of an organization´s culture, the people, which can be obtained via staff surveys. These can be conducted either online or in dialog situations, either way confidentiality is key.
For this purpose, zeb has developed a comprehensive risk.culture.assessment.tool (zeb.RCAT). The tool leverages best practice approaches and benchmarks from a variety of projects in the areas of risk management and human capital management. A structured approach is taken in which the various aspects of risk culture are analyzed and transferred into a numerically harmonized assessment ranging from 1 to 5.
This harmonized assessment facilitates the aggregation of results along the described main components of risk culture, separated into “hard facts” (question A) and “soft facts” (question B).
The derived key risk culture indicators (KRCIs; see Figure 4) enable,
- benchmarking the organizations status quo both against the target picture and against regulatory requirements or best-in-class implementations (diagram area)
- a comparison of the status quo for each factor in the governance framework compared to the risk culture perceived in the organization (diagram areas in columns 1 to 4)
- an evaluation of the total score related to the degree of implementation in the risk governance framework and in daily business (diagram area in column 5 “Total”)
After linking analysis results and questions to the main components, a drill down can be conducted to find and analyze detailed information about the respective KRCIs. The findings then reveal possible deficits of the current risk culture which can subsequently be improved through suitable optimization measures.
How can risk culture be influenced or changed?
While improving a company`s risk culture or during any cultural change, it is important that the management board fully commits themselves and the company to the planned changes.
Companies have a number of measures available to choose from for actual implementation. We therefore distinguish between ad hoc / one-off measures, which can be implemented quickly and primarily contribute to better understanding or reinforcement of risk awareness (e.g. various training measures), and long-term measures, which are not only determined by their time line, but also by their contribution to the long-term implementation of risk culture (e.g. anchoring the expected conduct in guidelines and policies or establishing evaluation and control processes). Finally, there are ways to validate the effectiveness of certain measures, for example desired behavioral patterns can be checked or tested through specific case studies.
The following factors should receive special attention when defining a measure catalog:
- Completeness: The catalog should not only be focused on areas in which the bank has known deficiencies, but should also reinforce and expand on existing strengths.
- Adequacy: Measures need to be appropriate to the company and its staff. Risk culture and its enhancement is an evolving process during which the company will gradually gain new experience and will need to constantly question and revise its measure catalog
- Flexibility: if certain measures are proven to be more effective than others, then the measure catalog should be adjusted accordingly.
Once the measure catalogue has been defined, the next step is the development of an implementation plan. This plan should contain an appropriate mix of ad hoc, medium- and long-term measures. However, one must keep in mind that cultural change takes time.
Finally, the company should commit to regularly checking and recording the progress of their cultural change. The risk culture assessment described above offers insight into the respective status quo of the company. This can be subsequently used to define a measure catalog and create an implementation plan. Regular assessments are the most effective way to guide and influence cultural change towards the objective of sustainable risk culture.
The early adopters of the banking industry, the evolving audit practices of the ECB as well as the anchoring of risk culture in the SREP guidelines have shown that the topic of risk culture is continuously gaining significance. Extensive initiatives in some of Europe’s largest banks are currently already underway. zeb has highlighted and operationalized the core challenges of the risk culture topic. Through targeted analysis of hard and soft facts, banks can evaluate the status quo of their own risk culture and implement an individually designed target picture. However, banks will only be able to sustainably contribute to their own brand formation by regularly reviewing—using the RCAT tool described above—and constantly improving cultural aspects, subsequently enabling them to achieve the decisive competitive edge in an increasingly transparent market.