Risk culture can be a slippery concept that is hard to define. Even the Financial Stability Board, who provided the standard model for risk culture in 2014, noted no single definition of risk culture exists.
However, many definitions including those established by IIF, HSBC, RBC are broadly similar in that they agree that risk culture should be behavioural norms that relate specifically to the identification and management of risk. Risk culture should be seen as a subset of the overall culture of the organisation.
“the norms and traditions of behaviour of individuals and of groups within an organisation that determine the way in which they identify, understand, discuss, and act on the risks the organisation confronts and the risks it takes.” – International Institute of Finance (IIF) definition of risk culture
2008-2018 A Decade of Disorder
The watershed event- the 2008 global financial crisis, followed by a slew of post-crisis scandals and conduct risk failures from Libor to PPI prompted risk culture to become a focus for businesses and regulators in the years since.
There has been a tendency in the past to concentrate on the quantitative and more easily measured aspects to evidence the strength of risk culture- but this falls short
“Nobody is immune to conduct risk issues and the consensus is that an absence of a strong risk culture was at the heart of the financial crisis and conduct risk failures” – Enda Twomey, Risk and Governance Consultant
Identifying the source of the problem is the easy bit – a 2018 survey conducted by Risk.net suggests that despite risk culture being deemed as important, there are still widespread weaknesses in the way it is addressed.
The Benefits of a Vibrant Culture
With the increasing regulatory focus and heavy fines/penalties that can be incurred, a risk culture should be embedded in BAU. A compliance officer can never stop preaching about the value of a strong culture- it can preserve value and enhance performance in three ways:
- Strong Culture Reduces Instances
If employees have a deep appreciation of how their company defines risk culture and how it wants them to behave, there will be fewer instances of misconduct that trigger investigations, regulatory disclosures, or internal control audits.
- Strong Culture Keeps the Whole Together
Companies with a strong culture avert incidents that can damage corporate reputation. Mistakes and misconduct will still happen but companies with good risk culture can reduce disruption and keep the whole together. Shareholders are increasingly pricing the strength of company risk management into investment decisions.
- Strong Culture Mitigates Exposure
A strong risk culture helps mitigate exposures that come from increasingly complex operational practices (often enabled by technological advances) and the challenges of properly supervising them.
“Strengthening the risk culture of a company is neither easy nor fast but weak risk culture raises pointed questions about the robustness of operational practices and quality of company leadership”
Richard Smith-Bingham, Marsh & McLennan Advantage
What Does Good Risk Culture Look Like?
So, the ideal culture is one that sustains core values and enables proactive identification, understanding and action upon risk, thereby protecting clients and safeguarding shareholders. We know what it is but how do we get there and stay there?
The discipline is still in its immaturity and risk culture is notoriously hard to quantify. This is because of the qualitative and quantitative features of the discipline. There has been a tendency in the past to concentrate on the quantitative and more easily measured aspects to evidence the strength of risk culture- but this falls short. To truly understand the robustness of risk culture the ‘fluffier’ elements of behaviour, attitudes and psychology must be understood and married with the harder edges of traditional risk management.
“Measuring risk culture is notoriously hard. It is difficult to identify a meaningful metric to measure a specific behaviour. At best, metrics can identify risks and trends in behaviours.” –Kim Newell Chebator, Global Clients Division
The Financial Stability Board (2014) offers 4 indicators of sound risk culture:
- Tone from the Top
The board and senior management are the starting point for setting core values and expectations for a company’s risk culture. They must lead by example but also ensure that the culture is relevant and meaningful for all staff, and not an imposed ‘top down solution’.
Ensuring employees understand a company’s core values and approach to risk and are held accountable for their actions in relation to risk ownership and stewardship.
- Effective Communication and Challenge
Sound risk culture encourages transparency and open dialogue at all levels. Company’s must consider a range of views in decision-making processes; challenge current practices; and foster an environment of open and constructive engagement.
Using performance and talent management to reinforce desired risk management behaviour so individual performance is judged both on what is achieved and how.
Big risk culture metrics, such as financial ratios and risk appetite provide a view of an organisation as a whole, while small risk culture metrics such as incidents and limit breaches provide insight into how well risk culture is ingrained at the individual employee level. It is at this individual level where perhaps we may need to move beyond the indicator list provided and consider social and psychological implications. The concept of a ‘just culture’ (rather than a ‘blame culture’) borrowed from other industries such as medical professions and nuclear power, has proved instrumental in the development of risk culture in other areas and can easily be adopted as a framework.
Risk culture remains a developing area, constantly evolving as new models and tools emerge. Tightening or transforming the risk culture of a company is neither easy nor fast but 1RS can help you on your journey.