Main Content

Understanding Risk Culture and its Challenges

Of the issues currently bedeviling financial services firms, risk culture is one of the foremost.

By Patricia Jackson

Of the issues currently bedeviling financial services firms, risk culture is one of the foremost. The buildup in risk exposures preceding the financial crisis forced boards and regulators to question weaknesses in risk governance. Since the crisis, the numerous cases of “bad behavior” in the banking industry, such as the Libor and forex manipulation scandals, have intensified focus on the broader concept of risk culture.

Janet Yellen, Chair of the Board of Governors of the Federal Reserve System, recently spoke of “excessive risk-taking which led to the crisis” and the compliance breakdowns that “undermine confidence in firms’ risk management and controls.” Together, these two aspects highlight the institutional challenges of managing risk culture. What causes failures in risk culture? What actions can strengthen it? This article will draw on examples from a range of industries to examine the overall nature of risk culture.

What Is Risk Culture?

The Financial Stability Board, which sets international standards for the financial services industry and provides advice for national regulators, released a paper, “Guidance on Supervisory Interaction with Financial Institutions on Risk Culture,” in 2014 that defined risk culture as “the norms, attitudes and behaviors related to risk awareness, risk taking and risk management.” The FSB considers risk culture effective when it promotes sound risk-taking, addresses emerging risks (beyond risk appetite), and ensures employees conduct business in a “legal and ethical manner.” The FSB paper highlights the importance of subcultures across the organization adhering to consistent high standards and values.

William Dudley, President of the Federal Reserve Bank of New York, in an October 2014 speech, “Enhancing Financial Stability by Improving Culture in the Financial services Industry,” made clear that improvement in the industry’s culture was an imperative. He wanted to see a cultural mindset of “what should I do, and not what can I do” – in other words, a shift from meeting the letter of the rules and the law to what was appropriate. He also asked whether the size and complexity of large financial institutions have made it harder for management to see large problems originating in small corners. This question puts the onus on the industry to demonstrate that risk culture can be effectively controlled across complex groups, which demands an understanding of the wider causes of failures in risk culture.

Causes of Risk Culture Failure

My book “Risk Culture and Effective Risk Governance” identifies a number of causes of failure in risk culture. Some relate to factors at a corporate level and some to individual behavior:

Lack of focus on known but unlikely risks – Failure to give sufficient weight to potential extreme events or poor outcomes was one of the characteristics in the run-up to the financial crisis. Stress tests were not sufficiently rigorous, and considerable anecdotal evidence suggests there was pushback when more severe tests were suggested. The pendulum has now swung in the direction of conservative risk assessment.

Trade-offs leading to too much risk – All organizations have to make trade-offs. Goals have to be set, whether it is to increase profits, reduce costs, or increase efficiency. The effect on risk must be fully recognized in order to avoid risk creep. A number of individually sensible decisions may be made, but the overall effect could be an excessive buildup in risk. This is true of all industries. A study of risk and safety culture failures across a range of industries found different physical causes but similar root causes: “mindless cost cutting, incentive schemes that divert attention away from safe operations and failure to see the safety implications of organizational changes.” (Hopkins, A. (2009). Preface, Learning from High Reliability Organizations) A clearly defined risk appetite, against which decisions can be measured and aggregate risk tested, is essential to counter these causes.

Failure of management to uncover risks – Senior management and boards may simply be unaware of the buildup in risk. Individuals who are lower in the organization may not have flagged the increased risk to senior management, perhaps because individuals decided that the risk is implausible. A good example is the structured investment vehicles (SIVs) used by international banks in London preceding the crisis. The pools in the off-balance-sheet vehicles contained illiquid higher-risk structured products, and they were funded through three-month commercial paper – but organizations removed the backup commercial paper lines to boost return. This decision was, in a number of cases, made at a fairly low level and not highlighted to senior management or boards because the risk that the commercial paper market would dry up was deemed implausible – even though the consequences for the bank’s liquidity or reputation might be very severe. Organizational complexity makes it harder to uncover risks and makes the processes and controls to do so even more important.

Risk containment not seen as a corporate priority by employees – Value statements from the board and senior management are important, but employees believe the actions of senior management, not the words. If management always chooses the path of greatest profit, then profit will be seen as the number one objective. A good example comes from the transport industry. In a study that discusses a Washington D.C. subway incident, Dov Zohar cites the finding of the National Transportation Safety Board that workers perceived moving trains on time as the highest priority, rather than safety, given the demonstrated priorities of the organization’s leadership.

Individual bad behavior – We must unbundle the factors that lead to detrimental behavior. In some cases corporate targets influence risky behavior. Improper sales practices, strongly influenced by sales targets at some banks, led to substantial costs and reputation damage for the industry. Clearly sales goals are important, but considerable effort also needs to go into assessing the behavior that the targets engender.

Avoiding “Cabbage Culture”

Cass Business School in the U.K. produced a 2014 report on the culture of British retail banking that cites a bank where sales targets for retail products had led to the creation of “cabbage culture.” To incentivize low-paid staff at the business unit level, each week individuals in a unit who had met their targets were given a cash bonus, while others who did not meet their sales targets were publicly given a cabbage. The sales-culture-driven incentive schemes in the industry were, in the view of U.K. regulators, “likely to drive people to mis-sell to meet targets.” There are examples across the global markets of inappropriate target-driven selling of products.

When businesses are under intense profit pressure such behavior is likely to worsen, in some cases because the business model is not wholly viable or in others because shareholders are seeking even higher returns. Mechanisms to monitor behavior and the buildup of risk are essential. Boards also need to question the targets set for different business lines.

Other types of bad behavior relate to individual bonuses or, in some cases, a desire to cover up mistakes. In the Barings Bank case, a loss triggered the trader’s actions to cover it up. Incentives need to be viewed holistically. Dudley cites the comment made by James O’Toole and Warren Bennis in the Harvard Business Review that “ethical problems in organizations originate not with a few bad apples but with the barrel makers.” This does not mean that everyone in the firm is engaging in bad behavior but that the pockets of poor behavior may be a manifestation of aspects of the firm’s wider culture. In this case, as Dudley suggests, “the solution needs to originate from within the firms.”

Regulators have put considerable emphasis on risk-compatible monetary incentives and on reinforcing risk culture throughout an employee’s career path. Dudley points to the need for a comprehensive approach to improving risk culture encompassing recruitment, onboarding, career development, performance reviews, pay, and promotion. Ensuring that promotion and pay reflect wider cultural values is the first step.

Yet pay and promotion are only part of the story. Research by Mark Paradies shows that individuals may be rewarded in a range of non-monetary ways. He finds that monetary reward is one driver of behavior, and saving time is another, but the way an individual’s colleagues react is critical. Immediate local status from breaching the rules and making a profit will outweigh an uncertain negative effect on a bonus. Nuclear power companies have focused on developing a “call out” culture, where an individual’s colleagues will immediately react negatively if he or she breaks rules. The financial services industry lags far behind this level of risk culture. It may well be the case that some cases of poor behavior, like forex manipulation, were more about impressing the peer group than anything else. In the forex case the peer group seems to have been cross firm but in other cases the peer group encouraging the activity might be within the business unit.

The complex range of possible drivers of bad behavior make it very important that firms find a way of identifying business units with a negative sub culture so that the causes for it can be explored. The development of red-flag indicators of whether different business units are “sailing close to the wind” – for example, not training their people, breaching controls, pushing back against compliance – is essential for firms. Management can then assess the drivers of behavior in the highlighted business units.

Firms also need to consider their wider policies and how they influence loyalty. Employees who identify with the firm are probably more likely to give greater weight to possible reputation damage to the firm from their actions. In 100 interviews with participants in the financial services sector, Joris Luyendijk finds lack of loyalty to be influenced by the readiness with which firms sacked employees. Luyendijk suggests that under these circumstances, and given the combination of huge rewards, minimal punishments, and an opaque environment, it was rational to seek short-term gain and avoid reporting the misdeeds of others. On a similar note, Elizabeth Sheedy and Barbara Griffin of Macquarie University, assessing risk culture across 113 business units in three major banks, found that staffers with longer tenure were more likely to display desirable risk-related behavior.

Accountability and Risk Appetite

In an industry where reactions and behavior of colleagues can reinforce or encourage either good or bad behavior, accountability of senior business leaders and middle management for all risks warrants attention. Currently with the “three lines of defense” model, the second-line functions have come to be seen as responsible for risks taken. This is despite the fact that notionally at least the front office is accountable for risk related to their activities at most firms. In practice, when serious cases arise, the head of risk management or the head of compliance is often the one who is forced out, along with junior front-office staff. The FSB and national regulators, including the Office of the Comptroller of the Currency, have made it clear that they want to see the front office and supporting frontline units owning the full risk profile, including nonfinancial risks.

If accountability clearly sits with the heads of the business lines, they can cascade that down the frontline through the chain of command of individuals who can award status to individuals in the business units. However, for this to be successful, the accountabilities and the expected behavior need to be clear. General statements are not sufficient, nor are very broad requirements – for example holding an individual responsible for 7,000 end-to-end controls. An important element of accountability is a clear risk appetite embedded into the business lines. The FSB is looking for risk appetite statements that create a common language across financial risk types to enable them to be compared, aggregated, and embedded in business line decisions. The common language increasingly used for financial risk, is a measure of forward loss in extreme environments. The 2014 EY/Institute of International Finance survey on risk governance showed that 76 percent of banks use a forward loss metric (stress test results, loss in extreme events, or earnings at risk) as a core risk appetite metric at the group level. Limit structures and wider controls can then be tested to ensure they will keep risks within risk appetite – rather than being the risk appetite themselves.

In terms of financial risk, if the risk appetite has clearly set out the amount of forward loss that the firm is willing to incur in an extreme environment, then a portion can be cascaded down to the heads of the business lines and below. Clearly, various questions need to be answered en route – for example, what and whether correlations should be considered and the definitions of a severe environment and forward loss – but these are tractable problems. The heads of the business lines can be held to account for the forward loss projections for their area of responsibility under the stress testing. The business lines would ensure that the controls were effective enough to deliver risks no greater than the expressed appetite of the board and that the strategy was consistent with risk appetite.

Nonfinancial risks could be treated in a similar way by allocating a total operational loss figure to a business line, although this would probably not go far enough to change behavior. Instead, for areas of critical importance to the firm, clear responsibilities should be spelled out. For example, in the case of market manipulation, the heads of the trading lines – forex, fixed income, equities, etc. – could be given two responsibilities: first, to ensure that an assessment had been carried out to see if their markets could be manipulated, and second, in light of the first, to assess whether controls were adequate. In other words, assess the risks, then look at controls. This makes clear the actions that the business line heads need to drive.

Greater accountability for the front line should not be seen as weakening the role of the second-line functions. Risk management needs to look at whether the control structures and limits in place will match the risk appetite. The risk appetite provides the benchmark against which the  risk management framework must be tested – is the framework strong enough to keep overall risk within risk appetite?

Risk Management, Compliance, and Transparency

Financial firms can try to influence corporate behavior directly by establishing values and translating those into acceptable and unacceptable behavior. However, other processes and mechanisms influence risk taking behavior to a significant extent, as illustrated in the diagram of the risk culture framework.  

Sheedy and Griffin find that “good risk structures (policies, controls, IT systems, training, remuneration systems) appeared to support strong culture and ultimately less undesirable risk related behavior.” The strength and responsiveness of risk management processes in effect demonstrate the importance placed on risk culture alongside the linking of financial reward to risk. Without effective risk governance processes, it’s not possible to link financial reward to risks taken, rather than simply to losses incurred.

Essentially, the role of banking and insurance products is to take on and manage risks from the nonfinancial sector. Business heads need to be comfortable with risk-taking (in contrast to other industries, risk takers cannot be sifted out at the hiring stage), and that makes the risk governance processes surrounding the risk taking central. Controls need to ensure that risks taken are commensurate with the risk appetite set by each organization’s board.

Risk transparency must play a central role. If senior management and the board of directors cannot see risks building up in the firm, and in different business lines, or cannot see where behavior is moving away from the desired profile, then the culture cannot be proactive. That means management cannot act to mitigate risks, which in turn may lead individual employees to believe that the risk culture is not taken seriously.

One of the major shifts in banking over the past 20 years has been the development of consistent frameworks and metrics for measuring financial risks. They have not worked perfectly; indeed, risks were not fully perceived in the run-up to the crisis. But there is a common language and reporting of risk that makes it possible for senior management and the board to see trends. The same is not true of nonfinancial risks, and this needs to change. Rather than just viewing compliance from the legal standpoint of whether regulatory requirements and laws are being met or just looking at it from a simple control standpoint (as in, is there a risk, and is there a control), new indicators need to be built to show if intrinsic risk is rising. Better risk frameworks are needed to enable business lines to analyze nonfinancial risk. In the run-up to the crisis, products sold to investors became steadily more complex with the use of structured products, but this did not show up in metrics at the top of the banks.

Product approval processes have been enhanced across the industry with escalation to senior committees if products have higher-risk features. But this is not the same as building bank-wide metrics to show if, in general, product risk is rising. Banks are starting to fill this gap. Some are designing scorecards for misselling risk to track whether complexity and opacity in products are increasing. These scorecards could form the basis of a common framework for assessing the risk across a business line and across the bank, which could then be reported to senior management and the board. Scorecards could also be used for other risks. Markets and types of transaction could be scored for money laundering risk, not as a replacement for the careful screening of individual customers but as a way to supplement it.

Knowledge of increasing intrinsic risk would lead to greater intensity of compliance focus and also more effective reporting to senior management and the board.

This knowledge will require a different mindset and investment. Darren Smith and Andrew Cross, in “The importance of Data and IT for a strong Risk Culture,” (in Risk Culture and Effective Risk Governance) make the point that risk culture shapes the demand for information in a bank and the overall priority given to it. The second-line functions, risk management and compliance, have to compete with the front line for scarce resources. If greater risk transparency is not seen as important, the investment will not be made.

Taking the Industry Forward

To strengthen risk culture, the industry needs to learn from its failures. Some of the problems may be about isolated “bad apples,” but others may also reflect firm-wide incentive structures and the broader risk governance environment. For example, pressure to achieve revenue targets may translate into product selling abuses; although all firms need to use targets, the effect on sales behavior needs to be scrutinized. A “hire-and-fire culture” in some parts of the industry may have engendered loyalty to the individual’s peer group rather than to the firm. This may have led individuals in a firm to pay too little attention to the possible reputation damage to their employer from their actions.

The industry needs to recognize that individuals receive significant reward not just from pay and bonuses but also from reactions within their peer group. Firms need to do more to identify units with borderline cultures and understand their subcultures, such as how individuals within a business unit react if controls are breached or other bad behavior occurs. Firm-wide surveys will not provide evidence on granular behavior of this kind; other mechanisms such as focus groups will.

The quality of risk governance is central to engendering appropriate behavior. Yes, individuals in the business lines need to be accountable for financial and nonfinancial risks, but for this to be effective clarity over what individuals are accountable for, both in terms of areas of responsibility and the acceptable magnitude of risk, is essential. An embedded risk appetite should also focus on the potential for loss or other negative outcomes in the future, not just backward-looking events.

Transparency in the nonfinancial risk space underpins effective risk governance and requires the development of new and better techniques to monitor increases in intrinsic risks in order to focus compliance efforts or change the business model as needed. There is currently a stark difference between the common frameworks across organizations for measuring and reporting financial risks on the one hand, and the legalistic approach to some nonfinancial risks on the other.

In closing, it has become an industry imperative that boards and senior management have reviewed risk culture thoroughly, defined the desired behavior, and put in place the right mechanisms to achieve lasting change. 

The views in this article are those of the author and not necessarily those of Ernst & Young LLP or any other member firm in the global EY organization.