How To Improve Risk Culture

From Open Risk Manual

How to improve risk culture

The task of improving Risk Culture is not dissimilar to other internal programs of change where the organization needs (in broad terms) to:

  • identify its current state, especially along the dimensions of ability and willingness to manage risk
  • decide on its desired state
  • chart a process for migrating between the two, and
  • ensure it stays sustainably in the final, desired state

Step 1: Evaluation of risk culture

  • Assessment of firm-wide factors (presence and quality of firm-wide governance, quality of communications)
  • Assessment of homogeneous business (sub)units for their ability and willingness to manage risk. This assessment could be made, e.g., with reference to internal / external benchmarks that take geography and business line into account, so as to avoid unreasonable comparisons and expectations. E.g., firms operating in societies with stronger adherence to hierarchy are less likely to be able to instill behaviors where subordinates challenge senior managers, and globally there is enormous variation in related norms and behaviors.
  • Methodology. This can follow common mechanisms for compiling Key Risk Indicators (KRI). The methodology must crystallize a set of risk culture factors that are considered important for the particular business line. Some factors may be global across business lines. Similar to other KRIs, the methodology should have a sufficient objective / empirical basis:
    • Expert Scoring: Self-assessment, manager assessment, peer review, external independent evaluation
    • Empirical: Track record, incident count, near-misses

Step 2: Deciding on a desired state (Setting the tone at the top)

Setting the tone at the top is an important tool for avoiding a number of pathological cultures. Defining the desired state is part of the overall corporate values / risk appetite statement of the firm and the responsibility of the board (from the BIS document):

  • Setting and adhering to corporate values for itself, senior management and other employees that create expectations that all business should be conducted in a legal and ethical manner.
  • Promoting risk awareness within a strong risk culture, conveying the board’s expectation that it does not support excessive risk taking and that all employees are responsible for helping ensure that the bank operates within the agreed risk appetite and risk limits.
  • Ensuring that appropriate steps are taken to communicate throughout the bank the corporate values, professional standards or codes of conduct it sets, together with supporting policies; and ensuring that employees, including senior management, are aware that appropriate disciplinary or other actions will follow unacceptable behaviors and transgressions.

Factors to consider in formulating that target state:

  • Current condition and urgency of change
  • Norms and expectations in the geography and market where the unit operates
  • Granularity of definition and ability to objectively demonstrate progress towards desired state
  • Feasibility, benefits and risks of specifying overly ambitious targets

Formulating a Code of Conduct

A code of conduct is a typical tool to assist members of an organization / collective in avoiding misunderstandings as to what is acceptable, especially around "soft" areas that cannot be hard-coded in numerical frameworks.

(From BIS document)

A firm's code of conduct or code of ethics, or comparable policy, should define acceptable and unacceptable behaviors.

While the code of conduct should explicitly disallow improper or illegal activity, such as financial misreporting, money laundering, fraud, anti-competitive practices, bribery and corruption, or the violation of consumer rights, it should make clear that employees are expected to conduct themselves ethically in addition to complying with laws, regulations and company policies.

Communication channels for escalation

Ensuring there is sufficient bi-directional communication in firms organized around command and control prevents culture-of-fear situations, i.e., where the risk culture of the firm is lopsided and junior staff are uneasy with behaviors exhibited by senior staff.

(From BIS Document)

  • Employees should be encouraged and able to communicate, confidentially and without the risk of reprisal, legitimate concerns about illegal, unethical or questionable practices. This can be facilitated through a well communicated policy and adequate procedures and processes, consistent with national law, which allow employees to communicate material and bona-fide concerns and observations of any violations in a confidential way (e.g., whistle blower policy). This includes communicating material concerns to the bank’s supervisor.
  • There should be direct or indirect communications to the board (e.g., through an independent audit or Compliance process or through an ombudsman independent of the internal “chain of command”).
  • The board should determine how and by whom legitimate concerns shall be investigated and addressed by an objective independent internal or external body, senior management and/or the board itself.

Steps 3 and 4: Migrating to, and holding on to, the desired state

The migration process is similar to the implementation of other operational risk management processes. There are a variety of tools; their relative importance depends on the current situation and the distance to travel.

  • Communication of the desired state (Tone From The Top)
  • Communications that reward acceptable behavior / stigmatize unacceptable behavior
  • Implementation of internal processes that produce systematic and persistent effects on risk culture, e.g.,
    • Inclusion of related provisions in staff objectives and incentives that reward staff who exhibit desirable behavior
    • Inclusion of related provisions in the hiring / promotion criteria that favor candidates who exhibit the desired risk culture