Risk Culture

From Open Risk Manual

Definition

Risk Culture denotes the combined set of Corporate Values, norms, attitudes, competencies and behavior related to risk awareness (perception of risk) and risk taking (active business decisions) that determine a firm’s commitment to and style of Risk Management.

Risk culture influences the decisions of management and employees during day-to-day activities and has an impact on the risks they assume. It is strongly related to Operational Risk and Compliance Risk and can be considered a Key Risk Indicator for such risks.

Risk culture is an attribute and indicator of the human capital of the firm.

Importance of risk culture

The notion of "Risk Culture" came to prominence after unprecedented fines in the financial industry in diverse business lines (mis-selling of products, manipulation of market benchmark rates, etc.), but it is central to the sound and sustainable management of any firm that routinely takes calculated risks as part of its business model.

The risk culture of an organization is likely to:

  • Determine the degree to which organizational policies are internalized by staff and exhibited in day-to-day behavior.
  • Determine staff response to threats or situations that fall outside well-prescribed operating guidelines.
  • Influence the firm's reputation with regulators, clients and the broader market.


The last point is important because a good reputation is both a "license to operate" and a "visiting card"; it therefore directly influences the ability of a firm to operate and the value of the firm. Depending on the size of the firm, it may also have an impact on its funding costs, as a poor risk culture increases the risks to external investors and they may not be able to effectively diversify that risk.

Some risk culture pathologies

It is useful to sketch a range of "unsound" risk cultures as a means to identify relevant failure points, because risk culture can be pathological in a variety of different ways.

  • Possibly the most extreme pathology is an active rejection culture, e.g., rejection of internal or external risk control guidelines and expectations as irrelevant or inconvenient. The senior management of the firm may either be distracted or tacitly endorse this attitude.
  • A pathology linked to weak firms with wider performance problems is an under-performance culture. This is linked to ignorance or incomplete understanding of internal or external guidelines and/or expectations due to lack of focus and deficiencies in governance, risk management personnel, systems, etc. There is an unspoken assumption that obscurity, small size or other factors mitigate the lack of proactive risk management.
  • In some cultures there may be a tendency towards a formal (appearance-oriented) compliance culture. The focus shifts to "letter of the law" compliance and there is indifference towards the "spirit of the law". This can range from a "minimum requirements" compliance attitude to "hyper-compliance", where every requirement is meticulously met but not really internalized.
  • A culture of fear. This would concern an overly authoritarian culture where instinctive disagreement of staff is suppressed. Essentially all responsibility for risk management rests with the senior ranks.
  • An overconfident culture. This is more of a secondary pathology. High-performing firms with good knowledge of internal and external guidelines and expectations may make the conscious decision to operate at the margin of safety.

Some underlying factors

As usual, a good start for an analytic approach is to categorize these different culture manifestations along the dimensions of ability and willingness of an individual / unit to understand and operate following explicit and implicit norms and guidelines around risk management.

Unwillingness to risk manage: Short-termism

Short-termism may be a contributing factor to a variety of the above-mentioned pathologies (e.g., rejection of risk culture, overconfidence). With a short-term horizon, individuals (or whole units) may make a (possibly rational) re-evaluation of their risk buffers for a given risk tolerance and decide to magnify gains.

Unwillingness to risk manage: Penalties or lack of reward

Skilled personnel with an intrinsically sound risk culture may opt to stay on the sidelines because acting on their views may lead to penalties or simply be ignored. A minimum requirements culture is then seen as a safe haven.

Inability to risk manage: Lack of sufficient definition

This is the famous "tone from the top" (or lack thereof). Staff are not clear as to what the expectation around risk management is because it is not clearly defined and/or communicated by senior executives.

Inability to risk manage: Lack of skill / knowledge

This can be a significant factor for both senior and junior personnel. For example, a formal compliance culture may become established in units where individuals are primarily concerned with not being seen as non-compliant, as they do not have the conviction of their own views around risk management. This may lead to a checklist approach, which serves at the same time as an educational device.

Issues and Challenges

  • It can be an extremely sensitive issue internally, as it concerns judgments of the ethical and competency levels of staff at all levels of the organization
  • It is a soft concept and defined primarily in relative terms
  • It has become a major agenda item only recently, and there is thus relatively less focus on and experience with a systematic approach
  • Financial services / banking include a very wide variety of business lines and a uniform approach to defining and understanding risk culture might not be feasible
