In this article, our Risk Consulting team examine the topic of risk culture, with a focus on the steps firms can take to strengthen their position in response to the latest regulatory requirements.

Shortcomings in the management and monitoring of risk culture have been a central factor in a series of recent incidents in the banking sector. The significant financial and reputational damage caused has led to heightened levels of public and regulatory scrutiny.

As the European Central Bank demands further improvements, this is an opportune moment for firms to assess their current position and commit to strengthening their governance and culture processes. It is imperative that a robust risk culture is embedded that strikes a balance between alignment of strategic objectives and effective integration.

Regulatory landscape

The European Central Bank – Focus on risk culture

The ‘Draft guide on governance and risk culture’ published in July by the European Central Bank (ECB) emphasised that effective governance and a robust risk culture are not merely niceties: they are necessities. The ECB invited feedback on this draft, and the public consultation period closed on October 16th, with the final guidance to be published thereafter.

The draft guidelines

The ECB stated that the level of progress that has been made to date by financial institutions has “generally not been sufficient”. This is a stark reminder that, despite the improvements that firms have already implemented (such as increased experience at board level and the successful adoption of risk appetite frameworks), the standards expected of banks will continue to rise.

The draft guide highlighted the following key areas of focus:

  • The link between governance and behavioural and cultural patterns.
  • The development and implementation of effective internal control functions.
  • The role and structure of management bodies.
  • Good practices for risk appetite frameworks.

Regulatory scrutiny and investigations

The draft guidance issued by the ECB is the latest sign of regulatory intervention in this area. In February, the CBI highlighted the need to address deficiencies in governance, risk management and control frameworks as a key supervisory priority, while also stressing that firms must consider these issues in a holistic way.

In the UK, the FCA used the s166 power to conduct 83 ‘skilled person reviews’, including investigations into the adequacy of controls and risk management frameworks. As the ECB highlight risk culture as a growing priority, this investigative authority may be used to conduct detailed examinations of risk culture practices and procedures.

Firms must be prepared to demonstrate and evidence their adherence to risk culture standards, or risk facing the consequences of a failure to meet these regulatory expectations.

Strengthening your risk culture

Rising levels of public and regulatory scrutiny and the constantly expanding landscape of new risks that firms must prepare for are both examples of ‘push factors’. These are influences that drive companies to bolster their existing risk culture.

However, also consider the benefits that can be derived from developing and implementing a more robust risk culture within your organisation. These include:

  • Reduced fraud and integrity risk
  • Enhanced public reputation
  • Improved regulatory compliance
  • Promotes further innovation
  • Increased financial performance

ECB key risk culture dimensions

The draft guidance issued by the ECB identified four key risk culture dimensions, all of which must be considered by banks to form a holistic view of priorities in the governance landscape.

Tone from the top

Senior leadership are responsible for creating a robust risk culture. It is impacted by the composition and functioning of management bodies, clear messaging of desired behaviours and values, and effective interaction with internal control functions and supervisory bodies.

Effective communication, challenge and diversity

Fostering a culture where individuals feel safe to voice their opinions and concerns is vital. This is strengthened further by developing a diversity of knowledge, skills and experience at all levels.

Accountability for risks

Responsibilities for monitoring, managing and mitigating risks must be clearly defined and assigned. Systems must be implemented for the escalation of risk and control issues and findings as they arise.

Proper setting of incentives

Incentives must not be too closely linked with short-term profitability. Both financial and non-financial incentive schemes should promote effective risk management and ethical conduct.

KPMG Risk Culture Model

The KPMG Risk Culture Model provides firms with a framework to evaluate their risk culture, assess the top priorities and implement changes to adapt to emerging risks and focus areas.

The model has a proven track record of success, having been effective in many international financial institutions and major corporations in numerous sectors, as well as being adapted by regulators including the European and Dutch Central Bank.

Following rigorous scientific analysis of 150 cases of misconduct within organisations, it was found that there are eight cultural factors (detailed below) that are highly influential in driving behavioural patterns within organisations.

Failure to consider any one of these factors risks weakening the overall strength of the risk culture. By focusing their attention on these factors, firms can promote desired behaviours and respond quickly to highly risky and unsatisfactory conduct.

The eight cultural factors in question are as follows:

KPMG risk culture model
  1. Clarity & communication:
    How clear and comprehensive are the expectations of desired, risk-conscious behaviours, values and norms?
  2. Tone at the top and role modelling:
    How effective are management and senior leadership teams in setting a good example for employees on risk culture?
  3. Support of employees:
    Do employees endorse proper use of assets and display awareness of leadership and stakeholder interests?
  4. Enabling environment:
    To what degree are employees enabled to meet the risk culture and behavioural expectations that have been set?
  5. Transparency:
    How visible are failings in risk management or instances of misconduct that arise in the organisation?
  6. Openness to discuss dilemmas:
    To what extent do employees discuss issues and observations relating to risk and desired behaviours?
  7. Comfort to report:
    How comfortable are employees regarding speaking up about misconduct, voicing concerns and providing constructive challenge?
  8. Incentives & enforcement:
    How are employees sanctioned for misconduct, and what incentives are in place for meeting the desired expectations?

Alignment with ECB key risk culture dimensions

As seen in the below matrix, the cultural factors highlighted by our Risk Culture Model align with the four key dimensions highlighted by the ECB. This demonstrates that our Risk Culture Model is ready for use in evaluations of organisations’ risk culture in line with the recent ECB guidance.

Alignment matrix

Critical success factors

Integral interconnectivity

Developing risk culture will invariably have a notable impact on other cultural agendas. A decision made in relation to risk culture may have unforeseen consequences that can disrupt the progress of other activities in relation to key areas such as Environmental, Social and Governance (“ESG”), Inclusion, Diversity and Equity (“IDE”) and the development of AI.

Our research shows that sustainable culture change is only effective when it is aligned to other cultural agendas. Firms must understand the importance of a holistic risk culture that is built to manage the inherent interconnectivity of its ongoing agendas.

A culture that strives to find the optimal balance among these interests is vital to achieve the strategic objectives.

Meaningful measurement

Impactful management is not possible without effective measurement. The measurement and monitoring of risk culture must be subject to regular detailed assessments to ensure that the metrics being used reflect the constantly changing operational and customer landscape that firms face. It is essential that KPIs and metrics continuously evolve to meet the changing demands of both existing and emerging risks.

Failing to implement a dynamic approach can result in an incomplete identification of risks and gaps in behavioural understanding. Implementing qualitative analysis and introducing unobtrusive metrics can assist firms in reinforcing their existing assessment process.

How can KPMG help?

KPMG's Risk Consulting team is ready to provide expert guidance and support to banks as they seek to enhance their governance and risk culture. We have extensive knowledge of industry standards, rooted in our first-hand experience of working alongside industry peers on such matters in recent years. When you choose KPMG, you gain access to a trusted core team with a proven track record of successful delivery.

We can support you in your governance and risk culture journey as follows:

  1. Design and implement a holistic risk ecosystem through ‘Powered Risk’, our flagship offering for risk transformation.
  2. Assist with the design and implementation of risk management systems and internal control frameworks.
  3. Create tailored behaviours and culture frameworks leveraging data from our scientific culture model.
  4. Engage directors and business leaders on key issues with our Board Leadership Centre and Audit Committee Institute.
  5. Provide accessible insights relating to our risk culture quality through our interactive risk culture dashboard.
  6. Develop and facilitate training sessions on risk culture to promote understanding and improve implementation.

Conclusion

On December 6th 2024, the Irish Banking Culture Board (IBCB) published the 2024 éist report. This was the latest in a series of annual surveys of public trust in the banking sector.

Trust levels among both the general public and SMEs were found to be the highest recorded to date, and scores were net positive for the first time since the IBCB’s measurement began in 2021.

This upward trajectory signals a growing confidence in these financial institutions from both consumers and business clients. Banks will be encouraged that the progress made to date to address identified shortcomings has been impactful. However, banks must continue their development to maintain this positive momentum.

The IBCB also encouraged caution, noting that the trust levels of Irish banks remain low in comparison to other jurisdictions and industries. As new risks emerge and the technological and regulatory landscape continues its evolution, it will be vital for firms to implement a holistic risk culture that can rise to the challenge.

Deficiencies in governance and risk culture practices will inhibit the ability of firms to respond quickly to these developments and jeopardise the growing public trust in the industry.

Contact our team

If you would like to discuss how KPMG can provide guidance and support on your governance and risk culture journey, please get in touch with our Risk Consulting team below. We’d be delighted to hear from you.
