In the current environment, risk management is more important than ever for banks. And risk culture is at the heart of effective risk management.
Risk culture is a key part of a bank’s overall culture and can be defined as the collective set of behaviours and actions that drive an organisation’s response to identifying, assessing, and managing risk.
"Having the appropriate risk culture is paramount in ensuring that firms can identify emerging risks but also minimise the likelihood of any existing risks crystallising, in an ever-changing operating environment."
Bank of England
Poor risk culture has been cited as the root cause of major conduct failings (Bank of England Staff Working Paper No. 912). On the flip side, a strong risk culture plays a crucial role in supporting an organisation’s financial and operational resilience, can drive good risk decision-making, and reduces the risk of misconduct and regulatory action. Recent research by the Bank of England has even shown a direct correlation between good risk behaviours and positive risk outcomes , which ultimately can improve financial performance and drive good customer outcomes and support market integrity.
"If culture is so crucial, then it needs to be managed. If it needs to be managed then it needs to be measured."
Financial Conduct Authority
The question then becomes, how do you know if you have a ”good risk culture”? Organisations have always struggled to quantify a ‘soft’ concept like risk culture. However, measuring it is beneficial, as it helps expose any warning signs and identify where issues may lie.
By proactively identifying weaknesses, banks can take action to transform their culture. Regulators are also increasingly expressing interest in this area. For example, the Australian Prudential Regulation Authority (APRA) has defined an approach to assessing risk culture and set regulatory expectations.
What are some of the things to get right when setting up an approach to assessing risk culture? We’d like to share some of our observations from working with a range of banks in defining their risk culture assessment approaches.
1. Align your cultural agendas
To ensure a cohesive view of risk culture, align the cultural agendas led by HR, Risk, Compliance, and Audit. Your risk culture definition should be consistent with the firmwide culture and strategy. Risk culture is not something separate or standalone, it should be seen as a component part of overall organisational culture. How can you achieve this? Have consistent behavioural frameworks, data points, and assessment approaches across departments. In our experience, data points from Compliance and HR dashboards can be identified and used in a risk culture assessment. The outputs of these assessments were then integrated into overall HR cultural plans. Findings from risk culture assessments can also serve as artifacts in culture audits. This coordination and consistency minimises duplication of efforts. Refer to figure 1 to understand how we see the coordination between HR, Risk, Compliance, and Audit.
Figure 1. Connections between Risk, HR, Compliance and Audit culture related activities
Ownership of risk culture should also be clearly established within the organisation. While the first line of defense has ultimate ownership of the bank's culture (including risk); centralised ownership for its assessment should be defined. Based on our observations across the financial services industry, this responsibility can sit with enterprise risk management, COO functions, or HR.
2. Use unobtrusive indicators
Most banks use self-report methods (employee surveys and interviews) to measure risk culture. However, we have observed a clear trend toward collecting more unobtrusive metrics.
Unobtrusive indicators measure culture by collecting data without directly involving employees (Bank of England Staff Working Paper No. 912). For instance, metrics related to the timeliness of escalations, the number and size of unauthorized limit breaches, a reduction in the impact and/or likelihood of risk events occurring post remediation are all examples of metrics we have seen monitored over time.
Why are unobtrusive metrics so beneficial? Employee surveys can be biased. Employees tend to respond favorably to surveys. They also perceive their own cultural context as normal, even if it leads to poor conduct outcomes, making it difficult to identify weaknesses. Using unobtrusive indicators also reduces resource burden (which is true especially for qualitative methods) and provides a real-time view of risk culture.
While self-report methods have biases, so do all assessment approaches. Instead of replacing self-report methods entirely, we suggest complementing them with unobtrusive data. Identify data points that map to your risk culture definition – they may already exist in your Conduct and HR dashboards.
3. Move from reporting into action
A common challenge we are seeing in the banking sector is the focus of attention solely on the assessment and reporting of risk culture. Instead of being consumed by manual data collection and analysis, banks should focus on using the assessment outputs to identify behavioral interventions. Make sure to feed these into your overall HR culture plans.
To create meaningful and lasting changes in risk culture, leaders can concentrate on behavioral interventions. Let's explore a few behavioural interventions in relation to 'safety to speak up.' For instance, a communications campaign may effectively raise awareness of escalation channels, while a leadership development programme can effectively build the necessary psychological safety for individuals to feel safe to speak up.
However, sometimes behavioral interventions alone won't be enough. Changing organisational systems and processes will be necessary. In our ‘speaking up’ example, implementing an anonymous escalation system can create a safe environment for employees to speak up without fear of retaliation. You should strike a balance between interventions that have the most impact and those that are more achievable in the short term.
Measuring the impact of interventions is crucial. Running regular risk culture assessments help identify trends and evaluate the effectiveness of behavioral change initiatives. If the interventions are not ‘turning up the dial’ on your risk culture, it is necessary to make appropriate adjustments.
Conclusions and next steps
To establish and maintain a robust risk culture, it is crucial to take proactive measures. Risk culture assessments can help identify issues and prioritise areas which require intervention.
There is no ‘one size fits all’ in terms of measuring and assessing risk culture. It will vary based on the analytics capability, size and global reach of the organisation. However, to ensure that you are staying ahead of regulatory requirements, you can:
- Define what risk culture means for your organisation, making sure your definition is aligned to existing cultural agendas;
- Establish an identification and assessment methodology, leveraging existing culture assessment practices within your organisation and unobtrusive data points;
- Move your attention from assessment into action.
Stay tuned for more updates on quantifying risk culture. In our next issue, we will share an insight into what leading institutions are focussing on and some of their challenges in setting up approaches to risk culture assessment.
How can KPMG support?
If you would like to connect with one of our experts to discuss the topic of risk culture further, please do reach out to us. We are here to help.