Diving deep on risk culture

December 2023

Improving bank governance is a long-standing European Central Bank (ECB) supervisory priority – and as we reported in our July article, the issue has been given extra impetus by the collapse of US and Swiss banks this spring. The ECB has identified bad management as the root cause of these bank failures and has promised to keep pressing banks to remedy shortcomings in their governance and risk management.

In a September speech, ECB Supervisory Board Vice-Chair Frank Elderson highlighted one specific area of governance: risk culture. This Elderson described as the ‘software’ of governance, the set of attitudes and norms that influence how individuals actually behave with the formal framework of management structures and policies (the governance ‘hardware’). A healthy risk culture, Elderson argued, will spur innovation and customer service while also promoting compliance with regulatory requirements and internal controls. A bad culture, on the other hand, will encourage bank staff to ignore or disregard risk controls in the pursuit of short-term profit alone – with potentially disastrous consequences.

Elderson argued that by undermining banks’ formal risk management systems, poor risk culture was a key driver of the reckless behaviour that led to the global financial crisis of 2008, as well as more recent bank failures. It is therefore essential, he said, that the ECB scrutinize the software as well as the hardware of governance to ensure that banks remain well run.

To that end, Elderson announced that the ECB is piloting ‘risk culture deep dives’ at a small number of banks. These build on the ECB’s review of management bodies earlier this year as well as the assessment of bank culture conducted by the Dutch central bank (DNB) in 2015, when Elderson was Executive Director for Supervision. That exercise employed organizational psychologists to evaluate behavioural drivers and risk culture through observation, surveys and interviews with staff.

The results of the deep dives, plus a review of international work in this space (Elderson cited the Australian Prudential Regulation Authority’s Bank Executive Accountability Regime and the draft risk culture guidelines issued in February by the Canadian Office of the Superintendent of Financial Institutions as well as the DNB 2015 assessment) will inform a new ECB Guide on Governance and Risk Culture. Elderson announced that this will be published by the end of 2024.

A key challenge, however – both for banks seeking to demonstrate the quality of their risk culture and for supervisors performing assessments – will be measurement. Based on the experience of previous ECB on-site inspections, we expect documentation to be a major focus for supervisors. The ECB will most likely look for extensive documentary evidence that management promotes a positive attitude toward prudent risk management throughout the organization. Types of material that supervisors may review include:

• Internal communications such as all-staff memos and town-hall meetings: do these show bank leaders setting the right ‘Tone from the Top’ and emphasizing the importance of prudent risk management?
• Meeting records: is there evidence of management openness to constructive challenge and diverse perspectives before decisions are taken?
• Training materials: how far is importance of prudent risk management reflected in training for roles across the business?
• Escalation / whistleblowing channels: can a bank show that staff are willing to escalate concerns without fear of consequences?
• Appraisal and remuneration policies: is promoting prudent risk management included in staff objectives, and reflected in compensation decisions?

Thorough documentation will not only help banks prepare for supervisory scrutiny. It will also equip management to proactively monitor their risk culture and ensure that risk policies and controls are followed at all levels of the organisation. 

Risk culture looks set to remain a central element of the ECB’s approach to bank governance. Indeed, it could well be listed as a formal ECB supervisory priority for the coming years, with the risk culture deep dives announced by Elderson serving as a model for on-site inspections at a wider population of banks.

Ahead of any supervisory audits, banks should consider first performing their own risk culture assessment, to understand in detail the state of their current risk culture and identify any shortcomings.

In parallel, banks should review their internal processes and records. This should only be seen as an exercise in gathering evidence to demonstrate the health of their risk culture tosupervisors.

More importantly, it should be regarded as a powerful tool for management to fully understand the culture throughout the bank and drive continuous improvement in their risk culture and governance.