Changing Risk Culture is Hard
A good risk culture has often been identified as a prerequisite for improving risk management in regulated banks, and some regulators have recently called for improvements in the risk culture of banks, especially the large financial institutions considered Systemically Important Banks (SIBs). But the term “risk culture” is not well defined. Instead, it is often described by equally vague concepts such as “tone at the top” and “walk the talk.” Moreover, industry bodies and systemic regulators alike assume that risk management can be improved by somehow wrapping an all-enveloping cloak of risk culture over a firm. But that approach treats risk as something outside of, and optionally added to, business culture, not as an integral part of almost every business decision. Culture and risk are both bottom-up, not top-down, concepts and therefore have to be built into the foundations of the organization to be effective.
Organizational theorists argue that it is difficult to change an organization’s culture because it is based on deep, often-unconscious assumptions that are taken for granted in daily decision-making. Without understanding these assumptions, changing a prevailing culture will be impossible, especially in large international SIBs with staff and offices around the world involved in a wide range of very different businesses.
The role of a regulator in dealing with culture is particularly difficult. Without a great deal of internal analysis, it is just not possible to fully evaluate a bank’s self-assessment that it does, in fact, have an effective risk culture. As the UK Financial Services Authority (FSA) pointed out, “it needs to be recognized… that a supervisor’s ability to assess true commitment to appropriate values (as against the ability to say the right words) is highly imperfect.”
The experience of the FSA, now reconstituted as the Financial Conduct Authority (FCA), is worth heeding. In response to earlier misconduct issues that now look relatively benign compared to later scandals, such as the manipulation of LIBOR, the FSA has been pursuing an initiative called Treat Customers Fairly or TCF since 2001. The initiative was originally designed to improve selling practices in regulated institutions, but the FSA found that it had little traction initially in enforcing its rules. For over ten years, the FSA, and now the FCA, have been adapting and enhancing their TCF program. At each step, the FCA has come closer to the realization that little will change through regulatory exhortation, and that TCF must become “embedded throughout a firm’s operations and within its culture.” In 2007, the FSA introduced what it called the TCF Cultural Framework as part of its overall risk assessment of regulated firms. Some large UK banks, such as HSBC and Barclays, have implemented the TCF framework and enthusiastically endorsed the approach in their regulatory filings.
Although the jury is out on whether the TCF program has been successful across the board, it should be noted that the UK financial regulator is already assessing at least one dimension of culture.
The TCF Cultural Framework identifies six “key drivers” of culture: leadership; strategy; decision making; controls; recruitment, training and competence; and reward. In addition, the Financial Stability Board (FSB) has identified four key indicators of a sound risk culture that align closely with the TCF drivers, namely “tone at the top” (leadership); accountability (controls); effective challenge (decision making); and incentives (reward). In all, the TCF framework identifies 27 sub-indicators of a “positive” culture, suggesting that culture cannot be measured by a small number of variables and therefore is not amenable to superficial analysis.
In a recently published paper, “A Risk Culture Framework for Systemically Important Banks,” I build upon the positive experiences of the TCF initiative to develop a similar framework for embedding a risk culture into SIBs. The paper uses the six key drivers of culture in TCF and builds on its definitions to create a 36 (6×6) matrix of Risk Indicators that allows assessment of the key drivers across an SIB.
Because changing a risk culture is likely to be (at least) as complex as changing a customer service culture, the experience of rolling out TCF suggests that it is important to carefully plan the implementation of efforts to change firms’ risk cultures. Change won’t happen overnight. It will take many years for evidence of a new risk culture across the banking industry to emerge. This, in turn, argues for considerable research into practical attempts to change cultures before implementation is started. If risk culture is to be taken seriously in SIBs, there is little opportunity for experimentation – and an equally small margin for failure.
Any attempt to change risk culture will require experts in human behavior, particularly those working in human resources departments, to engage comprehensively in efforts at cultural change. In turn, risk management experts and regulators must reach out to understand these softer disciplines and not assume that they know it all already.