Why is the cultural agenda so important?
A key to unlocking why things go wrong in financial institutions similar to all organisations is to understand the norms and the expectations within organisations as to what is normal. Over the past year, the Central Bank, along with other supervisory agencies worldwide, has been focusing on cultural awareness as part of its normal supervisory activity, including a consideration of an institution’s risk culture through continuous assessment meetings, risk management and governance reviews and inspections. Indeed, the Central Bank has recently conducted themed inspections examining “behaviour and culture” at local banks, along with actively inspecting banks’ compliance with the internal governance guidelines set out by the European Banking Authority in its GL44 paper.
“Culture” within an organization relates to its people, its performance, individual beliefs within the organization and its leadership. It encompasses risk culture which addresses the articulation, communication, measurement and management of risk. But it also separately takes into account conduct risk which seeks to identify and address risk in product design, sales practices and behaviour which may have an impact on customers.
There is a recognition now that culture is integral to everything. The financial crisis of recent years highlighted poor risk management practices and clear weaknesses in internal control structures, but it also highlighted deficiencies in many financial institutions’ attitudes towards risk. An assessment of risk culture is thus a core component of the cultural awareness agenda.
The global regulatory body, FSB, was the first agency to draw attention to this topic. It defines risk culture as “an institution’s norms, attitudes and behaviours related to risk awareness, risk taking and risk management, or the institution’s risk culture.” The FSB articulate the view thatb risk culture shapes the values and beliefs which govern how individuals within an institution behave, how they perform their roles, how they take decisions, how they assess risk and do the ethical thing to ensure they operate in a safe and sound manner, and as such is bespoke to each organization.
From a supervisory perspective, the FSB’s Guidance on Supervisory Interaction with Financial Institutions on Risk Culture - A Framework for Assessing Risk Culture published in April 2014 is the main reference document. The FSB states that a sound risk culture will support appropriate risk awareness, behaviour and judgments about risk taking. The FSB does not define a target risk culture but rather gives regulators guidance on how to identify the risk culture within an institution.
The FSB indicates that a sound risk culture is one that:
The idea of an appropriate risk culture in banks is also a theme with the ECB and its approach to this topic is hugely informed by the FSB’s framework paper. Risk culturefeatures prominently in its document ‘SSM supervisory statement on governance and risk appetite’ published in June 2016, which states that expectations are that a strong risk appetite framework will help build a sound risk culture.
The ECB focuses on four main areas:
In June 2016, the Central Bank’s Head of Credit Institutions Supervision, Ed Sibley, referred to the cutting edge techniques of the Dutch regulator in assessing culture and indicated that the Central Bank , in its behaviour and culture inspections’ of banks, would be seeking answers in relation to;
In essence the risk culture allows regulators to assess the soft side of the risk management framework while the risk appetite framework provides the metrics and more quantitative evidence of the firm’s approach to risk taking. Regulators are trying to ensure that risk culture is a driver of the strategy and not the other way round.
The problem facing financial institutions across the various sectors is that “culture” is a nebulous concept, not to mention a subjective one, far removed from concrete regulatory issues such as solvency, credit risk modeling and risk weightings.
Any culture is a mixture of formal and informal practices so the question arises, how can a financial institution embed a risk culture and how can it assure itself that its risk culture is adequate? Ultimately boards will need to embrace this concept and ensure that the correct tone from the top is set. Understanding supervisory expectations and turning this into concrete metrics or deliverables is the challenge. Risk and compliance functions, along with senior and middle management, will need to drive this agenda to ensure that it meets supervisory expectations and that the risk culture is deemed adequate and supportive with internal audit playing a role in continuous assessment.