There has been a lot of talk around risk culture across the financial services sector and this is expected to continue given the current Royal Commission into misconduct in the Banking, Superannuation and Financial Services Industry, and the Prudential Inquiry into the CBA. So why is risk culture something that should be front and centre at your organisation, and what should you be thinking about?
1. What a poor risk culture could cost you
In certain sectors, risk culture is bandied around like risk jargon’s flavour of the month, but the consequences of poor risk culture are real and wide ranging and could hit your bottom line in a number of different ways including:
Losses from fraud incidents
Loss of productivity from high staff turnover
Excessive risk taking
Regulatory intervention and fines
Loss of market share to competitors
2. Regulatory expectations
Under CPS/SPS 220 Risk Management, the Board of a financial institution is now responsible for forming a view on risk culture. This can be a challenge for directors given that they don’t have a great deal of opportunity to interact with staff and often have to rely on management views of how things are on the ground. Despite this difficulty, the onus still rests squarely on directors to form an opinion on the organisation’s risk culture and take responsibility for driving any changes that are deemed necessary.
Regulatory supervisors face the same challenge in trying to form an impression of an organisation’s risk culture. Focus is placed on the institution’s norms, attitudes and behaviours related to risk awareness, risk taking and risk management, which often show up in how the organisation recognises, promotes and rewards risk behaviour.
3. Options for assessing and monitoring your risk culture
If you’ve taken the first steps and decided to make a formal assessment of your risk culture, what options are available to help make this determination?
Inclusion of risk culture questions in employee engagement surveys
Internally / externally facilitated risk culture surveys of directors, executives and staff
Use of research-backed risk culture scales in the survey process
Interviews with key decision makers and staff at various levels within the business by an operationally independent party
Scenario based workshops incorporating a risk culture diagnostic methodology
Application of artificial intelligence in the analysis of business data
Monitoring company emails for the ‘risk tone’ of business communications
While this list isn’t exhaustive, a useful approach to conducting an assessment is the triangulation of data from a number of information sources in order to piece together a more complete view of the internal risk culture.
It should also be noted that sub cultures may exist. It’s important to be aware of them and ensure that they are reflective of the overarching values of the organisation. Identification of key influencers or ‘culture carriers’ within the business is also useful for situations where you identify a need to influence the existing culture.
4. Hidden consequences
While the more obvious consequences of poor risk culture have been played out on the front pages of newspapers across the globe, a number of less recognised consequences could be undermining your organisation’s success.
For instance, a poor risk culture could be derailing your strategic objectives. This could result from lack of staff engagement and drive, or from the public’s lack of trust in your brand.
Your remuneration practices could also be inadvertently driving your risk culture, rather than rewarding staff for acting in a certain way. Remuneration, performance assessment and promotion systems must be geared towards the long-term interests of the organisation and not on short-term revenue generation.
5. Benefits of knowing your risk culture
It goes without saying that knowing your organisation’s risk culture puts you in a stronger position, but why is this more than just a regulatory exercise?
Assessing risk culture allows you to gain greater confidence that your staff will make the right decisions in all situations and that your organisation is supported by a strong ethical framework. Staff will feel confident and comfortable in speaking up and challenging the attitudes and actions that they see.
This is turn will help to reduce future mistakes. A culture of openness fosters an environment where staff feel comfortable talking about errors that have been made in order to learn from them and avoid them in the future.
Additionally, it promotes sound risk taking. Risk management is not all about the minimisation of risk; risk taking can be increased if it’s in line with appetite and strategy. Promoting risk management throughout the organisation that is supported by a strong risk culture will also help to ensure that staff are thinking ahead to emerging risks, or identifying or challenging risk-taking activities that they think are outside the institution’s risk appetite. It’s not enough for staff to know what is inside or outside of the Board’s risk appetite, but to feel empowered and motivated to escalate and address these concerns as well. This will only happen when sound risk taking is valued and enforced in the organisation's underlying risk culture.