Risk Culture: The Quest for the Holy Grail
The concept of a grail emanated through literature as a cup, dish or stone throughout the 12th and 13th centuries, and was woven into the biblical legend of the Last Supper as the Holy Chalice or Holy Grail. The term Holy Grail is now often used to describe an elusive object or goal that is sought after for its great significance (Merriam-Webster Dictionary).
Developing an accurate way to assess risk culture and building a strong risk culture within an organisation can often seem like working towards an elusive goal, akin to the metaphorical search for the Holy Grail. Importantly, though, the benefits of building out a risk culture framework can be significant and can also be achieved progressively. As we trial different methodologies to assess risk culture and implement new initiatives to increase its awareness and reinforce positive risk practices, the conversation on risk culture progresses and broadens within and across various organisations.
This in itself can yield many benefits, including:
> increasing awareness of risk management throughout the business operations;
> enhanced financial and operational performance through the optimisation of risk-reward trade-offs;
> greater appreciation of the impact of corporate conduct and reputational risk exposures;
> better conduct in adhering to regulatory requirements and servicing customers in a way that meets community expectations;
> improved information flows on risk issues at various levels of the organisation;
> increased reporting of breaches and incidents that can provide for learning opportunities; and
> improved collaboration between the first and second lines of the three lines of defence.
Despite this advancement, there remains opportunity to progress further along the continuum of risk management maturity and we continue in our quest to better understand risk culture.
For some time, the Australian Prudential Regulation Authority (APRA) has pointed to the De Nederlandsche Bank (DNB) as being the global leader in its regulatory approach to assessing risk culture. Yet, if you delve into the details of the DNB methodology or speak with the leaders of their culture team, you will discover that the impact of incentives on risk culture has been explicitly and deliberately excluded from their approach. The stated rationale for this is that the inclusion of incentives in the methodology would result in excessive focus and discussion on the impact of bonus structures. However, this seems somewhat implausible in the context of the drivers of the Global Financial Crisis (which was one of the drivers for the development of the DNB approach) and, more recently, the Royal Commission into Misconduct in the Financial Services, Banking and Superannuation Industry in Australia.
It is also worth pointing out that a 20% cap on variable remuneration exists in the Netherlands, which would impact on the extent to which incentives can potentially influence behaviours. Elsewhere in Europe, much higher caps of 100% of fixed remuneration have been applied and in many other jurisdictions, including Australia, no caps apply at all. Nevertheless, the dollar amount of a 20% bonus on a high fixed salary amount can be considerable and therefore potentially influential to decision making. A 20% bonus on a low fixed salary amount can also drive behaviour and outcomes, as a result of the law of diminishing marginal returns – for example a modest sum to a low wage earner can mean the difference between going on the annual family holiday or not. This relationship has been explored in the experimental research report co-authored by Professor Elizabeth Sheedy at the Macquarie University Applied Finance Centre and titled ‘Are profit-based incentives compatible with a risk culture?’ (August 2017).
In the Australian context, APRA has supplemented the DNB approach with some consideration of the impact of incentives when developing the methodology used for its pilot risk culture review project, which commenced in 2016 but then stalled in 2017. As explained by Wayne Byres at the 4 September 2018 Annual Risk Management Association Chief Risk Officer Conference, “we are currently re-scoping our pilot risk culture assessment program – capturing the areas and techniques where we gained biggest ‘bang for our buck’ in our early work – to endeavour to make it more useable on a wider basis within our overall supervisory framework”.
This outcome is a stark reminder of the dichotomy that often exists between developing a theoretically sophisticated methodology and establishing a practical, fit-for-purpose approach. It can often be said that 90% of the benefits of the most sophisticated model can be achieved via an elegantly simple solution. APRA would thus appear to be headed in the right direction in simplifying the approach, given that APRA would never be expected to receive the resources required to implement the former on the required scale, even after the outcomes of the Royal Commission.
In the case of assessing risk culture, or organisational culture more broadly, the longevity of any sophisticated assessment model is somewhat questionable. As we know, organisations are collections of people, and people are complex beings. The ways in which the individuals within organisations interact internally and externally change over time as a result of company-specific drivers, demographic changes in the leadership group and employee base, societal changes and technology advances, amongst many others. As such, the detailed factors driving behaviour and cultural norms in one period may no longer hold in any future period, potentially undermining the theoretical approach of the sophisticated model developed.
As a result, when utilising a risk culture survey process, it is necessary to overlay this with a thorough interview and workshop process in order to better understand the true meaning of the indicative results. The numerous sensitivities involved in discussing workplace dynamics and the varying degrees of individual comfort and/or willingness to actively engage with survey processes also mean that a combination of approaches is often superior to one type of assessment technique.
Noting all of these complexities, it has been interesting to observe the recent use of terminology like ‘risk culture audits’ and ‘auditing risk culture’ by some major financial institutions and international regulators. The term audit is defined in International Standards Organisation 19011:2011 Guidelines for Auditing Management Systems (ISO 19011) as being “an evidence gathering process” to “evaluate how well audit criteria are being met”. In the case of assessing risk culture, the extent of subjectivity involved would make the application of any strict audit approach highly questionable. However, many of the approaches being adopted are simply variations of other types of risk culture diagnostic methodologies and it would seem that the terminology has grown from the relevant division responsible for conducting such reviews (i.e. the internal audit function). A number of these institutions are now investing in developing or enhancing their risk culture assessment methodologies and recruiting specialist resources such as organisational psychologists to assist in their own quests for the Holy Grail.
The Hall Advisory view is that we may never find that Holy Grail of risk culture, but that risk management practitioners and regulators alike will continue to become more experienced and effective in drawing together the relevant information from the various available sources to diagnose the material issues and articulate a tailored action plan for further improvement.
As with all regulatory developments, we will await with interest further announcements from APRA on their revised approach for the pilot project, as well as risk culture initiatives and developments from international regulators.