Risk Culture in Financial Institutions: Navigating the changing landscape

The Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (hereafter Royal Commission) which ran for the better part of 2018 has resulted in a number of recommendations for change in the financial services industry to better protect consumer rights and expectations, while also raising awareness of significant conduct issues that have eroded consumer trust. Following the findings released in February 2019, financial institutions are now faced with the task of navigating the potential myriad of regulatory and legislative changes, while attempting to demonstrate to customers that their expectations regarding culture and conduct have been heard.

While the specifics of looming regulatory change may currently be uncertain, it is guaranteed to propel the progress of risk management for the foreseeable future as financial institutions strive to keep pace and demonstrate that lessons have been learnt. Financial institutions that are not actively or publicly acknowledging the issues of misconduct and seeking to enhance their processes and culture may get left behind as the industry moves to collectively rebuild consumer trust.

Considering these expectations for 2019 and beyond, there are 3 clear areas to focus on.

1. Adopting a Risk Culture Framework

The rapid evolution of risk culture diagnostics, propelled both by regulatory intervention and by organisations wanting to be at the forefront of change and demonstrate their commitment to putting customers first, has somewhat outpaced the fundamental step of defining risk culture and establishing a framework to operate within.

The real challenge of assessing risk culture lies in understanding and interpreting the results sufficiently well to use them to drive change. A useful assessment must necessarily start with a framework for defining risk culture, which would consider a range of inputs including: tone from the top (embedding the ‘should we do it’ question(1) throughout the organisation), organisation-wide understanding of risk, communication processes, incentive programs, etc.

2. Assessing Risk Culture

While regulatory requirements for assessing risk culture have been in existence for a number of years(2), ongoing uncertainty over how institutions are expected to demonstrate their risk culture has led to a slower progression of diagnostic techniques in some organisations.

Findings from the Royal Commission encouraging the Australian Prudential Regulation Authority (APRA) to build out its supervisory program for culture and assess cultural drivers of misconduct in entities(3) will ultimately encourage more supervisory oversight, but, as it currently stands, provides no more certainty on regulatory expectations.

While many financial institutions may have sought to address APRA’s CPS/SPS 220 Risk Management requirements by extending pre-existing culture surveys to cover specific elements of risk culture and conduct, the seriousness of cultural failings within organisations has demonstrated a need to increase the rigour and frequency of these assessments. Some organisations have already employed the use of research-backed scales to arrive at an educated assessment, while others have opted for a futuristic approach employing artificial intelligence software to identify differences and changes in sub-cultures across the business and even to monitor employee emails for the tone that is being used in communications. In any case, the approach taken should be appropriate to the size and complexity of the organisation and relatable to employees. In the case of risk culture, multiple data sources used simultaneously are often better than one, as this can reveal a more accurate picture of the culture and sub-cultures existing within the organisation.

3. Regular Monitoring

Following-up initial risk culture assessments with regular monitoring is critical for lasting impact and to translate objectives into meaningful information that can be communicated throughout the organisation. Internal culture is also susceptible to change over time as a result of staff transitions, mergers and acquisitions and the general growth of an organisation. As such, it’s important to periodically check in and monitor shifts in the risk culture and this has been reinforced in Recommendation 5.6 of the Royal Commission which encourages all financial institutions to regularly assess culture and governance and whether implemented changes have been effective(4).

But this doesn’t necessarily mean starting from scratch! Many organisations are already taking a closer look at their existing Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs) to reconsider the sorts of intentional or unintentional impacts that these could be having on risk culture (in a reactive sense), and reinventing them for more proactive use to shift aspects of the culture that are causing concern. Given the difficulty of measuring culture in any strict quantitative way, chosen metrics should not be looked at in isolation, but rather correlations should also be considered.

Finally, some form of quarterly or regular dashboard reporting of risk culture indicators for Management and Boards should be developed and we can expect to see varying approaches to this adopted across different organisations.


(1) Prudential Inquiry into the Commonwealth Bank of Australia (CBA) Final Report, April 2018, page 55, Recommendation 21


(2) Prudential Standard CPS 220 Risk Management, April 2018, paragraph 9(b)


(3) Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry Final Report Volume 1, February 2019, page 37, Recommendation 5.7 – Supervision of culture and governance


(4) Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry Final Report Volume 1, February 2019, page 36, Recommendation 5.6 – Changing culture and governance


Recent Posts