Risk Culture: Are we too complacent?
In a recent paper, the prudential regulator has warned that organisations could be complacent with their risk management processes. Grant MacKinnon assesses what companies can do to implement a more robust framework.
The global financial crisis exposed shortcomings in attitudes to risk and risk-taking that created significant prudential risk. In response, the Australian Prudential Regulation Authority (APRA) has released a much anticipated information paper on risk culture.1
Promoting sound risk culture is seen by APRA as essential to its supervisory goal of ensuring financial system stability. While recognising that the Australian financial industry has a commitment to good culture, and that work has commenced across institutions, APRA notes that all such work, including their own, is at a ‘very early stage’ of maturity.
A lack of self-awareness?
While the majority of industry participants rated their own risk cultures as broadly ‘good’ or ‘strong’, APRA questions this self-assessment, given that many institutions also say they believe risk culture is an issue in the industry and many are struggling to measure and evaluate their own.
The APRA paper warns Australian institutions not to be complacent about culture.
As for APRA, it is commencing a concerted, consistent and sustained effort to strengthen risk culture within Australia’s financial institutions.
The complacency paradox
In establishing the baseline through industry consultation, APRA found the ‘level and sophistication of assessment tools varies considerably’. It is therefore important to consider the extent to which an organisation’s response to managing its risks is a consequence of its own prevailing culture, whether sophisticated or rudimentary.
- Sophisticated: Organisations that employ relatively sophisticated risk culture approaches, such as embedding culture into audit activities, driving the values and purpose of a risk-aware culture from the top, and developing key performance indicators that embed these values and their associated behaviours into their processes and protocols, tend to reap considerable value, and key stakeholders are generously rewarded with new insights from this investment.
- Rudimentary: Conversely, firms that adopt rudimentary approaches to rate or measure risk culture lack a critical ability to surface culture-related vulnerabilities and their underlying drivers. Resulting actions such as training and communications to address the identified culture-related vulnerabilities will often miss the mark and perpetuate systemic weaknesses.
The underlying drivers of culture are multifaceted – while there will be common characteristics that industry must pay attention to such as remuneration, drivers across and within organisations will vary immensely.
Organisations that are unable to garner such insight are more likely to hold a false sense of security as to the relative soundness of their risk management environment. Reliance on engagement or culture surveys is not enough to understand the role culture plays with respect to risk, conduct and compliance – particularly where these surveys are tied to leader scorecards, performance and incentives.
Understanding and influencing
Sophisticated risk culture approaches are not necessarily expensive. Relative to the scale of an organisation, there are many ways that in-house capabilities can be tuned to effect a positive and sustained impact.
Such an approach requires strong CEO-led coordination and collaboration across each of the three lines of defence with the risk and human resources functions each taking lead roles in their capacity to support the first line.
APRA’s paper makes clear reference to the equal importance of both the formal and informal elements of an organisation’s culture.
To borrow internal controls’ terminology: the formal elements of purpose, values, risk appetite statement, governance, performance, incentives, processes, IT systems and the like are critical preventative controls for risk culture. They serve to set and reinforce expectations of behaviour, conduct and decision-making.
Organisations should take care to define and consistently embed their desired risk culture throughout all of these artefacts and avoid defining new artefacts that only serve to compete with the limited attention and headspace of a productive workforce.
In many organisations unconscious risk-taking may be perpetuated by misalignment between Delegations of Authority and the cascade of Risk Appetite Statements.
Detective controls address the challenge of understanding the informal or intangible aspects of risk culture. In particular, they serve to surface the situations where staff members deviate from the expected ‘norm’, and to explore the underlying drivers of those situations.
The greater the clarity of the underlying drivers, the greater the specificity of the resulting actions to redress them. Internal audit in the third line, through its assurance mandate, is logically suited to help surface such vulnerabilities at a local and granular organisational level.
Surfacing unconscious risk taking
However, not all risk culture vulnerabilities manifest locally; there are many documented examples of unconscious risk-taking across multiple parts of an organisation that result in an accumulation of unacceptable risk exposure or detrimental outcomes. While APRA provides growth-related examples in its paper, organisations should pay particular attention to the cumulative risk exposure and subsequent impact of ongoing transformation or productivity programs where there is an absence of corresponding internal control or IT simplification.
APRA will adopt a more intrusive supervisory role in forming a view of risk culture within financial institutions; the insights from this work will directly influence its supervisory approach to each regulated entity.
Immediate practical steps to take
- As the risk culture conversation continues to mature, there is a wide array of techniques and approaches that organisations can consider, re-evaluate and further embed.
- Boards and executives should remain professionally sceptical of existing approaches, and clarify risk culture objectives and accountabilities across each of the three lines of defence.
- Regulators are increasingly drawing on specialist expertise in psychology and behavioural science; organisations should consider doing the same.
This article was first published in Asia-Pacific Banking & Finance.