Change your risk culture to make your framework work
Lack of focus on risk culture and behaviours
In the decade following the financial crisis, operational risk management has become a key topic, concerning senior management and regulators across the financial services industry. We have seen substantial losses and fines, as well as regulatory focus on specific subsets, such as Conduct (e.g. PPI and LIBOR), data security (GDPR), individual accountability (SMCR) and service disruption (Consultation Papers on Operational Resilience).
It isn’t surprising, then, that time and money have been invested (in significant volumes) to develop frameworks, organisational structures and systems to enable the management of these risk types. The proliferation of frameworks is, in itself, an issue that we have talked about before (A Defenceless Three Lines), as siloed thinking and a lack of alignment hinder their individual effectiveness.
However, while frameworks deliver a crucial foundation for risk management, and risk management processes are absolutely required to satisfy both regulatory and industry expectations, frameworks should act as a complement to, and not a replacement for, a culture in which risk is managed actively.
Indeed, a poor culture can undermine even the best designed risk frameworks. People can choose whether and how to comply with framework requirements; for example, an employee will consider a number of factors when deciding whether to report an incident, from personal incentives to a firm’s cultural norms – will they act in line with the letter or spirit of controls, or not at all? A culture which does not prioritise recognition of risk or reward effective risk management will not manage risk well.
Senior Managers have a clear incentive to better manage risk under the increased individual accountability of SMCR. Leadership should ensure that they consider the risks relating to business decisions just as much as they consider commercial business cases. Consequently, Senior Managers should make sure that they set clear expectations that they want identification and assessment of risk to form part of the data they receive to inform decision-making.
The FCA has regularly discussed the influence this ‘tone from the top’ set by leaders can have on a firm’s culture, but what can leaders do to increase the chances of their expectations being met?
Common inhibitors to ‘risk culture’
By recognising five common challenges that can influence risk behaviours, your firm can begin to take tactical, pragmatic steps to drive cultural change.
- Awareness of risk and risk management frameworks
Colleagues across the organisation are often unfamiliar with risk frameworks and their responsibilities within them, meaning they are unlikely to take appropriate risk management actions.
- Risk assessment and management capability
Simple awareness of framework requirements will not be sufficient if risk and control owners, and their teams, do not have the knowledge to effectively carry out their risk management responsibilities.
- Unclear or complex procedures
If the procedures set out in the framework are overly complex or unclear, embedding them into BAU will always be challenging. It is incumbent on the teams designing frameworks to carefully consider the needs of the wider business.
- Procedures seen as unnecessary
Framework owners must be able to articulate the purpose and benefits of their procedures, and then convince the organisation of their importance.
- Poorly designed incentives
Firms have taken steps to ensure risk management behaviours are considered in performance management, but poorly designed measures can lead to unintended consequences. We have seen, for example, targets to reduce operational risk incidents driving underreporting.
Tactical changes to influence ‘risk culture’
Firmwide risk framework training campaigns are the obvious way to boost employee awareness of the firm’s risks, the frameworks for managing them and individual responsibilities. However, mass training isn’t always effective and may be treated as a tick-box exercise; awareness campaigns aren’t given the same focus as the framework design; and in any case, training alone will not change habits. Target messages to specific groups, and invest time to support BAU changes in response to framework requirements; for example, ensure the risk team regularly reinforces key messages in their regular meetings with business stakeholders.
To enable the organisation to effectively carry out framework requirements, define the knowledge and skill requirements for each team and individual to deliver the expectations of risk roles and responsibilities, for example as set out in a 3 Lines of Defence model. Targeted training can then be delivered or resource gaps escalated. Firms should avoid thinking that only one role (or function) needs to understand how to manage a risk; for example, a recent FCA speech emphasised that ensuring the needs of vulnerable customers are met is not just a role for customer-facing employees; product design teams should also consider how to avoid harm to these customers.
Review your risk management procedures to make them simpler, easier to follow and more likely to be adopted. Many organisations have developed a web of procedures over time which reference, and sometimes contradict, each other. These can be difficult to understand, particularly during the heat of an incident, meaning that employees are less likely to act as those who have designed risk frameworks expect them to. As discussed in previous BCS Consulting posts, firms should consider alternative ways for people to raise concerns, leveraging technology such as accessible digital whistleblowing tools.
If a set of rules becomes perceived as too burdensome and getting in the way of the organisation’s purpose, it is more likely that people will look for ways around them. It is important both to review procedures on an “as much as necessary, as little as possible” basis and also to communicate the reasons for procedures and the outcomes they seek to produce to increase buy-in, and hence the likelihood of them being followed.
Finally, many organisations have unintentionally created disincentives for people to manage risks effectively. If people lose respect or financial reward due to an increase in risk exposure or number of risk incidents, they aren’t incentivised to report proactively. If there is little or no reward for raising risks, issues and incidents, and an admin burden for doing so, transparent communication becomes less likely. Performance measures should be carefully designed to focus on the behaviours you are seeking to drive, not necessarily the outcomes; consider rewarding information sharing, identification of risks, and the resolution of issues.
Cultural improvements alone are not likely to lead to information being shared and mitigating actions being co-ordinated within a firm if they are not organised through effective risk management frameworks. However, such frameworks will not function effectively if they are undermined by a culture which does not prioritise risk management. Risk culture and risk frameworks should be seen as both necessary and complementary for effective risk management.