During the financial market crisis of recent years, the lacking effectiveness of existing risk management systems was painfully revealed. Prevailing trust in quantitative models for risk measurement was shaken to its core and the repercussions are obvious to all those involved: comprehensive changes and expansions, in particular with regard to quantification, limitation and capital charge of risks were affected through new and additional regulatory requirements (in particular Basel III, SSM, etc.) and have been widely implemented for the time being.
Apart from purely quantitative aspects, qualitative aspects and their extensive impact have largely been overlooked. The triggers for the financial market crisis were not the risk models themselves, but rather the (mis-)behavior of market participants and risk managers and their lack of risk awareness, which led to collapsing markets, substantial risks and finally to the known system-wide failures. Thus, the behavior-related, cultural design of a company’s risk organization is a decisive factor for the stability of a financial institution. A sole focus on quantification models is no longer sufficient. This has forced supervisory authorities to concentrate on such qualitative and cultural aspects. A corresponding first guideline regarding risk culture was published by the Financial Stability Board in April 2014 (Financial Stability Board (FSB), Guidance on supervisory interaction with financial institution on risk culture, a framework for assessing risk culture).
Therefore, it is indispensable for banks and other financial institutions to intensify their focus on risk culture in order to achieve effective and comprehensive risk management, and thereby reduce the risk to a minimum of getting caught off guard again.
What is risk culture?
“Risk culture can be defined as the norms and traditions of behavior of individuals and of groups within an organization that determine the way in which they identify, understand, discuss, and act on the risks the organization confronts and the risks it takes.” (International Institute of Finance, “Reform in the financial services industry: Strengthening Practices for a More Stable System” (2009)).
Consequently, risk culture supplements the existing (quantitative) risk management framework with behavior-related components and therefore depends on various aspects, such as a company`s
- organizational culture
- business model and the defined risk appetite
- organizational structure
- senior management and staff
- and, last but not least, the regulatory framework.
The aim of risk culture is to close the gap between risk exposure resulting from the business model and the capabilities of the existing quantitative risk management. In order to account for the aforementioned levers, risk culture must be designed multi-dimensionally and according to the individual characteristics of each organization.
Currently, the regulatory requirements of Pillar II determine the strategic alignment and structure of the internal risk management framework. A risk-specific quantification and limitation of the respective risk-types as well as the maintenance of risk-bearing capacity on total bank level are performed for the risk-bearing capacity calculation (as part of the ICAAP). Metaphorically speaking, as long as there is no infringement of the limits, the traffic lights are green. Counter-measures will only be taken after a certain risk materializes—with the aim of reducing the risk scope within the defined limits.
Effective risk culture contributes to an organization´s ability to pro-actively counteract looming risks as well as risk changes, especially if it is properly integrated into daily business. Appropriate behavioral guidelines set the framework for distinct risk awareness and must be designed in accordance with the risk type. Subsequently, a comprehensive image of the overall risk situation can be established and unpredictable and unwanted developments can thereby limited to a minimum.
Sticking to the metaphor, the limit traffic lights only switch to yellow if measures are already urgently required. Effective risk culture on the other hand ensures that risks are recognized as soon as they appear on the horizon and that behavior as well as decisions are adjusted accordingly. This situation can best be compared to a roundabout in traffic: first you take a look and assess the situation, then you pull into traffic.
In conclusion, effective risk culture enables anticipatory / pro-active risk management and focuses on the recognition and mitigation of risks before they materialize. As a consequence, the leeway for deliberate risk positions is increased and the capital charge demand for unchanged risk position is decreased. The “undesired” share of risk volatility is reduced as a result of increased risk awareness—the probability of surprises, as mentioned above is lowered.
Therefore, by establishing comprehensive risk culture, the grip of the current regulatory sleeper hold can be loosened and step-by-step replaced once again by sensible business.
How can risk culture be implemented in my organization?
When implementing strong and progressive risk culture, the levers described above must be used in order to effectively intervene in the cultural identity of the organization and its employees. The zeb.approach combines and utilizes these levers and enables implementation via three independent modules, as described in figure 3:
- Module 1: Cultural assessment
- Module 2: Target operating model
- Module 3: Incentives & compensation
In order to monitor the progress of the individual modules as well as the general cultural change, additional risk culture metrics can be defined and implemented; thus, making the progress of implementation, regarding the specific objectives pursued by senior management, measurable in the medium and long run.
The aim of the cultural assessment (module 1) is to analyze the status quo of the cultural understanding and self-awareness of the employees. Based on the findings of the assessment it can be evaluated whether the current (risk) culture of the organization is aligned with the goals pursued by senior management. Additionally, the assessment will highlight the specific areas with the largest gap between the target culture and status quo.
This module is predominantly conducted by means of questionnaires, interviews and self-assessments and can be supplemented by quantitative methods and tools, such as the organizational culture assessment instrument (OCAI). The result is a comprehensive view on how the employees experience the current corporate culture and in which direction they want to grow and develop. The outcome of this assessment impacts in particular the necessary applicable measures for inducing cultural change.
The “target operating model” (module 2) focuses on the necessary organizational structure and related framework conditions in order to create sustainable risk culture. One key elements of this module is transparency. On the one hand via availability of tangible information and on the other hand through consistent and clear communication of expectations. This will enable employee`s insights into different areas of business and foster a more holistic understanding of the organization`s big picture. Additionally, transparency reduces the individual`s opportunity for non-compliant behavior, which would contradict the trending cultural awareness of one`s peers. Therefore, transparency also represents an important control function.
The other key element of a risk culture TOM is the implementation of risk management as a challenger function, thus directly involving it in the business decision-making process. Consequently, this will lead to increased influence on total bank management and ultimately facilitates proactive mitigation of potential risks and a decision-making process that reflects the risk appetite of the organization.
The third module focuses on the various measures for incentivizing the organization´s employees. Financial remuneration represents the allegedly strongest lever with regard to motivation. The company, however, faces the challenge of striking a balance between risk awareness and profitability with this type of incentive. Recent studies and well-known research have shown that a sole focus on remuneration is not the main trigger of employee satisfaction in the workplace. On the contrary, financial compensation, according to the 2 factors theory, is a hygiene factor or so-called dissatisfier. On the other hand there are factors, such as the degree of autonomy in the workplace, career opportunities or the recognition of achievements and performance, which are directly associated with employee satisfaction. The aim of the module is to strengthen the employee’s feeling of adherence to the organization and loyalty towards the employer by a risk- and target-oriented adjustment of the incentive structure.
Finally, a strategy must be developed independently of the respective module, which enables a combination of functional, procedural and cross-functional measures in order to facilitate the widest possible implementation coverage (see figure 4). The functional approach initially targets the management level in order to anchor risk culture in thought and action of senior management. Process-related measures foster the timely recognition of potential risks and the respective escalation behavior across all process steps. Lastly, interdepartmental implementation paves the way for better understanding of the individual employee with regard to the big picture and will ultimately strengthen the collective sense of responsibility.
Risk culture has become an increasingly vital topic instead of current market conditions and the overall banking environment. After having introduced quantitative regulatory requirements (Basel III), supervisory authority will increasingly focus on the qualitative design of risk management frameworks as a next step. The topic of risk culture and the related “soft” factors is currently not treated with particular urgency by the majority of market participants; it is certainly not on the list of hot topics for 2015. zeb thinks, however, that risk culture will be an essential element of comprehensive and sustainable risk management. The quantitative, relatively mature, risk models must be complemented by qualitative aspects in order to evolve from mostly passive to pro-active risk mitigation.
Expanding and developing the individual design of their risk culture framework banks can establish a competitive advantage, strengthen the relationship with supervisory authorities and reinforce sustainability of the bank’s business model.