Spring 2021 Newsletter – Lets go Data Driven!

AXVECO Autumn 2020 Newsletter

Decentralised Finance – Innovation versus Compliance!

Zero to $1.27 bn in a week – too good to be true?

Yes – because SushiSwap founder ‘Chef Nomi’ cashed in and disappeared causing his innovative new proposition to collapse in value. All this within a week – Zero to $1.27 bn back to (near) zero. But how is that possible? I hear you ask.

Well I would like to introduce Decentralised Finance (DeFi). DeFi is a revolutionary and innovative application of blockchain technology. We tokenise assets in the real world, and manage them in a digital world. With blockchain this can be done in a decentralised manner without a central authority.

DeFi has been around for a while but has seen an enormous rise in capital inflow and media attention following the launch of a number of initiatives aimed at providing Decentralised, peer-to-peer trading exchanges (DEX), Digital Asset Management, Lending and Payment solutions.

DeFi Prime lists a range of current projects which are positioned in different segments of the financial services spectrum.


The development of new DeFi infrastructure and tooling is also progressing with many projects in this area.

Some recent DeFi initiatives have received investments in the order of $bns in a matter of weeks – particularly over the summer of 2020, with DeFi Pulse estimating the assets under management rising from $5bn in July to around $80bn in September 2020.

Notable initiatives include UniSwap (transparent, censorship-resistant financial infrastructure for Ethereum) and other competing exchanges such as Balancer, Bancor and Kyber.


But back to Sushi! SushiSwap was listed in Binance on 1 September and received value “under lock” of $1.27bn in a week – only to become the focus of exit-scam speculation after the initiator (known only by pseudonym Chef Nomi) sold his stake and exited the venture – within 1.5 weeks of launching…

Those 4.500 of you who have been through our blockchain training know how we view blockchain applications – we address three key aspects of any initiative and we apply this to DeFi:

  1. Business Model
    DeFi is a fantastic innovation which can improve speed, transparency and reliability of many transactions due to the combination of information, financial and ownership exchange on a single platform.  It may also enable better market liquidity due to automated market making (AMM) by paying interest on invested tokens. There is a valid business case here!
  2. Technology
    DeFi currently mainly builds upon Ethereum tokens which are tried and tested on a worldwide blockchain with smart contracts. Leveraging the features of blockchain (decentralisation, non mutability) and smart contracts (programmable tokens) it is possible to build fully decentralised solutions which offer individuals the functionality of an exchange or lending service using smart contracts, pooling and peer-to-peer transactions.  This infrastructure does not require a centralised party to operate.So far so good…
  3. Governance, Risk and Compliance
    And here we hit the problems! In Europe we have introduced regulations which safeguard consumers and investors from malafide parties and ensure the prudent operation of financial infrastructure.  One such set of regulations is known as MiFID5 which came into force in early 2020.  Under this regulation, blockchain platforms offering crypto wallets, custodial services and transactions had to apply regulations including identifying parties involved and screening for criminal activity.This may seem cumbersome to fast paced innovative entrepreneurs, but it prevents the type of scam for which SushiSwap is now considered an example.  It also ensures that investors, both consumers and professionals, have recourse to legal action when a malafide player deliberately misleads or even breaks the law.We have created regulations for a reason! For DeFi to succeed, and I sincerely believe it will, we need to take Governance, Risk and Compliance seriously within the world of blockchain.  This means moving on from the libertarian and machiavellian roots of this wonderful technology and accepting that it too should respect the law.

This will enable DeFi to blossom as opposed to becoming Sushi!

To learn more about Decentralised Finance, follow our Blockchain learning paths.

Managing risk in agile organisations

The concept of agility is currently being extended to apply to governance and organisation, business functions such as operations, and corporate support functions such as IT and HR, but what are the implications for risk management?

Read more

Teaching the caterpillar to fly

Quite often I am being approached by clients with the following request.

“The level of risk management in our organisation needs to go up, so I think my people need training. I am looking for some basic training in – for example – risk appetite, risk identification and risk assessment?”

We should stop treating training as a solution

There is a big chance that, over the course of your career, you picked a training course (or worse: you have been sent to one) that did not lead to a change in the way you worked. Although it was enjoyable and the facilitator knowledgeable, the added value of the training to the organisation was most likely limited, questionable or not known.

Still, one of the first solutions that springs to mind to help increase the performance of a team or an organisation is send people to a training. In a way, this is not strange, since everybody has been to school and therefore grown up with the idea that training is the way to develop oneself. This has led to a still persistent belief that learning equals training and that training is the be-all and end-all to performance improvement.

I would like to plead for a more critical approach to the use of training (and more people with me (see for example Tulser 2009)), because:

  1. learning new skills will only create value to the organisation in specific circumstances
  2. the value of the training needs to expressed as results for the entire organisation
  3. reaping the benefits often involves a much broader set of interventions than just training

Learning itself needs to be aligned to the work environment of the professional and address his/ her development needs

Let’s look at the client question above. Yes, training can be a great way to kickstart the development of new skills or improvement of existing skills. It is good practice to use regular training, for example through e-learning, to maintain a good level of risk awareness and knowledge of basic risk management principles, i.e. the risk management foundation. Also, training can be a great way to help risk managers be better prepared for their future business environments, characterised by for example new business models, shifting risk profiles, disruptive technologies, digitisation and automation, ecosystems, platforms and agile ways of working.

What happens often in practice is that old internal risk management training material is given a good dusting down and brought back to life or standard external off-the shelf training courses are chosen. We know, however, that the effectiveness of learning is significantly increased if the learning environment closely resembles the work environment of the professional where the multiple skills also interact in a complex way (knowledge, application, behaviour, attitude). This is because the improvement opportunity presumably lies not so much in the knowledge of the risk management instruments themselves. It should instead be sought in the skills that enable professionals to apply the instruments within the context of the business and product domains, or in the soft skills that enable a risk manager to effectively and proactively challenge and advice the business on policy areas or risk appetite (e.g. through more emphasis on soft controls).

This means that the context within which one learns and applies these skills is a crucial factor for the success of the training. A training purely focused on the instruments most likely will not have a big impact on the organisation. The challenge is to define a solution that addresses the actual learning and development needs and appropriately reflects the work environment of the employees.

Learning new skills will only create value if a skills gap exists causing a lower performance

Developing (new) skills will only lead to added value to the organisation if the existing performance is too low because of the skills gap (knowledge, behaviour, attitude).

Senior management often wants a training without having done a solid investigation into the nature and root causes of the organisational performance issue: why is it that our risk management maturity level is not what it should be? Is it really caused by a shortage of skills or could there be other reasons? Consequently, there is a lack of understanding of what is needed to address the issue. This leads to a situation which is a breeding ground for unmet expectations and the training could prove to be a costly intervention.

To make it worse, external training providers tend to overestimate training outcomes and substitute these for value add to the organisation. They raise expectations of senior management who rely on the training being the solution to their problem and have a high likelihood of becoming disappointed since the effect of the training intervention will most likely be limited.

It is like teaching the caterpillar to fly.

Focus on evaluate the value to the business

Investigating the nature and root cause of the issue also provides essential input to the quantification of the value of the performance improvement opportunity.  I am a strong advocate of measuring the business impact and value to the organisation for three reasons: 1) to improve the learning programme itself, 2) to maximize the transfer of learning into actual behaviours of the participants and tangible results, and 3) to demonstrate the value of training to the entire organisation.

Let us assume that a skills gap is indeed present and that this gap is a significant cause of the performance of the team or the organisation to be low. Management can then build a business case comparing the costs of doing nothing, versus the costs and the benefits of the training. Skipping this step, however difficult it might be, will lead to a situation where senior management clearly sees the costs of the proposed intervention, without having enough insight in the quantitative and qualitative benefits to the organisation. This obviously undermines sound decision making and makes it difficult, if not impossible, to steer management away from choosing the cheapest option.

Too often training is found to be “non-essential” and during cost reductions becomes one of the first programmes to be cut. Each time this has happened, one factor they have in common – the value of the programme was not evaluated at the right level.

Kirkpatrick (1994) introduced four levels of evaluating training programmes. The four steps of evaluation are:

  • Step 1: Reaction – How well did the learners like the learning process?
  • Step 2: Learning – What did they learn? (the extent to which the learners gain knowledge and skills)
  • Step 3: Behaviour – What changes in job performance resulted from the learning process? (capability to perform the newly learned skills while on the job)
  • Step 4: Results – What are the tangible results of the learning process in terms of reduced cost, improved quality, increased production, efficiency, etc.?

Often, step 1 and 2 is where the evaluation stops. We call this the happy sheet: the participants fill out an evaluation form stating they liked the training, it was fun, the trainer was knowledgeable and if they were motivated they may have learned something new. What does this tell you? It may make you feel good that the participants enjoyed the training, but there are no actual results here. Therefore, this holds little meaning unless accompanied by real results.

Step 3 and 4 are essential to demonstrate the strategic value to the organisation. Indeed, this is where you must start. If you do not know your end goal how do you know what you need to teach? Determining upfront the expected value to the organisation – i.e. the results at level 4 – is crucial to build a solid business case, to define the performance indicators to measure benefits realisation and prove the programme has impact.

When the resources, processes and values of the organisation are not aligned, even the best learning programme will not help

As soon as concrete skills with tangible benefits to the organisation have been determined a diagnostic assessment can help to identify the learning and development needs of the target population. Even if we did close the existing skills gap, however, this may not necessary lead to a higher performance, since training will not solve any other issues that may be present.

Firstly, often, multiple reasons can be identified that cause the level of risk management to be lower than desired, for example due to capacity constraints, low levels of risk awareness, lack of first line of defence ownership, ineffective processes, knowledge drain due to staff turnover, lack of clarity around roles and responsibilities etc. Some research (Deming (2000) and Rummler (2004)) even shows that approximately 80% of the organisational challenges are not caused by a shortage in skills of the employees, but due to other barriers and issues in the work environment.

Secondly, new skills need to become an integral part of the way people work and behave. This will only happen if there is ample space to put these into practice and when other barriers are removed. In other words, if the processes (ways of working, organisation, communication, etc) and values (decision making, culture, etc) do not allow employees to put the new skills into practice even the greatest learning programme will not be able to address the performance issue.

For example, one insurance company sent a group of their talented managers to a programme to boost their innovative capacity. Senior management was disappointed when nothing changed upon their return. Existing processes, structures, performance drivers and decision making were not aligned to the new way of thinking and stifled any the initiatives.

Learning is the first step in a behavioural and organisational transformation

What, then, would be the best way to learn and develop these skills and how we can capture the most value of this investment? To answer this question it is important to realise that learning new skills and applying these in practice requires a fundamental change in the way we act and operate.

And changing our behaviour is very difficult.

We are often comfortable in our status quo and derive an important part of our identity – who we think we are – from what we do. If we are being asked to change the way we do things, we need to let go of a part of who we are and transition to a new – unknown – image of ourselves (a new status quo): a new identity.

This requires a structured approach with a set of interventions that follow a specific order and patience.

We generally go through  several steps in a change process:

  1. Mindset: being open to change and having a mindset that allows oneself that things can be done differently
  2. Awareness: seeing how things can be or should be done differently – a vision of the new situation and what this means for us
  3. Intrinsic motivation: Recognising that it is worth making the transition – value to the organisation and – importantly – for yourself
  4. Ability: Learning new skills and having access to tools in support of the transition
  5. Opportunity: Applying the new skills and tools in practice and integrate them in day-to-day operations

The speed and duration of going through these steps vary per person. Skipping one or more of them may have a negative impact on the outcome or time needed for the behavioural and organisational leading to the performance enhancement.

This also means that a one-off training exercise will have limited effect. Isolated classroom based trainings are truly outdated. Learning will be more effective where the learning activities are a mix of on-the-job (online, eLearning’s, microlearning available upon request of the professional) and off-the-job (traditional formal setting). This is called blended learning and it is a great way of embedding continuous learning in your organisation what is required to solve many of today’s real life challenges.

Dominant logic and importance of mindset

The change programme will have a greater effect or will be embraced more quickly if participants themselves see that things must change. They will participate more actively if they clearly see the benefits of the transition and if these are higher than the pain of remaining in the status quo.

A key enemy of change and innovation are cultural norms; something also called dominant logic, or institutionalised thinking. It is driven by the established beliefs within organisations and acts as a blinder to peripheral vision, thereby impacting openness and receptivity to new ideas and constraining creative thinking.

We need to be aware of these established beliefs have the mindset, ability and opportunity to push ourselves to get out of our comfort zones. Senior management needs to create a positive and stimulating environment to support this transition actively demonstrating tone-at-the-top behaviour, sponsoring, coaching and aligning governance and performance management.

Combining learning and other performance improvement initiatives – a case study

In a recent project for a large Dutch bank, we developed a learning and development programme as part of a wider initiative aimed at developing their risk professionals towards becoming risk managers of the future. An important part of the learning activities were designed to increase the knowledge of disruptive technologies and their impact on the organisation’s business models and associated risk profile.

The programme was set up in a way that even the formal training consisted of 20% listening and 80% doing. The participants were asked to identify areas for improvement in their current environment, leveraging new technologies, new skills, etc. A shortlist of ideas were chosen and further developed in teams – in an agile way. The best ideas were pitched to a panel of senior business executives (Dragons’ Den), who picked a winning idea based on several criteria, including innovative character, value to the business, ease of implementation. Senior management committed budget and resources to further develop, test, refine and roll out the idea in practice.

This example shows how developing new skills through training can go hand in hand with other performance improvement initiatives, whilst a concrete opportunity is given to the professionals to put these skills into practice.

One cannot become a butterfly by remaining a caterpillar

We should stop treating training as a solution. One has to go through a process of change which involves becoming less and less of a caterpillar while becoming more and more of a butterfly. We need to recognise that any transformation process is uncomfortable and that it takes confidence, commitment and intrinsic motivation to go through the change process and actually implement something. Management needs to understand this and in order to provide the level of support needed to create a somewhat different future.

By constraining our thinking, we are limiting the potential of our people to develop, innovate and transform themselves and our organisations. Developing new skills will only create value to the organisation if a skills gap exists that causes the performance of a team or an organisation to be lower than required/ expected. Often, realising tangible results for the business involves a much broader set if interventions than just training and should be viewed as a driver of organisational transformation. Tying your training to business objectives and evaluating the real results to the entire organisation is what drives success.

I will leave you with a few questions:

  • How do you determine the success of your (risk management) training?
  • Did you design the training/ learning programme what the end in mind?
  • What behaviours are you trying to change?
  • What skills and knowledge are needed to accomplish this?
  • How are you going to continue to support participants after the training is over?

Three lines of defence: a panacea?

AXVECO performed a short survey among Dutch Financial Institutions to establish whether the three lines of defence model was still viewed as valid and identify implementation challenges.

Read more

The route to a strong risk culture – 5 tips

Following the global economic crisis, financial institutions have embraced the imperative to enhance their risk management capabilities. In many cases, the maturity of hard controls needed enhancing, but, as we have seen from more recent incidents, this has not fully addressed the risk management challenges.

Banks, insurance companies and asset managers launched an extensive range of improvement programmes to redesign frameworks, policies, procedures and instruments (hard controls) to detect and mitigate potential risks. The effectiveness of hard controls to address the risk of incidents is limited however, for two reasons:

  • Firstly, risk management instruments and procedures can only be effective when they are used in the right way and at the right moment.
  • Secondly, research tells us that more procedures, more rules or more regulation leads to a decline in clarity and employee accountability, which in turn lowers the quality of professional judgement and commitment to living up to ethical standards.[1]

A problematic risk culture is often found to be at the root of major incidents. ‘Risk culture’ denotes the values and beliefs about risk (and compliance) and the mindset and behaviour towards risk of individuals and groups within an organization. It is a way of thinking and embedded within the organisation’s DNA through core values, patterns of behaviour, involvement, empowerment, transparency and tone at the top. It determines the collective ability of an organisation to identify and understand, openly discuss, and act on the organisation’s current and future risks.

It is important to note that a strong risk culture does not imply taking as little risk as possible, but instead helps companies consciously take appropriate risks that fit the risk appetite, vision and strategy.

Risk cultures, of course, may differ per organisation and may provide a competitive edge to companies, if implemented well. As part of our recent roundtable with CROs and Senior Risk Managers, AXVECO conducted a survey on risk culture amongst 18 financial institutions to see how much and on what aspects they may be different. The results of the survey and related discussions with participants indicate that there is a wide spread in the degree to which risk culture is prioritised on the agenda within companies as well as the perceived strength of the existing risk cultures.

Regulatory scrutiny

Since the financial crisis, supervisory scrutiny on risk culture has significantly increased. Regulators recognise that cultures may differ and see a “mono-culture as undesirable since it diminishes diversity”. The conduct authority in The Netherlands, Autoriteit Financiele Markten, (“AFM”), traditionally supervises conduct and culture within Dutch financial institutions[2], such that they act in the best interest of customers, public interest and the effectiveness of the financial markets. Their centre of expertise has combined forces with the University of Utrecht to integrate scientific research with practical implementations. Further, the Dutch prudential authority, De Nederlandsche Bank (“DNB”), have increased their focus on culture and awareness [3]over the years, including the establishment of a centre of expertise with professionals from governance, risk, change and organisation psychology. They perform regular onsite visits and thematic reviews to assess the appropriateness of risk cultures at financial institutions.

5 tips to help companies with making a start with developing their risk culture


Tone at the top, noise in the middle

Risk culture is a board responsibility. The behaviours and attitudes of the top executives of a company have a disproportionate impact on the risk culture of a company. The best way to start improving your risk culture as a company is therefore by making sure the top executives establish the right tone of the top. Top executives should be aware of their role model status and walk the talk to create the right risk culture awareness within their organisation. Attention should be given to instilling and growing the right culture and behaviours at the level of middle management – the top 100 or so of directors and management teams which direct business activity. Without this, the employees experience ‘noise’ as their seniors’ behaviour may differ from that desired by the board.

Communication is key

Building a strong risk culture starts with defining  a clear risk vision, strategy and appetite. These set the values, believes and boundaries that guide the desired behaviours. What is even more important though is to communicate the risk vision, strategy and appetite very clearly and repeatedly in the organisation. Our research on risk culture points out that in 69 % of the companies, senior executives drafted a risk vision, strategy and appetite, but only 39% of the companies communicated these clearly in the organisation. Consequently, the awareness amongst employees of the risk vision, strategy and appetite was relatively low (rated as sufficiently aware in 33% of the companies). The lack of awareness makes it very hard for employees to behave in the way that best suits the risk vision, strategy and appetite.

Create an adaptive organisation

An adaptive organisation is an organisation that is able to keep up with rapid changes in the environment and is entrusting decision making power and associated resources to its employees. This type of organisation is the most resilient in terms of risk culture. Adaptive organisations are formed by creating an atmosphere within the company whereby employees are encouraged to speak up and challenge the way things are done. Stimulate discussion and bottom-up input and consider agile and new forms of organising change. Employees should feel free to voice their opinion and raise the alarm in case they detect undesirable risks in the company. Mistakes and failures should be used to learn from. This can be done within the organisation, but also between organisations. The platform is an example of an initiative of fintech companies to organise conferences for learning from each other’s mistakes. Next to that, make sure there is an accurate system of countervailing power in place. Prevent blaming and share lessons learned throughout the organisation.

Make the risk culture explicit in the performance review process

Establishing an appropriate risk culture can be a long-term process that requires dedication of (senior) management. Even if all involved managers are sufficiently aware of the importance of building a sound risk culture, it is advisable to ensure their dedication by explicitly setting goals for risk culture. It is important to realise that an implied vision on risk culture is not enough. The perceived risk culture amongst employees might deviate from your implied vision.  One can therefore think of measuring the risk awareness amongst employees or the perceived openness to challenge. By embedding these goals in the yearly performance reviews, companies can make sure risk culture will stay on the agenda of (senior) management.

Use a structured framework

Our research on risk culture indicates that many financial institutions struggle to measure their risk culture and create a transparent picture that illustrates the strengths and weaknesses of the aspects of their risk culture. Having such insight, however, provides an incredible strong foundation for any change initiatives. A structured framework is crucial to map out the desired risk culture and to measure the perceived risk culture and the effect of risk culture optimisation initiatives. An example framework is shown below in Figure 1, consisting of four main areas and 18 sub-areas.

Since risk culture is not a static concept but evolves over time in relation to events in the organisation and in the environment of the organisation, it is necessary to assess the risk culture on a recurring basis.  AXVECO’s risk culture optimisation stairway, shown in Figure 2, can serve as a basis for a cycle of continuous improvement.

Figure 1 – AXVECO risk culture framework.

Figure 2 – AXVECO risk culture optimisation stairway.

Initiatives to align the risk culture with the organisation’s risk vision, strategy and appetite are a smart investment since they can help companies reach their strategic goals and prevent expensive scandals and incidents. Next to that, we have seen a heightened focus from regulators on companies’ risk cultures. Therefore there are enough reasons to start improving your organisation’s risk culture. The 5 abovementioned tips give a starting point for building a sound risk culture.

For more information see our online Risk Management eLearnings.

[1] Katz-Navon (2005), Knights V Collinson (1987), Grandpre, Alvaro, Burgoon, Miller & Hall (2003)

[2] See for example AFM publication: ‘Mag ik van u twee frappuccino’s en één integrale cultuurverandering?’

[3] See for example the very recent publication: Gedrag en Cultuur in de Nederlandse financiële sector.