Despite major investments in improving risk management and internal control, current risk management frameworks still prove to be costly and highly ineffective. What is going on, and how can things be done differently?
Spring is in the air and the terms Agility, FinTech and Hostile Shareholders echo across the polder.
The concept of agility is currently being extended to apply to governance and organisation, business functions such as operations, and corporate support functions such as IT and HR, but what are the implications for risk management?
Following the global economic crisis, financial institutions have embraced the imperative to enhance their risk management capabilities. In many cases, the maturity of hard controls needed enhancing, but, as we have seen from more recent incidents, this has not fully addressed the risk management challenges.
Banks, insurance companies and asset managers launched an extensive range of improvement programmes to redesign frameworks, policies, procedures and instruments (hard controls) to detect and mitigate potential risks. The effectiveness of hard controls in addressing the risk of incidents is limited, however, for two reasons:
- Firstly, risk management instruments and procedures can only be effective when they are used in the right way and at the right moment.
- Secondly, research tells us that more procedures, more rules or more regulation leads to a decline in clarity and employee accountability, which in turn lowers the quality of professional judgement and commitment to living up to ethical standards.
A problematic risk culture is often found to be at the root of major incidents. ‘Risk culture’ denotes the values and beliefs about risk (and compliance) and the mindset and behaviour towards risk of individuals and groups within an organization. It is a way of thinking and embedded within the organisation’s DNA through core values, patterns of behaviour, involvement, empowerment, transparency and tone at the top. It determines the collective ability of an organisation to identify and understand, openly discuss, and act on the organisation’s current and future risks.
It is important to note that a strong risk culture does not imply taking as little risk as possible, but instead helps companies consciously take appropriate risks that fit the risk appetite, vision and strategy.
Risk cultures, of course, may differ per organisation and may provide a competitive edge to companies, if implemented well. As part of our recent roundtable with CROs and Senior Risk Managers, AXVECO conducted a survey on risk culture amongst 18 financial institutions to see how much and on what aspects they may be different. The results of the survey and related discussions with participants indicate that there is a wide spread in the degree to which risk culture is prioritised on the agenda within companies as well as the perceived strength of the existing risk cultures.
Since the financial crisis, supervisory scrutiny of risk culture has significantly increased. Regulators recognise that cultures may differ and see a “mono-culture as undesirable since it diminishes diversity”. The conduct authority in the Netherlands, Autoriteit Financiële Markten (“AFM”), traditionally supervises conduct and culture within Dutch financial institutions, such that they act in the best interest of customers, the public interest and the effectiveness of the financial markets. Its centre of expertise has combined forces with the University of Utrecht to integrate scientific research with practical implementations. Further, the Dutch prudential authority, De Nederlandsche Bank (“DNB”), has increased its focus on culture and awareness over the years, including the establishment of a centre of expertise with professionals from governance, risk, change and organisation psychology. DNB performs regular onsite visits and thematic reviews to assess the appropriateness of risk cultures at financial institutions.
5 tips to help companies make a start on developing their risk culture
Tone at the top, noise in the middle
Risk culture is a board responsibility. The behaviours and attitudes of the top executives of a company have a disproportionate impact on the risk culture of a company. The best way to start improving your risk culture as a company is therefore by making sure the top executives establish the right tone at the top. Top executives should be aware of their role model status and walk the talk to create the right risk culture awareness within their organisation. Attention should be given to instilling and growing the right culture and behaviours at the level of middle management – the top 100 or so of directors and management teams which direct business activity. Without this, the employees experience ‘noise’ as their seniors’ behaviour may differ from that desired by the board.
Communication is key
Building a strong risk culture starts with defining a clear risk vision, strategy and appetite. These set the values, beliefs and boundaries that guide the desired behaviours. What is even more important, though, is to communicate the risk vision, strategy and appetite very clearly and repeatedly in the organisation. Our research on risk culture points out that in 69% of the companies, senior executives drafted a risk vision, strategy and appetite, but only 39% of the companies communicated these clearly in the organisation. Consequently, the awareness amongst employees of the risk vision, strategy and appetite was relatively low (rated as sufficiently aware in 33% of the companies). The lack of awareness makes it very hard for employees to behave in the way that best suits the risk vision, strategy and appetite.
Create an adaptive organisation
An adaptive organisation is an organisation that is able to keep up with rapid changes in the environment and entrusts decision-making power and associated resources to its employees. This type of organisation is the most resilient in terms of risk culture. Adaptive organisations are formed by creating an atmosphere within the company whereby employees are encouraged to speak up and challenge the way things are done. Stimulate discussion and bottom-up input and consider agile and new forms of organising change. Employees should feel free to voice their opinion and raise the alarm in case they detect undesirable risks in the company. Mistakes and failures should be used to learn from. This can be done within the organisation, but also between organisations. The platform thefailcon.com is an example of an initiative of fintech companies to organise conferences for learning from each other’s mistakes. Next to that, make sure there is an accurate system of countervailing power in place. Prevent blaming and share lessons learned throughout the organisation.
Make the risk culture explicit in the performance review process
Establishing an appropriate risk culture can be a long-term process that requires dedication of (senior) management. Even if all involved managers are sufficiently aware of the importance of building a sound risk culture, it is advisable to ensure their dedication by explicitly setting goals for risk culture. It is important to realise that an implied vision on risk culture is not enough. The perceived risk culture amongst employees might deviate from your implied vision. One can therefore think of measuring the risk awareness amongst employees or the perceived openness to challenge. By embedding these goals in the yearly performance reviews, companies can make sure risk culture will stay on the agenda of (senior) management.
Use a structured framework
Our research on risk culture indicates that many financial institutions struggle to measure their risk culture and create a transparent picture that illustrates the strengths and weaknesses of the aspects of their risk culture. Having such insight, however, provides an incredibly strong foundation for any change initiatives. A structured framework is crucial to map out the desired risk culture and to measure the perceived risk culture and the effect of risk culture optimisation initiatives. An example framework is shown below in Figure 1, consisting of four main areas and 18 sub-areas.
Since risk culture is not a static concept but evolves over time in relation to events in the organisation and in the environment of the organisation, it is necessary to assess the risk culture on a recurring basis. AXVECO’s risk culture optimisation stairway, shown in Figure 2, can serve as a basis for a cycle of continuous improvement.
Figure 1 – AXVECO risk culture framework.
Figure 2 – AXVECO risk culture optimisation stairway.
Initiatives to align the risk culture with the organisation’s risk vision, strategy and appetite are a smart investment since they can help companies reach their strategic goals and prevent expensive scandals and incidents. Next to that, we have seen a heightened focus from regulators on companies’ risk cultures. There are therefore enough reasons to start improving your organisation’s risk culture. The 5 abovementioned tips give a starting point for building a sound risk culture.
 Katz-Navon (2005), Knights V Collinson (1987), Grandpre, Alvaro, Burgoon, Miller & Hall (2003)
 See for example the very recent publication: Gedrag en Cultuur in de Nederlandse financiële sector.