Risk culture 15 years on from the financial crisis

“The culture of an institution can defeat its formal governance,” wrote the Financial Stability Board in a 2017 report to G20 leaders. Since the 2008 financial crisis, there’s been increasing interest in behaviour and culture. They are felt to have been important determinants of the crisis and of many misconduct cases.

Fifteen years on, the world is a different place. We’ve seen a global pandemic, the Ukrainian war, cryptocurrencies going mainstream, banks failing and merging. Yet although the context has changed, the need for a healthy risk culture remains undiminished.

After briefly looking at culture and its importance, we consider the degree to which policies and procedures, measurements, and metrics can be helpful. We explore the characteristics of a good risk culture. And the role of risk managers in helping determine a risk culture.

What is culture? And why is it important, anyway?

Culture shapes how things are done. It determines what’s valued and what’s not within an organisation. The Institute of Risk Management (IRM) proposes an A-B-C approach to explaining how this works in practice, where ‘A’ stands for ‘attitude’, ‘B’ stands for ‘behaviour’ and ‘C’ stands for ‘culture’.

The culture of a group arises from the repeated behaviour of its members. The behaviour of the group and the individuals within it is shaped by their underlying values, beliefs, and attitudes. But are also influenced by the prevailing culture in the organisation.

The importance of culture comes as regulators and others have acknowledged that rules and enforcement can only go so far. Enquiries into the banking collapse and failures of safeguarding for children in care have both concluded that improvement does not come from more procedures and tighter compliance. Rather, the IRM found that it comes from addressing leadership, cultural and behavioural issues.

Beware a culture of measurement and metrics

Policies, processes, and procedures are unlikely to cover every scenario or eventuality of business now and in the future. But what of measurement and metrics? To what degree can they be helpful in guiding and assessing performance?

In 1986, the American management guru, Tom Peters, embraced the motto “What gets measured gets done,” which became a cornerstone belief of metrics. However, measurement and the related discipline of metrics come with health warnings.

“Used properly, measurement can be a good thing. So can transparency. But they can also distort, divert, displace, distract, and discourage,” warns Jerry Muller in his 2019 book The Tyranny of Metrics.  It pays to be aware of the recurring flaws in any system of measurement and metrics.

The obvious ones are measuring the most easily measurable, measuring inputs rather than outcomes, or measuring the simple when the desired outcome is complex, cautions Muller. Beware also of attempts to ‘game the stats’ by lowering standards, omitting, or distorting data, or flat-out cheating. Or when measurement and metrics are used without an awareness of culture and context.

Just as too much procedure and measurement can be counterproductive, so can too much regulation. This realisation is influencing the move towards more principles rather than rules-based regulation. Regulators are increasingly designing regulation that describes how to achieve an outcome rather than what prescriptive steps to take.

The same is true for culture. Not all organisations are the same. Nor are all risks. So, it follows that they do not need the same risk cultures. Taking a principles-based approach and embedding a healthy culture allows organisations to combat the risks relevant to them in a cost-effective, flexible, and proportionate way.

What does a good risk culture look like?

An effective risk culture is one that enables and rewards individuals and groups for taking the right risks in an informed manner, says the IRM in its 2012 report. In practical terms, this means having a distinct and consistent tone from the top around risk-taking and avoidance. Plus, a commitment to ethical principles and continuous management of risk.

There’s a transparent and timely flow of risk information up and down the organisation. Risk event reporting and whistle-blowing are encouraged, as the organisation seeks to learn from past accidents or near-misses.

No process or activity is too large, complex, or obscure for the risks to be readily understood. Appropriate risk-taking behaviours are rewarded, just as inappropriate ones are challenged and sanctioned. Risk management skills and knowledge are valued, encouraged, and developed.

“The least questioned assumptions are often the most questionable,” as the nineteenth-century French physician and anthropologist Paul Broca reputedly said. A good risk culture includes a sufficient diversity of perspectives, values, and beliefs to consistently challenge the status quo, actively manage, and improve the risk culture.

What can risk managers do to drive the right risk culture?

Risk managers can promote the characteristics of a good risk culture. They are also well placed to remind their organisations that culture is organic. Just as policies, procedures, risk assessments and so on, culture needs to be monitored. They can ensure that their organisations commit to reviewing their approach regularly.

Web Shield runs Online Academy courses on merchant acceptance and underwriting, monitoring and anti-money laundering. The courses are packed full of practical, real-life information and case studies to help risk professionals recognise various risks. The courses offer advice on how to manage and monitor risk exposure and develop a healthy risk culture.