Establishing and Nurturing an Effective Risk Culture

Enabling the Chief Risk Officer’s Success
FOURTH IN A SERIES

This latest installment of our CRO Series addresses establishing and nurturing a learning culture with regard to risk. Learning is dynamic, ever-evolving, stimulating, and fun, and simply a prudent thing to do when risk is involved. The openness and transparency so necessary to an effective learning environment in managing risk is largely driven by the organization’s risk culture, as there is a circular relationship between the two. Learning in this sense is not confined to individuals, but directed more to the organization.

Building on prior installments of our CRO Series covering the importance of effective board risk oversight and CRO positioning within the organization, this white paper focuses on risk culture because it is a topic in which regulators have a keen interest. Organizational learning is supportive of an effective risk culture that in turn is supportive of effective risk management. Supported by empirical research, this white paper explores such topics as the attributes of successful learning organizations, the importance of risk culture in financial services, challenges in making risk culture actionable, success factors for an effective risk culture, physical and behavioral characteristics of risk culture, a process for strengthening risk culture, and how the CRO can facilitate the development of an effective risk culture.

PROTIVITI  •  ESTABLISHING AND NURTURING AN EFFECTIVE RISK CULTURE

Introduction

In a white paper issued in late 2010, Protiviti inaugurated a series addressing critical challenges faced by financial services chief risk officers (CROs). The paper introduced five “secrets” of what we referred to as the “winning hand” for CROs, using an analogy of the game of poker.1 This initial paper noted that changes being implemented across the financial services industry – through enhanced oversight, more rules and regulations, increased transparency and better governance, among other things – may fall short of expectations if the secrets we cited in the paper were not addressed.

Since the release of the inaugural paper, we have issued separate white papers addressing two of the five secrets. The first, constructive board engagement, covered the importance of understanding the current state of board risk oversight and how effective risk oversight enables the CRO’s success.2 The second, effective positioning of the risk management organization, stressed that the CRO must have a seat at the table and provide an effective line of defense in protecting enterprise value through an objective and, if necessary, contrarian perspective about strategies, plans, transactions and deals that is expected and respected by executive and line management.3

This latest installment of our CRO Series addresses another secret: establishing and nurturing a learning culture with regard to risk. Returning to our analogy, great poker players are smart, witty and seemingly impulsive at times; they are this way because they are aggressive learners poised to take advantage of the information revealed with each “turn of the cards.” The best poker players are more informed risk takers, partly because they are highly motivated learners. Failure to learn and adapt in poker (game to game, hand to hand) makes losing inevitable.
Learning is dynamic, ever-evolving, stimulating, and fun, and simply a prudent thing to do when risk is involved. Such is the case with individuals, who begin learning at birth and consistently evolve into knowledgeable adults. It is from this beginning that the value of a “learning culture” is first understood. Some individuals are lifelong learners who consistently strive to better themselves and try new things. Those individuals are the better poker players, athletes, coaches and executives. Why? Because they analyze and evaluate every situation and strive to evolve their skills in response to change – just as poker players analyze every card, hand and player to learn from every moment at the table. That’s the discipline of the culture.

The question arises as to how the CRO can ensure that organizational learning is supportive of effective risk management. We believe answering this question effectively will help shape and support an effective risk culture. This white paper explores how this can be accomplished while dealing more specifically with strengthening risk culture.

1 The inaugural release of our CRO Series, The Name of the Game Is Risk: Secrets of the Winning Hand, is available at www.protiviti.com/en-US/Documents/White-Papers/Risk-Solutions/CRO-Series1-Secrets-Winning-Hand-Protiviti.pdf. It was published in 2010.
2 The second release in our CRO Series, Constructive Engagement Through Effective Board Risk Oversight: Enabling the Chief Risk Officer’s Success, is available at www.protiviti.com/en-US/Pages/Constructive-Engagement-Through-Effective-Board-Risk-Oversight.aspx. It was published in 2011.
3 The third release in our CRO Series, Effective Positioning of the Risk Management Organization, is available at www.protiviti.com/en-US/Documents/White-Papers/Industries/CRO-Series3-Effective-Positioning-Risk-Mgmt-Protiviti.pdf. It was published in early 2013.
A Synergistic Relationship

An organization’s learning culture is the environment in which the knowledge and skills of its people and the quality, time, innovation and cost performance of its processes are developed and improved continuously. It is the composite of formal and informal processes for (1) analyzing data, information, knowledge, perceptions, actions and motivators in a changing business environment and (2) using that analysis to synthesize necessary improvements to business policies and processes to ensure that emerging opportunities and risks are considered in an appropriate manner.

In essence, a positive learning culture is able to analyze the institution’s experience and distill its learnings into necessary changes in processes and decision-making behavior. It embraces and encourages such things as critical thinking, fresh ideas, maximum employee participation and quality feedback loops. It facilitates the pursuit of opportunities and undertaking of risks and all that entails, including the inevitability of mistakes that stimulate further learning.

From a risk management standpoint, the learning environment has a strong influence on risk culture and, therefore, on how executives and employees perceive risk and make risk/reward decisions. However, an enterprise’s risk culture is influenced by other things as well, including its leadership, “tone at the top,” decision-making processes and risk governance (see below).
Strong Risk Cultures Demonstrate:
• Viable and consistent role modeling from senior leadership; core values practiced in daily actions
• A clear and well-communicated risk strategy
• Transparent and coordinated decision-making
• Continuous and constructive challenging of preconceptions, decision-making and actions
• High standards of analytical insight and information-sharing at all levels
• Rapid escalation of threats and concerns
• Failures used as critical learning opportunities
• Incentives that encourage all members to “do the right thing” while considering the overall health and operation of the organization
• Focus on external stakeholders of risk (e.g., customers, markets, societies)

[Figure: Key Drivers of Risk Culture. The drivers shown are leadership and “tone at the top”; strategy; decision-making; risk governance structure; recruitment, training and competence; reward; and learning environment, all feeding into risk culture.]
Successful CROs know that improvement of policies and processes continuously over time comes from recognizing that a successful organization “learns once” from its mistakes; therefore, mistakes must be shared across the company and acted upon to deepen the “institutional memory.” Four-way communications are vital to the sharing process – up, down and sideways within the enterprise. This is important, as the price of mistakes continues to rise significantly over time – from reputational damage to regulatory sanctions, external fines and litigation.

Like a poker player’s crushing “all in” loss, the financial crisis was a wake-up call for many CROs, reinforcement of a vision for a few and a lesson learned for all. For example, CROs learned a timeless reality of the table: Weak hands, falsely portrayed as better than they are, ultimately are called. And when a bluff is called in financial services, it’s not just the regulators that institutions need to worry about – it is the marketplace. As shareholders paid a huge price and taxpayers picked up the bailout tab for the “weak hands,” the financial crisis illustrated all too clearly that the stakes of reckless risk-taking have risen substantially.

This contribution of learning is most vital to sustaining an effective risk management system. There are many attributes of an effective learning organization; the accompanying table illustrates a few.
SOME ATTRIBUTES OF SUCCESSFUL LEARNING ORGANIZATIONS

Generic:
• Shared “future pull” vision
• Encourage commitment to:
  –– Lifelong learning
  –– Networking
  –– Systems thinking
  –– Pursuit of innovation
  –– Continuous improvement
• Team learning
• Transparency and access
• Outward-looking
• Strong performance discipline
• Differences embraced
• Mistakes not punished

Risk-Related:
• Risk integrated with strategy setting and other core management processes
• Risk embedded into day-to-day activities
• Disclosure of close calls rewarded
• Scenario sessions encouraged
• Circumstances and root causes leading to events analyzed
• Post-mortem analyses of key losses, near misses and control failures conducted

From a risk perspective, seeking out individuals to blame for failures, fostering a “shoot the messenger” atmosphere, rationalizing away critical learning opportunities to “protect enterprise value,” exhibiting dominant individual behavior, and/or encouraging groupthink by insisting that everyone get along in harmony will likely create obstacles to organizational learning. Positive learning and risk cultures are stimulated through an enterprisewide commitment to excellence, not protocols for punishment.

This white paper will focus on risk culture because it is a topic in which regulators have a keen interest. The openness and transparency so necessary to an effective learning environment in managing risk is largely driven by the organization’s risk culture. There is a circular relationship between the two. Learning in this sense is not confined to individuals, but directed more to the organization. The question is whether the organization itself is learning and adjusting its risk management capabilities as it learns. At stake are the benefits of positioning the entity to improve its capabilities continuously in an ever-changing business environment.
A positive risk culture should help the institution become more proactive in (a) recognizing unique opportunities or risks and (b) using that knowledge to evaluate risk/reward trade-offs and decision-making options to seize the initiative before others do.
Importance of Risk Culture in Financial Services

“Culture has always been there – we are trying to formalize it before the guardians all retire.”

“We are in the beginning stages of formally implementing a risk culture. It has been defined as being crucial to supporting our risk strategy.”
– CRO/senior risk executive commentary from the RMA/Protiviti survey4

Risk culture has gained relevance in the post-financial crisis era. In 2009, the Institute of International Finance defined risk culture5 as the norms of behavior for individuals and groups within an organization that determine the collective ability to identify and understand, openly discuss, and act on the organization’s current and future risk.

Regulators and other financial services bodies have given, and continue to give, guidance on risk culture to the industry. For example, in November 2012, the Financial Stability Board (FSB) released a G20 update report stating:

    Supervisors should further explore ways to formally assess risk culture. Establishing a strong risk culture at financial institutions is an essential element of good governance.6

In February 2013, the FSB released a thematic peer review report,7 discussing the progress of risk oversight at peer institutions and laying out areas for improving risk governance, including supervisory expectations for the risk management function, frequency of board and management engagement, and usefulness and accuracy of information provided to the board, among other things. In November 2013, the FSB released an updated report to provide additional guidance8 beyond that which was reflected in the November 2012 and February 2013 reports.
This latest report focuses on assessing risk culture and emphasizes foundational elements that contribute to a sound risk culture, and on identifying core practices and dynamics that may be indicators of the effectiveness of an enterprise’s risk culture. The important foundational elements cited, for systemically important financial institutions (SIFIs) in particular, include effective risk governance, an effective risk appetite framework and alignment of compensation for prudent risk-taking. To further elaborate on these elements:

• Risk governance – Encompasses the roles and responsibilities of the board, the CRO and the risk management function, and independent assessment of the risk governance framework.
• Risk appetite framework – Includes an effective risk appetite statement, clearly defined risk limits, and roles and responsibilities for the board of directors and senior management in establishing the approved risk appetite statement. Embedded in these principles is the assumption that financial institutions have the processes in place to establish their strategies and develop their business plans, and the models and systems to measure and aggregate risks.
• Compensation – Alignment of compensation with prudent risk-taking suggests that an employee’s compensation should account for the risks that the employee takes on behalf of the financial institution, and the employee’s performance in meeting the institution’s risk, compliance and other important policies.

In summary, the FSB’s point of view is that the determination of whether an institution’s risk culture is sound is based on the extent to which it governs its risk/reward decision-making processes, successfully executes its agreed-upon strategy within its defined risk appetite on a day-to-day basis, and structures its compensation practices to take into consideration prospective risks and risk outcomes that are already realized. The FSB’s view recognizes that risk culture is embedded in the overall corporate culture, which will evolve over time, and that there will be differences among institutions.

[Figure: Risk Culture Is the Keystone. Labels shown: Business Strategy, Risk Appetite, Performance Management, Risk Management, Culture.]

4 All references to “CRO/senior risk executive commentary” are from the Risk Management Association (RMA)/Protiviti survey findings. For more about the survey, refer to Risk Culture: From Theory to Evolving Practice, RMA and Protiviti, 2013: www.rmahq.org/File%20Library/ERM/RMA-Journal-Risk-Culture-article.pdf.
5 Reform in the Financial Services Industry: Strengthening Practices for a More Stable System, Institute of International Finance report, 2009: www.iif.com/press/press+125.php.
6 Increasing the Intensity and Effectiveness of SIFI Supervision, Progress Report to the G20 Ministers and Governors, November 2012: www.financialstabilityboard.org/publications/r_121031ab.pdf.
7 Thematic Review on Risk Governance, Peer Review Report, February 2013: www.financialstabilityboard.org/publications/r_130212.pdf.
8 Increasing the Intensity and Effectiveness of Supervision, Guidance on Supervisory Interaction with Financial Institutions on Risk Culture, November 2013: www.financialstabilityboard.org/publications/c_131118.pdf.
While there is no one-size-fits-all approach to risk culture, it is a top priority for senior management to instill a strong risk culture, requiring a sustained commitment and investment. Culture is the keystone that holds things together, providing a source of strength or weakness for the organization. An actionable risk culture helps balance the inevitable tension between (a) creating enterprise value through the strategy and driving performance on the one hand and (b) protecting enterprise value through risk appetite and managing risk on the other hand. In effect, it balances the push between strategy and risk appetite.
Challenges in Making Risk Culture Actionable

“Our mission, vision and values are founded in how we manage and address risk. The main issues are how to maintain our risk culture as we grow and others become part of the organization. Providing clarity in how risk culture functions and the increasing difficulty of delivering consistent messages as the organization grows present a challenge.”
– CRO/senior risk executive commentary from the RMA/Protiviti survey

Despite all the focus on risk culture over the past several years, substantial work remains, as the evidence below shows. In working with clients and drawing upon our industry experience, we have defined risk culture as follows:9

    The set of encouraged and acceptable behaviors, discussions, decisions and attitudes toward taking and managing risk within an institution that reflects the shared values, goals, practices and reinforcement mechanisms that embed risk into the institution’s decision-making processes and risk management into its day-to-day operations.

The results of two recent surveys of financial services executives that we conducted show risk culture is a challenge for many financial institutions. A full quarter (25 percent) of respondents to a survey we did with the Economist Intelligence Unit (“EIU/Protiviti survey”)10 identified risk culture as a key hurdle to improving risk management and compliance performance. In another survey we conducted with the Risk Management Association (“RMA/Protiviti survey”),11 only 37 percent of respondents noted they evaluate risk culture. From a size perspective, the number of institutions that evaluate risk culture increases with asset size: only 29 percent of respondents with assets less than US$10 billion evaluate risk culture, whereas 50 percent of respondents with assets in excess of US$250 billion evaluate risk culture.
However, this finding does not suggest that larger institutions are necessarily more effective and agile than smaller ones at making the tough decisions to reduce concentrations, exit risky markets and exercise caution in following the herd during times of high growth and high demand. It is true that smaller institutions may lack formality, but they also may be quicker to act on risk issues than their larger counterparts.

Another indicator of the difficulty of implementing an effective risk culture is revealed by the following statistic: Only 28 percent of respondents to the RMA/Protiviti survey noted that they believe risk culture is fully integrated into their respective organizations, whereas the majority (55 percent) said they believe risk culture is only a component of the risk management work stream. For risk culture to have an impact, it cannot be viewed as a stand-alone appendage that concerns only the risk management function.

The RMA/Protiviti survey respondents were asked to rank their top challenges in integrating risk culture into the enterprise’s culture. The following ranking shows the top five challenges noted.

Rank  Nature of Challenge
1     Lack of clear understanding on what needs to be implemented to improve risk culture
2     Lack of clarity about how risk culture works within the organization and, most importantly, at the level at which employees perform their respective daily activities
3     Insufficient tools and processes to establish or drive needed risk culture change
4     Insufficient financial and human resources to give risk culture sufficient attention
5     Lack of clear understanding of current culture

The first two challenges suggest there is a lack of understanding as to what risk culture is and how it is implemented and embedded into the organization’s daily activities. The resource challenge noted above manifests itself when viewing survey results by asset size (i.e., organizations with $10 billion or less in assets are more likely to report they are resource-constrained in terms of defining their risk culture and how to manage it than those institutions with $250 billion or more in assets).

Some other relevant observations are noted below (unless otherwise stated, all findings are from the RMA/Protiviti survey):

• A majority (57 percent) of the respondents noted their organization does not evaluate risk culture. Of the 37 percent of respondents who do evaluate risk culture:
  –– Only 28 percent asserted they could determine that over the past 12 months their risk culture prevented a significant and/or material event from negatively affecting the business;
  –– Thirty-two percent said their risk culture “probably” prevented a significant and/or material event; and
  –– Another 32 percent had no idea whether their risk culture was working.
  Our survey results suggest that nearly four out of five respondents have difficulty either understanding what risk culture is or how risk culture translates into actionable benefits. This dilemma presents a formidable challenge and emphasizes the importance of demonstrating to the board of directors, executive management and regulators that improving risk culture is an actionable task.
• One-third (33 percent) of respondents indicated that, while leadership expectations are defined, they are inconsistently communicated and understood. As a result, it is unclear to the institution’s personnel as to the overall direction of the risk culture and what it really means in practice. This lack of clarity could be a sign of the tone at the top and tone in the middle being out of alignment.
• Almost two-thirds (64 percent) of respondents were unsure whether risk culture prevented any significant event from negatively impacting their business. This result reflects the dilemma in general around measuring the effectiveness of risk management in either preventing such events or reducing their impact. Another interpretation is that individuals may not be executing their risk-related responsibilities consistently with expectations set by the enterprise’s risk appetite. The good news is that 63 percent of respondents believe employees at their institution are empowered to own and manage risk, suggesting that the problem may not be so much about understanding risk management as it is about determining how to manage risk at all levels of the entity on a daily basis.
• Some 35 percent of respondents believe their organizational complexity allows certain units to operate outside of established boundaries. This erodes confidence within the firm as to whether risk management really matters and has a direct effect on its risk culture.

9 This definition was derived from the one adopted by RMA and Protiviti in Risk Culture: From Theory to Evolving Practice, RMA and Protiviti, 2013: www.rmahq.org/File%20Library/ERM/RMA-Journal-Risk-Culture-article.pdf.
10 Restoring Confidence: Risk Management Capabilities in the Wake of the Financial Crisis, Economist Intelligence Unit (EIU) and Protiviti, 2013: www.protiviti.com/en-US/Documents/Surveys/EIU-Protiviti-Risk-Management-Capabilities-Survey.pdf. For additional information and research, please visit www.protiviti.com/EIUriskresearch.
11 Risk Culture: From Theory to Evolving Practice, RMA and Protiviti, 2013: www.rmahq.org/File%20Library/ERM/RMA-Journal-Risk-Culture-article.pdf.
• As the fourth-largest challenge, respondents noted that available financial and human resources limit their ability to assess and manage risk culture in their organizations. Similarly, 27 percent of respondents to the EIU/Protiviti survey noted resource constraints, including people, time and conflicting priorities, as an obstacle to risk and compliance management. In the EIU/Protiviti survey, the resource limitations issue was further compounded by regulatory uncertainties, and 25 percent of the respondents noted inadequate funding. There are several factors reinforcing this challenge:
  –– The financial capability to fund initiatives to drive risk culture is not unlimited. Organizations are consistently faced with the risk versus reward discussion and where to put their financial and human resources. Determining the best and highest use of resources remains a challenge across institutions of all sizes.
  –– Some organizations lack individuals with the requisite risk skill sets. In the EIU/Protiviti survey, 28 percent of respondents identified management skill sets as an obstacle to effective risk management. Only 10 percent of survey respondents believe competency in risk awareness and risk management is widely accepted as an entry-level requirement for all levels of management. Interestingly, in the same survey, 60 percent of respondents believe a risk management competency is either not recognized or exists only in pockets within their organization.
  –– Institutions may not have the sustainable infrastructure and/or processes in place to train individuals and drive risk competency and awareness throughout the firm. Only 37 percent of respondents believe their organizations have mechanisms in place for training, reinforcing, and ensuring shared objectives, whereas 63 percent of respondents believe it only somewhat exists or does not exist at all within the entity.
• On the positive side, seven out of 10 respondents (71 percent) believe the tone at the top from senior management is clear and consistent and sets appropriate expectations for employee behavior. However, countering this finding as stated above, only 28 percent of all respondents believe risk culture is fully integrated into their institution, and a majority (55 percent) believes risk culture is only a component of the risk management work stream. Overall, these results suggest that there is a top-of-the-house risk culture message being communicated, but individuals at various levels of the firm are not clear on how that translates into their daily risk-taking activities. This assertion may not be true in every case, as 71 percent of respondents involved in commercial credit and lending note that they understand the risks they own and what it means to own that risk; it is expected that these individuals would have a better understanding of risk than, say, personnel responsible for operations.

Other key barriers to the effectiveness of risk culture noted by the RMA/Protiviti survey participants were: consistency of messaging throughout the entire enterprise in all locations; integration of risk culture with growth objectives and strategy; inadequate board and management support and direction; competing initiatives; automation of information; employee resistance to change; and lack of understanding of risk culture that can grow and change with the organization as it evolves.

Finally, our EIU/Protiviti survey results noted that the top challenge was the integration of risk appetite into day-to-day activities. Nearly one-third (32 percent) of survey respondents cited implementing the risk appetite statement into daily activities as the main hurdle to improving risk management. This is important, as the risk appetite statement is an essential building block for driving risk culture and understanding the potential changes required.
Success Factors for an Effective Risk Culture

“The indicators of an effective risk culture are integrated and all need to be present.”
– CRO/senior risk executive commentary from the RMA/Protiviti survey

According to the FSB, there are four mutually reinforcing indicators of a sound risk culture that need to be considered collectively; looking at each indicator in isolation will ignore its multifaceted nature. These indicators include (along with some “real world” examples provided in our commentary to each indicator):12

• Tone at the top – The board of directors and executive management are the starting point for setting the financial institution’s core values and risk culture, and their behavior must reflect these values. Commentary: Following are some examples to illustrate the tone at the top in action:
  –– A global bank gave the CRO a seat on the management committee for the first time in its history. The CRO’s compensation was brought closer in line with other senior executives, such as the chief financial officer; previously, it was one-third less.
  –– At a multinational financial services institution, the risk culture statement is embedded in the bank’s risk framework, which is shared with and available to all employees through internal websites, the onboarding/orientation program for new employees and regular communications across the enterprise. Periodically, the board reviews and approves the risk culture statement and risk framework. Tone at the top is evidenced through public statements on the organization’s culture and in enterprisewide communication venues. Executive management emphasizes the risk framework and risk management programs during town halls and incorporates the risk culture in performance management and compensation programs to incent behavior reflective of the desired behaviors.
  –– Tone at the top is important, but so is tone in the middle. It makes a huge difference when employees see leaders with P&L responsibility actually leave money on the table when a proposed product, transaction or deal presents risk that they lack confidence can be managed appropriately, particularly when these decisions are made without pressure from independent risk and compliance management functions. If rank-and-file personnel hear their leaders saying all of the right things about risk but the frontline behaviors don’t match up with the rhetoric, the impact of the tone at the top is reduced.
  –– A focus on operational excellence sets a strong tone at the top. Firms that have a culture where people are expected to design and run operationally sound processes (regardless of whether the need to do so is driven by customer service, credit risk, compliance, reputational or other considerations) have a significant advantage.

12 Increasing the Intensity and Effectiveness of Supervision, Guidance on Supervisory Interaction with Financial Institutions on Risk Culture, Financial Stability Board, 2013: www.financialstabilityboard.org/publications/c_131118.pdf.
– In a well-publicized success story, a North American bank took action during the years leading up to the financial crisis to exit the structured products business. The CRO recommended the bank exit that line of business several years before it overheated and imploded. That CRO is expected to be chief executive officer (CEO) of the bank by the end of 2014. Here is an excerpt from a speech he made three years ago:13

    At TD Bank Group, we avoided the subprime mess and were one of the few major banks in the world to do so. How? Several years ago, we decided to exit the structured products business at the height of the market. This was a contrarian move at the time. Most other financial institutions were rushing to get in and we were criticized – even vilified – by some, for our decision to exit the business. Although it cost us in short term profitability, it was the right thing to do. To us, the securities were not transparent and the risk reward relationship was not obvious. These were instruments valued by mathematical models which few people on the planet understood and it wasn’t clear to us that the business model was sustainable. So when everyone else was getting in, we got out.

    Thankfully, we’ve benefited from our decision by largely avoiding the subprime meltdown altogether. Having said that, it doesn’t mean we haven’t been impacted by the current economic downturn. Like others, we have. But the impact is considerably less than it would have been otherwise and has provided us with significant flexibility to continue to grow both in the U.S. and Canada.

– While board oversight is vitally important, the reality of the tone at the top is that the CEO has the most impact by far in terms of driving the appropriate cultural values and behaviors. Regulators need to remain cognizant of this when setting expectations for the board of directors so that it is clear how the responsibilities between the board and management are delineated.

• Accountability – Successful risk management requires employees at all levels to understand the core values of the institution and its approach to risk, be capable of performing their prescribed roles and be aware that they are held accountable for their actions in relation to the institution’s risk-taking behavior. Staff acceptance of risk-related goals and related values is a necessary prerequisite.

Commentary: Following are some examples to illustrate accountability:

– Some CEOs are more adept than others at articulating the culture of the firm and assigning accountability so that everyone knows what the culture, mission and vision are as well as their respective roles and responsibilities. The larger the institution gets and the more layers of management, the harder it is to articulate risk-related accountabilities. By the time personnel get three or four layers removed from the CEO, risk considerations are overtaken by budgetary goals and P&L metrics. Therefore, for large, complex organizations, it is important to address the challenges of pushing accountability downward. For example, several banks have a strong focus on self-identification of issues. Executive management expects each line of business (LOB) to self-identify a majority of their audit and examination issues, and if they don’t, they must answer to the CEO. There is no tolerance for delayed remediation of audits, and especially, regulatory matters requiring attention (MRAs). If a business line or function receives a “repeat” MRA, significant repercussions can result.

– An end-to-end view of business processes is needed to facilitate the assignment of accountabilities. One of the biggest practical roadblocks to being able to push down accountability is lack of clear linkages between risks, controls and business processes, such that when something “breaks,” it is unclear who is accountable for the particular process or risk issue. Just as the run-up to the financial crisis saw the proliferation of structured products and securitization, as well as movement away from relationship banking in favor of transactional-focused profitability, it was also accompanied by a compartmentalization of business processes that clouded the overall accountability for risk and compliance management considerations cutting across business processes. To address this “white space” challenge, management at a large bank is instituting an end-to-end view of “executive owners” of critical processes that either span multiple LOBs or present themselves in multiple places within the company. These “executive process owners” have full accountability for both business and risk/compliance issues germane to the processes for which they are responsible.

– A global bank has several hundred “consumer remediation” projects a year – meaning an error affecting a consumer’s account occurred and it is necessary to make the consumer whole. Historically, these projects have been managed at the business level, leading to poor visibility at the senior management and board levels as to the scale of the problems involved, inconsistency in execution (e.g., consumers impacted by similar issues may receive different remediation, depending on which business line owns the relationship) and a consistent failure to identify and resolve root causes fully. While the bank is letting the LOBs retain ownership of project management (which fosters process owner accountability), it is introducing an enterprisewide PMO framework and templates and enterprise-level policy standards, as well as a uniform issue-tracking and reporting platform. A governance forum led by the chief compliance officer (CCO) reviews project plans from all LOBs in advance to ensure issues are effectively addressed from an enterprise perspective on a consistent basis.

13 See Rotman School speech by TD Bank COO, Bharat Masrani, “TD Bank, America’s Most Convenient Bank,” April 2011: www.td.com/about-tdbfg/corporate-information/thought-leadership/speech.jsp?id=52.

• Effective challenge – A sound risk culture encourages an environment of effective challenge in which decision-making processes promote a range of views, allow for testing of current practices, and stimulate a positive, critical attitude among employees and an environment of open and constructive engagement.
Commentary: Following are some examples to illustrate effective challenge:

– Risk functions are formally reviewing and commenting on key risks inherent in the entity’s strategic plan – by risk type and LOB/key strategy element. This review has impact. Challenges are raised, such as disagreeing with a certain portfolio expansion and recommending raising the required credit score on certain products based on the environment.

– When the CEO is driving a deal, the board of directors must ask the right questions and not get caught up in the euphoria of doing the deal. Directors do not need to understand everything about certain products and be engaged in all of the details of running a lending operation, but they need to ask questions focused on the underlying economics, changes to the risk profile, ability to measure and manage the assumed risks and other fundamentals, and apply their business sense about buying into markets that could be over-inflated.

– Some banks are going so far as to define what is considered “effective challenge” in order to (a) place emphasis on the types of challenges that contribute to better dialogue, actionable outcomes and improved decision-making, and (b) distinguish effective challenge from the review comments, questions and observations that occur during the normal course of conducting business. The idea is to focus on the big picture. We have seen some very early efforts at capturing, analyzing and reporting on effective challenge that occurs within certain business processes. This activity appears to be driven primarily by regulatory pressures to produce evidence that effective challenge is occurring at various levels of management. The difficulty for the industry is achieving the right level of balance in this regard so that effective challenge becomes a valuable and strongly embraced component of the corporate (and risk) culture. It would be unfortunate for effective challenge to become a compliance exercise emphasizing form over substance.

– The CRO is the ultimate champion of an effective challenge process within the organization. At the same time, the CEO and executive risk committee are the ultimate arbiters and decision-makers on all significant risk matters, with full transparency and reporting of critical issues to the board of directors.
– U.S. regulators are using the term “credible challenge” to describe the board’s relationship with management at large banks. The regulatory concern is whether the board of directors provides a credible challenge to management. If board members challenge virtually every aspect of management’s agenda with the intention of getting something “on the record” in the minutes to satisfy the regulators, the result could be counterproductive and non-value-adding. While the concept of credible challenge may be directed to new plans and initiatives, it also can be anchored around a formalized escalation process linked to the risk appetite statement. Escalation protocols can be evidenced in management reports and committee agendas. To illustrate, the CRO for a global bank issues monthly reports that call out the more significant risk issues and management’s direction and commitment to address them. Critical issues are escalated to the board so that it is involved on a timely basis.

• Incentives – Performance and talent management should encourage and reinforce maintenance of the financial institution’s desired risk management behavior. Financial and nonfinancial incentives should support the core values and risk culture at all levels of the institution.

Commentary: Following are some examples related to incentives:

– Risk and compliance management need to be an integral part of every LOB manager’s performance metrics, just as profitability metrics are now. To that end, one organization has incorporated control partner feedback into the compensation structure for its top-level employees. The bank uses this process to identify those individuals who are perceived as taking excessive risk so that this can be factored into determining their compensation. At another institution, risk, compliance and the business functions meet together with internal audit at the end of the year to rate the top executives based on a collective view of the risk management and compliance performance of each executive’s area over the past year. Programs of this nature tend to be qualitative in nature and place emphasis on the negative.

– Each LOB should develop risk and compliance plans for the year, with objective, quantifiable metrics that responsible executives can be measured against. This approach allows for the introduction of positive metrics (e.g., increase in control coverage, reduction of residual risk levels, reduction in the average amount of time that corrective actions remain outstanding) as well as being called out for loss events and near misses.

– In addition to compensation programs that incorporate risk and compliance considerations, career progression is another way to incorporate risk culture into the performance management system. This shows that the organization not only recognizes and rewards employees for prudent risk management, but also promotes and places increased responsibility in their hands to make it happen.

– It is important to reward individuals who raise their hands and call out inordinate risk-taking. Such individuals should be used as ambassadors of living the bank’s risk culture.

Our next installment of the CRO Series will speak more specifically about the importance of appropriate incentives.

The FSB expects an institution’s leaders to systematically develop, monitor and assess its culture using these indicators. In addition, the RMA/Protiviti survey respondents noted the most significant indicators of an effective risk culture. These survey results complemented the four indicators suggested by the FSB. Considering both the survey results and the FSB’s indicators, we determined six key success factors for ensuring the strength and effectiveness of a financial institution’s risk culture. These success factors are noted in the accompanying box.

SUCCESS FACTORS FOR EFFECTIVE RISK CULTURES
• Executive management sets the tone
• Accountability and clear expectations
• Decisions consider risk and solvency
• Quality of board risk discussions
• Incentives that encourage risk awareness
• Collaboration and open communication
Physical and Behavioral Characteristics of Risk Culture: The Yin and Yang

“Our institution has a strong and intuitive sense of its risk culture. It does not, however, have specific mechanisms for measuring culture (although we do have a robust risk appetite framework). The obstacles are mainly in the ‘how’ to assess the strength of our risk culture and in having the resources to accomplish this.”
– CRO/senior risk executive commentary from the RMA/Protiviti survey

While indicators of an effective risk culture provide insights around what to evaluate and manage, the specific characteristics supporting an effective risk culture suggest what management should emphasize from the standpoint of policies, processes and mechanisms on the one hand and behaviors and attitudes on the other hand. Accordingly, characteristics include both physical mechanisms and behavioral elements:

• Physical mechanisms are tangible mechanisms influencing tone of the organization and include many things comprising the three FSB foundational elements cited earlier. These mechanisms include such things as policies and procedures, risk committee oversight activities, organizational structure, corporate value statements, codes of conduct and ethics programs, incentive and recognition programs, risk assessment processes, key risk indicator (KRI) reporting, performance reviews, reinforcement processes and board risk oversight, among other things. They also include the risk appetite dialogue of the executive team and board, as well as the decomposition of risk appetite into risk tolerances and limit structures used day to day in executing the corporate strategy.

Commentary: Standard & Poor’s (S&P’s) enterprise risk management (ERM) evaluation of risk governance for financial institutions includes a definition for a “Strong” rating, which refers to various physical dimensions encompassing both risk culture and topics we have discussed in earlier white papers in the CRO Series, namely, board risk oversight and effective positioning of the CRO. S&P’s definition states: “The track record shows that the formal risk management department acts as a valued partner to the business units by advising them on both ‘local’ and enterprisewide risks. Risk management is closely involved in planning and budgeting, and risk professionals rank highly within the firm. Indicators of a strong framework can include the existence of a Chief Risk Officer who reports directly to the CEO, and the existence of a Risk Management Board with nonexecutive director representation that reports to the board. There is clear evidence of board involvement in risk management issues.”14

• Behavioral elements include the attitudes, belief systems and core values that drive behavior and guide daily activities and decision-making throughout the institution, particularly with respect to entrepreneurial pursuits. While not as easily “seen and touched” as physical mechanisms, behavioral elements warrant even more careful attention as they are “observed and sensed” up, down and across the firm. For example, behaviors around risk management and internal control accountabilities often manifest themselves in how and when people clear audit issues, address control weaknesses, escalate issues, and resolve issues reported. The timeliness with which such activities are carried out provides powerful “tells” regarding an enterprise’s risk culture. So does executive management’s reaction to warning signs provided by independent risk management functions. Behavioral elements are influenced by an effective tone at the top and in the middle; proactive, open and transparent communications; encouragement of challenges of ideas and options during the decision-making process; clear performance expectations aligned with risk strategy; recognition of effective risk behaviors; and emphasis on continuous improvement and learning.

As depicted in the graphic, both physical and behavioral elements must act in unison to achieve an effective risk culture.

[Graphic: Risk Culture Success Factors – Physical Mechanisms (“Touched and Seen”) + Behavioral Elements (“Observed and Sensed”), surrounding the six success factors listed in the box above.]

14 “A Roadmap For Evaluating Financial Institutions’ ERM Practices,” Standard & Poor’s.
Risk Culture: An Approach to Solving the Problem

Risk culture is an enigma. Most everyone agrees it’s important. The question is what to do about it. Only one-fifth (20 percent) of respondents to the EIU/Protiviti survey indicated that their companies have risk awareness integrated into the corporate culture. This finding suggests that, despite several years of regulatory and other pressures, proactive efforts to identify, define and improve risk culture are absent in a very significant majority of institutions.

Of the 37 percent of respondents to the RMA/Protiviti survey who said their institutions evaluate risk culture:

• Thirty-eight percent indicated they have evaluated risk culture for more than three years, while 46 percent reported they have conducted evaluations for at least two years;
• Thirty-two percent utilize management self-assessment;
• Twenty-four percent utilize a structured self-assessment by the risk management or internal audit function in cooperation with the LOBs;
• The majority of the remaining respondents indicated they conducted various types of surveys; and
• Going forward, 58 percent plan to evaluate their risk culture annually.

When evaluating risk culture, it is important to define what it is. While bodies such as the FSB and RMA provide a standard definition and we have suggested a definition derived from RMA’s, it is important to point out that there is no one-size-fits-all view of culture. Therefore, each institution must take these definitions and determine what risk culture means in practice given its structure, strategy and operating environment.

No one would disagree that an initial assessment of risk culture is only a start. So what comes next? There should be a sustained effort to assess how risk culture is evolving. Risk culture is dynamic and changes over time in line with the evolution of the enterprise’s culture. The following graphic depicts the steps required to manage an evolving risk culture.
[Graphic: Risk Culture Management Process – seven steps: Evaluate current risk culture relative to risk and risk awareness; Identify and define attributes driving risk culture; Embed the desired risk culture in the organization; Actively and consistently promote living the risk culture; Create risk culture education and awareness; Underpin the desired risk culture with appropriate incentives; Monitor performance against desired risk culture.]

The steps in the risk culture management process are discussed further below:

• Evaluate current risk culture relative to risk and risk awareness – Understand the current state of the firm’s risk culture, including the existing physical mechanisms (e.g., risk governance, policies, processes, boundaries and rules) and the risk culture dynamics (e.g., attitudes, behaviors and beliefs) perceived across the institution. Look for subcultures that have an impact on risk management.

Commentary: There are many ways by which risk culture is evaluated (e.g., surveys, independent assessments, culture KRIs, analysis of feedback to employees across the bank, among others). With respect to subcultures, LOBs and entrepreneurial processes engaged in potentially risky activities and which resist oversight and independent review may be susceptible to dangerous blind spots because of existing performance incentives and lack of discipline concerning undertaking risk. For example, within an LOB, the sales culture and risk culture often have competing agendas. Whether obvious or hidden, subcultures are an important consideration as they can, for example, permit the institution to be more agile in response to a changing business environment to solve problems, share knowledge and serve customers in a way that a unitary culture may constrain. On the other hand, they can lead to rogue risk-taking behavior that can ultimately harm the organization. Therefore, their existence and business impact should be understood.

• Identify and define attributes driving risk culture – Obtain evidence of how the entity’s risk culture operates in practice and assess strengths and weaknesses. Articulate what risk culture means to the institution, and establish how the desired behaviors fit into and reinforce the overall corporate culture.

Commentary: Attributes include the internal attitudes and behaviors (i.e., the behavioral elements discussed earlier) that guide daily activities and decision-making throughout the firm, as well as external factors, such as regulatory requirements and expectations of customers, investors and others.
• Embed the desired risk culture in the organization – Define how risk culture should impact the institution’s corporate governance, as well as how it supports execution of the mission and strategy within the boundaries set by the risk appetite statement. Reinforce accountabilities and desired behaviors through committee charters, policies, procedures, incentive compensation structures and escalation protocols. Make risk culture a priority for internal audit as an assurance function so that it can provide a third line of defense in ensuring the desired behaviors. Ensure the CRO and risk management function have the appropriate skill sets and are positioned effectively within the enterprise.

Commentary: Risk culture is not a nebulous, obscure appendage mired in a risk management work stream. Institutions should examine existing operational channels for ways to embed risk culture into the firm’s “DNA.” To illustrate, think about elements of the business, such as recruitment and selection practices, accountability and responsibility statements, performance management frameworks, reward systems, communications processes, and learning and development activities. Look at these activities through a “risk lens” to ascertain how to embed appropriate reinforcements of desired risk management behaviors in them.

• Actively and consistently promote living the risk culture – Secure CEO/executive sponsorship of the desired risk culture by clarifying how it will contribute value to the enterprise. Lead by example, demonstrating the desired behaviors through appropriate actions over time. Recognize managers and employees who demonstrate the desired behaviors and risk awareness in their judgment and decision-making. Where necessary, take steps to overcome resistance to change. For example, explain why the necessary changes offer advantages over the status quo, and tie the necessary changes to issues and priorities that people care about (i.e., make it personal). Above all, keep the message simple.

Commentary: “Keep it simple” means we live in a “sound bite” world; if paragraphs are needed to describe the desired culture, then people won’t remember the key points and will be hard-pressed to demonstrate and live them. Executives should be open to receiving “bad news” and contrary information, encourage timely recognition of problems and their appropriate escalation, and make decisions consistent with the expectations set by the desired risk culture and risk appetite. They should look for opportunities to highlight and share successes, be open about issues, encourage organizational learning, and publicize learnings gained from mistakes or near misses.

• Create risk culture education and awareness – Develop training programs, awareness campaigns and other appropriate support structures to educate employees at all levels of the institution. Take advantage of existing education and awareness programs to reinforce key risk culture elements, emphasize appropriate areas of focus and maintain messaging consistency. Balance the risk culture education and awareness initiative against other business priorities and competing interests, and ensure that all initiatives are appropriately aligned.

Commentary: Risk-taking and culture should be addressed in the first training sessions new employees attend as part of their orientation and be reinforced consistently throughout their careers.

• Underpin the desired risk culture with appropriate incentives – Bake risk awareness into the performance evaluation system and make risk management an integral part of every employee’s job responsibilities.

Commentary: Reward systems and incentives drive behavior; therefore, they should be aligned with performance expectations expressed or implied by the risk culture. The integration of risk management applies to all three lines of defense – the LOBs and primary risk owners as the first line, independent risk management and compliance management functions as the second line, and internal audit as the third line.
• Monitor performance against the desired risk culture – Periodically evaluate the risk culture for progress toward the desired standard and monitor employee behavior for new trends, attitudes or beliefs that may require attention.

Commentary: As noted in our survey results, employee engagement surveys, focus groups, risk management and internal audit reporting are practical examples of sources of insight for purposes of measuring and evaluating risk culture. Quantitative and qualitative measures around the success factors underlying an effective risk culture may also be useful in determining whether the institution is achieving its expected outcomes. In addition, employee pulse surveys can be beneficial as a monitoring tool, serving as barometers on institutional attitudes toward risk. In monitoring the effectiveness of the risk culture, management should consider the effects of change in the enterprise, including its strategy and business plans, as well as the occurrence of external events, including regulatory, competitor and other market developments. If the monitoring process identifies changes necessary to advance risk culture, they should be made in a timely manner.

The above approach is not intended to be one-size-fits-all. The important point is to evaluate the internal and external dynamics affecting risk culture and make the necessary adjustments to evolve risk culture over time in response to change, consistent with the firm’s overall culture.
Taking the First Step: Evaluate Risk Culture

“Our ‘people’ survey includes aspects of risk culture. The Risk Committee makes assessments on risk culture based on discussions with Management (in particular, the CRO), audit reports and other reporting.”
– CRO/senior risk executive commentary from the RMA/Protiviti survey

Evaluating the enterprise’s risk culture can be overwhelming unless executive management has all the tools needed to begin the process. As risk culture evolves in line with the firm’s culture, it makes sense to start somewhere, even if the pathway forward isn’t crystal clear. An outside perspective may be useful, particularly in situations where risk culture has never been assessed before. It’s often difficult to evaluate an institution’s culture, or a part of it, if the evaluator is embedded in the culture itself. Objectivity is paramount to a fair assessment.

Below is a list of 10 questions to assist executive management with its evaluation:

1. Does executive management openly support each line of defense (e.g., LOB leaders and process owners, independent risk and compliance management functions, internal audit and defined, effectively functioning escalation processes)? Does executive management have direct, quality contact with all lines of defense? Is there effective collaboration across the lines of defense regarding important risk issues? Are unexpected issues escalated to executive management handled effectively?

2. Can LOB management identify and understand their risks and risk appetite? Do they identify and report issues to executive management in a timely manner? Do they own the risks their activities create and are they accountable for results?

3. Are there important subcultures that exist and must be considered separately to ascertain whether they contribute to effective risk management or present exposure to excessive risk-taking?

4. What is the risk management organizational structure, and how is it viewed among the LOBs and throughout the firm? Is there an element of “effective challenge” and a degree of comfort with creative, healthy tension? Alternatively, is there an emphasis on harmony, “getting along” and conformity that can result in decision-making that discourages or ignores alternative views and salient contrary information and, as a result, reaches risk/reward decisions that may miss the mark badly?

5. What infrastructure is in place to support risk identification, measurement, analysis, reporting, monitoring and management?

6. What types of risk culture training, awareness programs or other support are available within the organization? Do these programs and initiatives emphasize elements of continuous learning and improvement (e.g., process improvement, measurement and quantification, monitoring against expectations, and innovations to improve productivity, among other things)?

7. Is risk culture a factor in the enterprise’s incentive and rewards systems? What metrics are being used to monitor risk culture and gauge the effectiveness of cultural change?

8. Are there patterns of behavior that provide an indication as to whether risk management and internal controls matter? For example, are there warning signs that the tone at the top may not be optimal (e.g., turnover of key executives, tolerance of significant control issues, a warrior culture, a shortsighted focus on profitability and evidence of an overly dominant CEO)?

9. Does executive management work closely with middle-line and functional managers to ensure everyone is effectively aligned in terms of the organization’s vision, mission, core values, strategy and risk appetite? Is there evidence of proactive, open and transparent communications; encouragement of challenges to ideas and options during decision-making processes; clear performance expectations aligned with risk strategy; and emphasis on continuous improvement and learning?

10. Are there effective escalation protocols and processes to ensure significant problems are recognized and addressed at the appropriate level of the firm?

While the above list may not be comprehensive, it provides a useful starting point for any evaluation of risk culture. In addition to these and other appropriate questions, evidence should be obtained to demonstrate conclusively examples of the culture as it is lived in practice. This is increasingly important to regulatory agencies who want to see beyond policies, mandates and frameworks to a real-world demonstration of practices that back up the desired behaviors.
Implications of Risk Culture for the CRO

Facilitating the development of an effective risk culture should be a major priority for the CRO. The risk culture management process introduced above provides a context for the CRO in identifying how to strengthen it. For example, the CRO can:

• Assess strengths and weaknesses of the current risk culture, including the institution’s existing physical mechanisms and behavioral elements, subcultures that can impact risk-taking and risk management, and regulatory and other changes that may affect risk culture significantly.

Commentary: The CRO can conduct either an initial assessment to measure the current state of the enterprise’s risk culture, assuming no prior assessment, or update a prior assessment to obtain an objective view. A diagnostic tool can be useful in this regard. It is important to establish a baseline for going forward.

• Define how risk culture should impact the institution’s corporate governance, as well as how it supports the execution of the mission and strategy within the boundaries set by the risk appetite statement, and make recommendations for (a) improving the reinforcement of accountabilities and desired behaviors, and (b) ensuring the independent risk management function has the requisite skill sets and is appropriately positioned within the firm.

• Work with the CEO and executive team to clarify the value of a strong risk culture to the enterprise and help them lead by example and demonstrate and reinforce the desired behaviors over time.
• Develop and deliver training programs, awareness campaigns and other appropriate support structures to educate employees at all levels of the institution’s desired risk culture.

• Review reward systems and incentives to ensure they are driving appropriate behavior with respect to risk-taking and risk management, consistent with performance expectations expressed or implied by the risk culture, and recommend necessary changes.

• Use the six success factors we suggested earlier as a guidepost to evaluate risk culture periodically for progress toward the desired standard and monitor employee behavior for new trends, attitudes or beliefs that may require immediate attention.

• Share and promote examples of “living the culture” in town halls and other appropriate forums to champion the value an effective risk culture can bring.

As the ultimate champion of an effective challenge and escalation process, the CRO ensures that the right forums are established and the right people and information are brought to the table to allow for effective challenge and escalation to occur. Far more risk and compliance breakdowns occur because either the people with the right knowledge to identify and escalate critical risks are not brought to the table early enough or key information is not presented to decision-makers on a timely basis.
Conclusion

We have defined risk culture as “the set of encouraged and acceptable behaviors, discussions, decisions and attitudes toward taking and managing risk within an institution that reflects the shared values, goals, practices and reinforcement mechanisms that embed risk into the institution’s decision-making processes and risk management into its day-to-day operations.” An open and collaborative risk culture is stimulated through an enterprisewide commitment to excellence. That commitment starts with a focus on cultivating an effective learning environment and a pursuit of continuous improvement.

In focusing on strengthening risk culture, we used two surveys we conducted within the past year to explore challenges in integrating risk culture with the business and to identify indicators of an effective risk culture. We also suggested a risk culture management process, illustrated questions for evaluating risk culture, and discussed how the CRO can support the desired risk culture.
Supported by effective board risk oversight, effective positioning within the organization and an effective risk culture, the CRO can contribute to the institution’s quest to gain the advantages of the “winning hand.”

[Figure: the CRO at the center, supported by Company and Management, Board Risk Oversight and CRO Positioning, with the three sets of success factors listed below.]

CRO Positioning Success Factors
• Viewed as a peer with line leaders
• Board reporting and interactions
• Managing risk is everyone’s job
• Risk is equal to opportunity pursuit
• Broaden focus beyond compliance
• Clearly defined CRO position

Risk Oversight Success Factors
• Strengthen risk management
• Understand critical risks/assumptions
• Understand risk appetite
• Ensure satisfaction with risk information
• Be alert for dysfunctional behavior
• Provide timely input

Risk Culture Success Factors
• Executive management sets the tone
• Accountability and clear expectations
• Decisions consider risk and solvency
• Quality of board risk decisions
• Incentives that encourage risk awareness
• Collaboration and open environment
About Protiviti

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 40 percent of FORTUNE 1000® and FORTUNE Global 500® companies. Protiviti and its independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. The firm also works with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

About Our Financial Services Industry Team

We assist financial services companies in identifying, measuring and managing the myriad risks they face. With our commitment to service, people, resources and values, we are the service provider of choice for financial institutions of all types and sizes.

Our consultants are experienced professionals. Many have decades of experience working in the financial services industry. Located in offices across the globe, they include former industry executives, former regulators and a broad range of subject-matter experts who have firsthand knowledge of the issues on which they provide advice. Our internal commitment to training ensures that our consultants remain current on important industry issues. Armed with tested tools and methodologies, our consultants provide pragmatic, cost-effective and value-added solutions to your company.

At Protiviti, we understand the challenges faced by financial services companies. Our solutions are designed to help your company turn these challenges into competitive advantages.
Contacts

Carol Beaumier, Managing Director, +1.212.603.8337, carol.beaumier@protiviti.com
Cory Gunderson, Managing Director, +1.212.708.6313, cory.gunderson@protiviti.com
Andrew Clinton, Managing Director, +44.20.7024.7570, andrew.clinton@protiviti.co.uk
Giacomo Galli, Managing Director, +39.02.6550.6303, giacomo.galli@protiviti.it
© 2014 Protiviti Inc. An Equal Opportunity Employer M/F/D/V. PRO-0814-103054

Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

Office locations (* Protiviti Member Firm; ** Protiviti Alliance Member):

ASIA-PACIFIC: Australia (Brisbane, Canberra, Melbourne, Perth, Sydney); China (Beijing, Hong Kong, Shanghai, Shenzhen); India* (Bangalore, Mumbai, New Delhi); Indonesia** (Jakarta); Japan (Osaka, Tokyo); Singapore (Singapore); South Korea (Seoul)

THE AMERICAS: United States (Alexandria, Atlanta, Baltimore, Boston, Charlotte, Chicago, Cincinnati, Cleveland, Dallas, Denver, Fort Lauderdale, Houston, Kansas City, Los Angeles, Milwaukee, Minneapolis, New York, Orlando, Philadelphia, Phoenix, Pittsburgh, Portland, Richmond, Sacramento, Salt Lake City, San Francisco, San Jose, Seattle, Stamford, St. Louis, Tampa, Washington, D.C., Winchester, Woodbridge); Argentina* (Buenos Aires); Brazil* (Rio de Janeiro, São Paulo); Canada (Kitchener-Waterloo, Toronto); Chile* (Santiago); Mexico* (Mexico City, Monterrey); Peru* (Lima); Venezuela* (Caracas)

EUROPE/MIDDLE EAST/AFRICA: France (Paris); Germany (Frankfurt, Munich); Italy (Milan, Rome, Turin); The Netherlands (Amsterdam); United Kingdom (London); Bahrain* (Manama); Kuwait* (Kuwait City); Oman* (Muscat); Qatar* (Doha); United Arab Emirates* (Abu Dhabi, Dubai); South Africa* (Johannesburg)
