For years, financial institutions have found themselves in the headlines as a result of an ethics, compliance or risk breach. Of course, steering clear of any type of risky business might sound like the safest bet. But for the benefit of their long-term growth, financial institutions can’t be totally risk averse—or else they face a risk of the bottom-line sort.
A successful business strategy is anchored by a strong “risk culture.” Employees must know the organization’s mission, values and goals, understand the risk limits and be able to openly discuss which risks to take or avoid that fit within those realms.
BAI managing director Karl Dahlgren sums up the upsides powerfully in a recent piece for BAI Banking Strategies where he discusses the benefits of creating a specific risk culture subset: compliance culture that permeates a bank from top to bottom. “A compliance mindset produces a wealth of competitive advantages: Customers are better served; the bank is more operationally efficient; shareholders often enjoy a better return on their investment.”
Aligning risk culture to strategy
Once the organization develops its strategic initiatives, the Chief Risk Officer (CRO) should step in to help the CEO determine whether specific initiatives fit within the bank’s current risk culture—and risk appetite. A formal risk appetite framework should encompass both qualitative and quantitative risks in areas such as credit, liquidity and reputation. That provides insight into the types and levels of risks seen as suitable.
For example, one financial institution may pinpoint a top priority in capital adequacy—that is, the amount of capital a financial institution has to hold as required by a financial regulator. Any business decision that could jeopardize capital adequacy by a specific margin can be defined as an excessive risk, and the CRO would then work to monitor capital adequacy and raise a flag if or when the value exceeds the company’s defined risk framework. Members of the relevant teams that contribute to the risk and are responsible for mitigating it would then collaborate on the specific factors to adjust and correct for this risk issue, while making sure the bank maintains good regulatory standing and a high reputation index.
The key is to ensure that risk culture fosters smart decision making and becomes central to determining how much uncertainty is acceptable as teams pursue other goals. In short, creating a strong risk culture makes risk taking more transparent and aligns it to strategy.
After establishing the appropriate risk appetite and culture, banking executives must then make sure that risk behaviors remain consistent over time and across functions. All business units should measure risk against the standards that leadership and the risk management framework set forth. It’s also important to rethink performance targets and incentive structures in terms of how they impact behaviors.
CROs can also work with leadership to set performance targets that explicitly connect compensation plans to the risk framework and ultimately risk behaviors. Banks must frankly evaluate employee messages, tones and behaviors and seek feedback from all levels on the risks and pressures employees face.
Risk culture’s three lines of defense
On the ground floor, violations in sales practices serve as a potential major risk for financial institutions. The internal audit department must have a role in evaluating the cultures, processes, procedures and controls in place. This makes sure that internal forces do not pressure client-facing bank representatives to engage in improper practices as they work to meet expectations and drive sales.
Beyond that, three lines of defense should all work in concert to promote a stronger risk culture and eliminate inefficiencies and overlaps:
- The first line should make the right business decisions and take ownership of the risks different departments take.
- The second line, risk and compliance teams, should support the business through owning risk and controls by effectively challenging business decisions through assessment methodologies, as well as standards and practices.
- The third line, internal auditors, should review business risk and control assessments, and assess second-line risk and compliance functions.
At the same time, a regular assessment of the company’s risk culture can help inform a bank’s board and senior management, as well as reinforce desirable risk cultural traits and practices.
Effective risk management will never be a singular—or simple—solution. But by fostering an explicit risk culture, banks will get better at handling the challenges that come their way. It far outweighs the alternative: an ethically challenged or breached work environment that, among other things, risks culture.
Brian Schwartz is U.S. governance, risk management and compliance (GRC) enablement solutions Leader, PwC.