Risk Culture and Conduct Risk
What’s important for senior management
and boards - what have we learned from
international experience so far?
CONFIDENTIAL AND PROPRIETARY
Any use of this material without specific permission of Mark Lawrence Group is strictly prohibited
Dr. Mark Lawrence
Managing Director, Mark Lawrence Group
Adjunct Associate Professor, UNSW
AFR Banking and Wealth conference
Sydney
5 April 2016
Practical lessons from risk culture
transformation in large banks
Discussion topics
How can firms quickly and objectively assess the
strengths & weaknesses of their current risk culture?
Practical lessons - how firms can effectively strengthen
and transform their risk culture
Risk Culture – what is it, why does it matter, and
what are the key challenges for firms?
Key questions that firms must address to create a strong risk culture
What exactly do we mean by “risk culture”? Why do we care about it? Why does it matter?
What is the relationship between risk culture, conduct risk, ethics and compliance?
How will a strong risk culture make us a better bank, or a better business?
What are the key elements of a strong risk culture, and what are the most common risk culture weaknesses?
How can we quickly and accurately identify the most important characteristics of our own risk culture, including strengths and weaknesses?
The leaders of every single financial institution think that their risk culture is strong!
Risk culture weaknesses are like institutional “blind spots”, and are very difficult to see – how can we objectively detect these?
What is our own unique, risk culture “fingerprint”?
How can we practically and efficiently transform our risk culture, to create a strong risk culture that is well-tailored to our organisation?
SOURCE: Mark Lawrence Group
The financial crisis demonstrated that effective risk management is
very difficult; “risk culture” is a dominant driver of RM effectiveness
The financial crisis was a catastrophic failure of risk management: many large banks took huge risks that they didn’t understand, unconsciously
Many boards did not understand the risks that management was taking; individual and aggregate risks were fundamentally opaque
Analyses of what went wrong were conducted by supervisors (SSG) and the industry (IIF) in 2008/2009. Both analyses separately concluded that for many large banks firm culture with regard to risks was the dominant element which determined whether their internal risk management processes were effective, or failed, when the crisis struck
Key risk management lesson from the crisis: Ultimately, opaque or rapidly changing risks can only be successfully understood within the organisation, and acted upon, through effective internal conversations
To avoid nasty risk and conduct surprises, it is essential to ensure that the internal discussions about risks are effective throughout the organisation, at all levels
Effective internal risk discussions inside business units are a central, key element of a strong “risk culture”
SOURCE: Mark Lawrence Group
Examples of typical risk culture weaknesses
SOURCE: Risk categories adapted from risk culture categories from IIF/McKinsey; Mark Lawrence Group
Many of these weaknesses are very common in large banks, and the “fear of
bad news” is ubiquitous – many firms have “good news” cultures
Common, important risk culture weaknesses include:
• Complacency/overconfidence: A culture where people believe that their organization is insulated or even immune from risk, because of its superior position or people
• Poor communication about risks: A culture where warning signs of internal or external risks are routinely not shared – and especially, not escalated
• Lack of risk knowledge/understanding: A culture where the organization fails to properly or adequately understand the risks it is running, or believes that such an understanding is the preserve of risk specialists
• Unclear risk tolerance/appetite: A culture where the boundaries of acceptable risks are not fully clear to all employees
• No/inadequate challenge: A culture where individuals do not sufficiently question or challenge each others’ attitudes and actions with regard to risks
• Fear of “bad news”: A culture where management and employees feel inhibited about communicating bad news, especially upwards
“Risk culture” is hard to define, but key elements of a strong risk culture
include effective internal discussion & Business Unit ownership of risks
Risk culture can be defined as:
Industry definition (2009): “The norms and traditions of behaviour of individuals and of groups within an organization that determine the way in which they identify, understand, discuss and act upon the risks the organization confronts and the risks it takes.”
Central elements of a strong risk culture include:
• Business unit ownership of risks
• Horizontal information sharing – no “silos”
• Vertical escalation of threats or risks – “bad news travels upwards” and junior people speak up, routinely
• Continuous and constructive challenging of the organization’s actions and understanding about risks
• Committed leadership
• Incentives that reward thinking about the whole organization
SOURCE: Mark Lawrence Group; adapted from “Reforms in the Financial Services Industry: Strengthening Practices for a
More Stable System” (Steering Committee on Implementation Report), December 2009 www.iif.com
A firm’s unique risk culture “fingerprint” is quite difficult to objectively
assess and understand; a variety of risk culture frameworks exist
Industry experience globally has shown that it is very challenging for senior management, boards (and supervisors) to assess the risk culture in large and complex organisations
Risk culture weaknesses are really institutional “blind spots”, and these are often very difficult to see, especially for insiders
Nevertheless, many large firms overseas have been seriously attempting to perform risk culture assessments for at least 6 years, to strengthen their risk management effectiveness and reduce/eliminate conduct risks
Widely-used approaches often begin with analysis of results from diagnostic “culture surveys”, and many consulting frameworks now exist for this assessment [1]
The FSB’s Supervisory Intensity and Effectiveness group (SIE) published its first guidelines for supervisors to assess risk culture in firms in April 2014 [2]
Key elements of the FSB risk culture framework include: “Tone from the top”; Accountability; Effective Communication and Challenge; and Incentives
SOURCE: 1. “Risk Culture in Financial Institutions” http://www.lse.ac.uk/researchAndExpertise/units/CARR/pdf/Final-Risk-Culture-Report.pdf,
Appendix C
2. FSB Publication https://www.financialstabilityboard.org/publications/140407.htm
The quality of internal discussions about risks is of fundamental
importance, and should be assessed as part of any risk culture diagnostic
The existence and quality of the internal discussions about risks within the firm is a key driver of the health and strength of the firm’s risk culture, and underpins the effectiveness of risk management processes
International experience has demonstrated that the quality and effectiveness of the internal discussions about risks can be assessed directly
This assessment makes it possible to determine the key elements of the unique risk culture “fingerprint” of the organisation*, by enabling the direct observation of the most important risk culture strengths and weaknesses inside different business units, and also the effective identification of any cultural “blind spots”
* NB: this process does not provide a complete risk culture assessment, and should be combined with other, relevant tools and analyses
SOURCE: Mark Lawrence Group
Some possible reasons why internal risk discussions may be non-
existent, or ineffective within a particular business unit
“We don't discuss risks much/very well in this business unit because...”:
- “Here, your risks are your own responsibility”
- “To raise an issue in the group would mean that there is a "problem", and this would be both unusual, and also frowned upon”
- “We have a ‘good news’ culture here – we’re all pretending every day that everything is fine”
- “In practice we’re all very busy fulfilling our responsibilities and working very long hours, so we don't have much time to discuss risks”
- (For business line staff): “Risk is not a large part of our KPIs, and so most business people don't usually see it as part of their responsibility to have these discussions”
- (For junior staff): “We don't understand the risks in our area well enough to talk about them sensibly, and not much changes when we do. I personally don’t feel confident enough to start a conversation about risk”
- “My boss doesn't really encourage these discussions, and sometimes gets angry or reacts badly if someone raises a problem or risk issue”
- “In practice we don't discuss risks very often – so most of us aren’t sure what risks to discuss, how to discuss these, with whom, and when to have these discussions”
- “We are very strongly focused on controls, rather than risks – everyone has a clean desk all the time - we have a very strong control culture. But many of us don't deeply understand risks from a forward-looking perspective, and we rarely talk about them, if ever”
SOURCE: Mark Lawrence Group
An effective approach to strengthen the risk culture is to first identify the
underlying causes of any observed blockages or deficiencies in the internal
discussions about risks, and then address these blockages directly
Staff responses and comments in interviews are very revealing and tell a great deal about risk culture. They often point to one or more of the risk culture weaknesses described earlier:
• Lack of business unit ownership of risks
• Unclear risk tolerance/unclear boundaries of acceptable risk-taking
• Lack of “challenge” or questioning
• Lack of prioritisation, or insufficient weight given, to risk responsibilities in job descriptions, especially for commercial, front-line staff
• Insufficient risk awareness - inadequate risk knowledge or skills
• Fear: people are too afraid to speak up about risks or issues, for fear of negative personal consequences
The last factor (fear) is very common in many large banks, and acts to strongly suppress most internal discussion of risks
The biggest challenge is usually to create an environment which empowers all employees – and especially, junior employees - to routinely question/challenge and escalate things that they don’t understand
It is essential for senior management and business leaders to “role model” & reward this behavior, and to make it safe for junior staff to speak up
SOURCE: Mark Lawrence Group
Conclusion: Key lessons from international experience
1. A strong risk culture underpins the effectiveness of all risk management, not just conduct risks
2. The key attributes of the risk culture in individual business units can be identified quickly, by examining whether or not risk is discussed internally, and assessing the quality of those discussions
3. The behaviours and culture in the bank are a direct reflection of the actions and behaviours of business leaders and senior managers – not their words
4. Risk culture in individual business units can be consciously and effectively strengthened, over time. The key ingredient to successful change, is leaders being willing to carefully examine their own actions and behaviours, and to change these as necessary
5. To strengthen the culture, it is effective to identify the needed actions to “unblock” and facilitate the discussion of risks in each business unit – e.g.:
• Make time and prioritise regular discussions of risks, if these aren’t happening
• Provide training on specific risks to staff, where risk knowledge is inadequate
• Review and adjust incentives, if these are impeding discussion of risks
6. Overconfidence is deadly!
SOURCE: Mark Lawrence Group
APPENDIX
Risk Culture at ABC
Purpose
• To develop a culture of responsibility for the longevity of the business among all ABC employees
• To create a working environment in which risk management occurs across the entire decision-making process at all levels of the organization
• Risk management is the responsibility and a duty of all employees, it is part of the management of the business
• To create a working environment in which the open discussion of forward-looking risks is encouraged and rewarded, and employees at all levels routinely speak up and give voice to their questions and concerns regarding risk issues
SOURCE: Mark Lawrence Group