Risk Culture and Conduct Risk

What’s important for senior management

and boards - what have we learned from

international experience so far?

CONFIDENTIAL AND PROPRIETARY

Any use of this material without specific permission of Mark Lawrence Group is strictly prohibited

Dr. Mark Lawrence

Managing Director, Mark Lawrence Group

Adjunct Associate Professor, UNSW

mark@marklawrencegroup.com

AFR Banking and Wealth conference

Sydney

5 April 2016

Practical lessons from risk culture

transformation in large banks

| 1

Discussion topics

How can firms quickly and objectively assess the

strengths & weaknesses of their current risk culture?

Practical lessons - how firms can effectively strengthen

and transform their risk culture

Risk Culture – what is it, why does it matter, and

what are the key challenges for firms?

| 2

Key questions that firms must address to create a strong risk culture

What exactly do we mean by “risk culture”? Why do we care about it? Why does it matter?

What is the relationship between risk culture, conduct risk, ethics and compliance?

How will a strong risk culture make us a better bank, or a better business?

What are the key elements of a strong risk culture, and what are the most common risk culture weaknesses?

How can we quickly and accurately identify the most important characteristics of our own risk culture, including strengths and weaknesses?

The leaders of every single financial institution think that their risk culture is strong!

Risk culture weaknesses are like institutional “blind spots”, and are very difficult to see – how can we objectively detect these?

What is our own unique, risk culture “fingerprint”?

How can we practically and efficiently transform our risk culture, to create a strong risk culture that is well-tailored to our organisation?

SOURCE: Mark Lawrence Group

| 3

The financial crisis demonstrated that effective risk management is

very difficult; “risk culture” is a dominant driver of RM effectiveness

The financial crisis was a catastrophic failure of risk management: many large banks took huge risks that they didn’t understand, unconsciously

Many boards did not understand the risks that management was taking; individual and aggregate risks were fundamentally opaque

Analyses of what went wrong were conducted by supervisors (SSG) and the industry (IIF) in 2008/2009. Both analyses separately concluded that for many large banks firm culture with regard to risks was the dominant element which determined whether their internal risk management processes were effective, or failed, when the crisis struck

Key risk management lesson from the crisis: Ultimately, opaque or rapidly changing risks can only be successfully understood within the organisation, and acted upon, through effective internal conversations

To avoid nasty risk and conduct surprises, it is essential to ensure that the internal discussions about risks are effective throughout the organisation, at all levels

Effective internal risk discussions inside business units are a central, key element of a strong “risk culture”

SOURCE: Mark Lawrence Group

| 4

Examples of typical risk culture weaknesses

SOURCE: Risk categories adapted from risk culture categories from IIF/McKinsey; Mark Lawrence Group

Many of these weaknesses are very common in large banks, and the “fear of

bad news” is ubiquitous – many firms have “good news” cultures

Common, important risk culture weaknesses include:

Complacency/overconfidence: A culture where people believe that their

organization is insulated or even immune from risk, because of its superior

position or people

Poor communication about risks: A culture where warning signs of internal

or external risks are routinely not shared – and especially, not escalated

Lack of risk knowledge/understanding: A culture where the organization fails

to properly or adequately understand the risks it is running, or believes that

such an understanding is the preserve of risk specialists

Unclear risk tolerance/appetite: A culture where the boundaries of acceptable

risks are not fully clear to all employees

No/inadequate challenge: A culture where individuals do not sufficiently

question or challenge each others’ attitudes and actions with regard to risks

Fear of “bad news”: A culture where management and employees feel

inhibited about communicating bad news, especially upwards

| 5

“Risk culture” is hard to define, but key elements of a strong risk culture

include effective internal discussion & Business Unit ownership of risks

Risk culture can be defined as:

• Business unit ownership of risks

• Horizontal information sharing – no “silos”

• Vertical escalation of threats or risks –

“bad news travels upwards” and junior

people speak up, routinely

• Continuous and constructive

challenging of the organization’s

actions and understanding about risks

• Committed leadership

• Incentives that reward thinking about the

whole organization

Central elements of a strong risk

culture include:

Industry definition (2009)

“The norms and traditions of

behaviour of individuals and

of groups within an

organization that determine

the way in which they

identify, understand,

discuss and act upon the

risks the organization

confronts and the

risks it takes.”

SOURCE: Mark Lawrence Group; adapted from “Reforms in the Financial Services Industry: Strengthening Practices for a

More Stable System” (Steering Committee on Implementation Report), December 2009 www.iif.com

| 6

Discussion topics

How can firms quickly and objectively assess the

strengths & weaknesses of their current risk culture?

Risk Culture – what is it, why does it matter, and what

are the key challenges for firms?

Practical lessons - how firms can effectively strengthen

and transform their risk culture

| 7

A firm’s unique risk culture “fingerprint” is quite difficult to objectively

assess and understand; a variety of risk culture frameworks exist

Industry experience globally has shown that it is very challenging for senior management, boards (and supervisors) to assess the risk culture in large and complex organisations

Risk culture weaknesses are really institutional “blind spots”, and these are often very difficult to see, especially for insiders

Nevertheless, many large firms overseas have been seriously attempting to perform risk culture assessments for at least 6 years, to strengthen their risk management effectiveness and reduce/eliminate conduct risks

Widely-used approaches often begin with analysis of results from diagnostic “culture surveys”, and many consulting frameworks now exist for this assessment1

The FSB’s Supervisory Intensity and Effectiveness group (SIE) published its first guidelines for supervisors to assess risk culture in firms in April 20142

Key elements of the FSB risk culture framework include: “Tone from the top”; Accountability; Effective Communication and Challenge; and Incentives

SOURCE: 1. “Risk Culture in Financial Institutions” http://www.lse.ac.uk/researchAndExpertise/units/CARR/pdf/Final-Risk-Culture-Report.pdf,

Appendix C

2. FSB Publication https://www.financialstabilityboard.org/publications/140407.htm

| 8

The quality of internal discussions about risks is of fundamental

importance, and should be assessed as part of any risk culture diagnostic

The existence and quality of the internal discussions about risks within the firm is a key driver of the health and strength of the firm’s risk culture, and underpins the effectiveness of risk management processes

International experience has demonstrated that the quality and effectiveness of the internal discussions about risks can be assessed directly

This assessment makes it possible to determine the key elements of the unique risk culture “fingerprint” of the organisation*, by enabling the direct observation of the most important risk culture strengths and weaknesses inside different business units, and also the effective identification of any cultural “blind spots”

SOURCE: Mark Lawrence Group * NB: this process does not provide a complete risk culture assessment, and should be

combined with other, relevant tools and analyses

| 9

Some possible reasons why internal risk discussions may be non-

existent, or ineffective within a particular business unit

“We don't discuss risks much/very well in this business unit because...”:

- “Here, your risks are your own responsibility”

- “To raise an issue in the group would mean that there is a "problem", and this would be both unusual, and also frowned upon”

- “We have a ‘good news’ culture here – we’re all pretending every day that everything is fine”

- “In practice we’re all very busy fulfilling our responsibilities and working very long hours, so we don't have much time to discuss risks”

- (For business line staff): “Risk is not a large part of our KPIs, and so most business people don't usually see it as part of their responsibility to have these discussions”

- (For junior staff): “We don't understand the risks in our area well enough to talk about them sensibly, and not much changes when we do. I personally don’t feel confident enough to start a conversation about risk”

- “My boss doesn't really encourage these discussions, and sometimes gets angry or reacts badly if someone raises a problem or risk issue”

- “In practice we don't discuss risks very often – so most of us aren’t sure what risks to discuss, how to discuss these, with whom, and when to have these discussions”

- “We are very strongly focused on controls, rather than risks – everyone has a clean desk all the time - we have a very strong control culture. But many of us don't deeply understand risks from a forward-looking perspective, and we rarely talk about them, if ever”

SOURCE: Mark Lawrence Group

| 10

Discussion topics

How can firms quickly and objectively assess the

strengths and weaknesses of their current risk culture?

Risk Culture – what is it, why does it matter, and what

are the key challenges for firms?

Practical lessons - how firms can effectively

strengthen and transform their risk culture

| 11

An effective approach to strengthen the risk culture is to first identify the

underlying causes of any observed blockages or deficiencies in the internal

discussions about risks, and then address these blockages directly

Staff responses and comments in interviews are very revealing and tell a great deal about risk culture. They often point to one or more of the risk culture weaknesses described earlier:

Lack of business unit ownership of risks

Unclear risk tolerance/unclear boundaries of acceptable risk-taking

Lack of “challenge” or questioning

Lack of prioritisation, or insufficient weight given, to risk responsibilities in job descriptions, especially for commercial, front-line staff

Insufficient risk awareness - inadequate risk knowledge or skills

Fear: people are too afraid to speak up about risks or issues, for fear of negative personal consequences

The last factor (fear) is very common in many large banks, and acts to strongly suppress most internal discussion of risks

The biggest challenge is usually to create an environment which empowers all employees – and especially, junior employees - to routinely question/challenge and escalate things that they don’t understand

It is essential for senior management and business leaders to “role model” & reward this behavior, and to make it safe for junior staff to speak up

SOURCE: Mark Lawrence Group

| 12

Conclusion: Key lessons from international experience

1. A strong risk culture underpins the effectiveness of all risk management, not just conduct risks

2. The key attributes of the risk culture in individual business units can be identified quickly, by examining whether or not risk is discussed internally, and assessing the quality of those discussions

3. The behaviours and culture in the bank are a direct reflection of the actions and behaviours of business leaders and senior managers – not their words

4. Risk culture in individual business units can be consciously and effectively strengthened, over time. The key ingredient to successful change, is leaders being willing to carefully examine their own actions and behaviours, and to change these as necessary

5. To strengthen the culture, it is effective to identify the needed actions to “unblock” and facilitate the discussion of risks in each business unit – e.g.:

Make time and prioritise regular discussions of risks, if these aren’t happening

Provide training on specific risks to staff, where risk knowledge is inadequate

Review and adjust incentives, if these are impeding discussion of risks

6. Overconfidence is deadly!

SOURCE: Mark Lawrence Group

| 13

APPENDIX

| 14

Risk Culture at ABC

To develop a culture of responsibility for the longevity of

the business among all ABC employees

To create a working environment in which risk management

occurs across the entire decision-making process at all levels

of the organization

Risk management is the responsibility and a duty of all

employees, it is part of the management of the business

To create a working environment in which the open

discussion of forward–looking risks is encouraged and

rewarded, and employees at all levels routinely speak up

and give voice to their questions and concerns regarding risk

issues

Purpose

SOURCE: Mark Lawrence Group

Risk Culture and Conduct Risk

What’s important for senior management

and boards - what have we learned from

international experience so far?

CONFIDENTIAL AND PROPRIETARY

Any use of this material without specific permission of Mark Lawrence Group is strictly prohibited

Dr. Mark Lawrence

Managing Director, Mark Lawrence Group

Adjunct Associate Professor, UNSW

mark@marklawrencegroup.com

AFR Banking and Wealth conference

Sydney

5 April 2016

Practical lessons from risk culture

transformation in large banks