Sound Risk Culture and Risk Culture Programs: An Evolving Necessity

By Eugene Ludwig

A sound risk culture is a vital component of an overall risk framework, and it is increasingly becoming a regulatory necessity. As Federal Reserve Bank of New York President William Dudley recently told a supervisory conference, “Improving culture in the financial services industry is a necessity.” Similar sentiments have been voiced by virtually all other regulatory leaders.

A successful risk culture that satisfies regulatory expectations requires strong formal risk management and compliance programs. Attempts to shape a sound culture without strong, formal risk and compliance programs will miss the mark. Regulators are looking for a risk culture that does not just foster good attitudes, but it produces results that support risk management and compliance efforts. Regulators have underlined this point both on and off the record.

A strong risk management framework today must include:

  • A strong risk appetite statement;
  • A strong board governance process, including credible challenge;
  • A strong three-lines-of-defense system consistent with heightened regulatory standards;
  • A strong compliance program, including BSA/AML and sanctions, FATCA, and consumer issues
  • High-integrity risk-related data and systems; and
  • For the largest banks, successful CCAR, CLAR, and resolution and recovery programs.

It is up to the board and senior management to ensure that such a framework is in place. Without it, it is hard to envision a successful risk culture that produces the kind of outcomes that the regulatory community would like to see. But a risk management framework that is not aligned with a strong culture will not work. If a financial entity’s employees do not display the ethics, behavioral norms, and attitudes that align with its governance and risk management policies, those policies will not be successfully implemented.

The risk-culture norms and program discussed below are meant to align with the emerging regulatory standards in this area. These standards are becoming less theoretical and more about behaviors and outcomes. Tone will always be important in terms of direction, as will institutional values. But increasingly regulators are looking for a positive alignment of tone, effort and—most important—concrete outcomes.

Fundamental principles for a sound risk culture

The foundation of a sound risk culture can be articulated in nine principles:

  1. Understand and follow, in letter and in spirit, all rules and regulations that apply to your business.
  2. Understand and follow, in letter and in spirit, all company policies and procedures applicable to your business, including those related to the risk and control systems.
  3. Understand and openly discuss the risks that are part of your business, and take risks that are consistent with the company’s risk appetite statement.
  4. Be open and honest with colleagues, particularly on any concerns about risk-related behaviors.
  5. Communicate truthfully on all matters within and outside the company. “Speak truth to power” when necessary for good of the company.
  6. Create products you understand and can readily explain to your customers, including all risks. In designing and selling those products, behave with customers as you would with a close friend or family member.
  7. Reject temptation to compromise standards in pursuit of competitive edge with others inside and outside company.
  8. Constructively challenge preconceptions, and escalate concerns in a timely, constructive way, encouraging the same of others.
  9. Learn from adverse outcomes through open dialogue and analysis of root causes.

Adherence to the elements of a sound risk culture should be regularly assessed, primarily by:

  • Second-line-of-defense and internal audit findings;
  • Regulatory feedback, including number of violations cited, MRAs, MRIAs, or other criticisms, as well as the topic of those regulatory actions;
  • Customer complaints received by the company or the regulatory community about the company, including indirect social media activity;
  • Periodic testing/surveys with other stakeholders (such as customers and suppliers); and
  • Group and individual attitudes about the company’s culture and commitment, as disclosed through formal and informal surveys and interactions.

Training for a sound risk culture

Training should be compulsory for all new employees and is meant to ensure that all colleagues, at every level, understand the bank’s risk appetite and risk focus—what the bank will and won’t do.

Continuing employment should be contingent upon participation in refresher training, which enables staff to continue to apply and contribute to the bank’s sound risk culture in all their work activities. The training will provide real-life examples of events in the company that led to sound risk decisions for the business and its customers.

The bank’s training program should include periodic “clinics” and bulletins, to highlight where a risk matter has emerged or been identified and how the company assessed, escalated, and addressed it.

The bank’s training program should also have a management dimension—what it means to lead, manage, incentivize, and measure within a sound risk culture. It should have a module for new managers and other modules for established managers.

The bank’s board should also receive dedicated training to reflect their role in overseeing and challenging the bank’s culture.

Enforcement of a sound risk culture

Violations of a bank’s rules should be reflected, on an ongoing basis, in appraisals, promotions, and advancement opportunities, as well as compensation and retention decisions.

What else does a bank need to have a sound risk culture?

In addition to enforcement mechanisms of the type outlined above, a bank should reinforce its risk culture efforts with the use of the following “tools.”

  • Management and the board of directors must set the “tone at the top” for the program, by articulating and enforcing the principles that drive it.
  • Management should continually work to strengthen the company’s risk and control program, staying alert to ensure it does not become a check-the-box exercise.
  • Management should measure the company’s and its professionals’ adherence to risk principles and use the results to fine tune as needed.
  • The company’s compensation and other incentive structures should support a healthy risk culture and the open consideration of risk issues.

In sum, banks need to have—and many have—a sound risk culture. Today, what is meant by risk culture and a risk culture program has become more clearly articulated by the regulatory community. However, the rules and expectations that the regulatory community applies to risk culture programs will evolve over the next several years.

One thing is clear: A strong risk culture and risk culture program will be increasingly important to the regulators. All banks should take these regulatory concerns very seriously.

Eugene Ludwig is the founder of Promontory Financial Group and a former comptroller of the currency.