By Michael Aiyetan
Over the years, improper risk practices have created serious and costly incidents in banks, and poor risk culture has been identified as the root cause. The effort to rebuild trust cannot be over-emphasized, nor can it be separated from risk culture, as it is critical to protecting customers and meeting the banking needs of our communities.
Shared values that make up risk culture emerge from the risk decision-making process and communication protocol. Culture expresses itself mainly in decisions and communication. In other words, culture influences decision-making, and a healthy decision-making process nurtures culture. Culture evolves from communication, and communication shapes culture. Banks must take the steps necessary to identify, measure, monitor and control business decisions and internal communications across the enterprise for a sound risk culture.
People make a flood of decisions every day, and a few studies have heightened the need for banks to implement check and control systems for all business decisions. For example, Brian Wansink and Jeffery Sobal of Cornell University estimated that we make over 200 decisions each day on food alone, and we are aware of only a fraction of these decisions. Also, Grant Pignatiello et al. of Case Western Reserve University indicated that making decisions may negatively affect the quality of subsequent decisions. In essence, people’s minor decisions—from deciding to commute to work in a carpool in the morning to picking which toppings to put on a sandwich at lunch—deplete the energy needed to make critical decisions. Therefore, there is a strong tendency for impulsive and irrational decisions to cross the boundary from people’s personal life into the workplace.
The imperative of a systemic process
Banks strongly need to establish a systematic process for identifying and assessing all business decisions to foster risk culture. The risk management process should begin when a business need is recognized or a problem is identified, not after a business decision is acted upon. Since the factors that influence the decision-making process impact outcomes, it would be crucial for management to define and consistently apply enterprise-wide, decision-making criteria. By implementing a structured, risk-based, data-driven and multilateral decision-making (or SRDMD) process, people can quickly develop risk consciousness and mindsets. The SRDMD process should be established as a standard response to every business need and prompted whenever a business problem is identified in any part of the organization.
By structuring the decision-making process, fundamental requirements of business objectives can be fully addressed and every option can be carefully considered. Also, by viewing every business decision through a risk lens, banks can achieve effective risk outcomes.
General awareness of the bank’s risk appetite and tolerance is strongly needed so that potential risks from any decisions can be properly assessed against the risk appetite and risk tolerance. In addition, financial institutions need a coherent framework for the vast amount of their in-house data and people who possess the skills to collect, analyze and display the data for decision making. A broader range of perspectives and other people’s opinions or opposing views can be considered by ensuring multilateral decision-making. People should be empowered to make (and challenge) decisions, but not unilaterally. Everyone must ensure that no business decision is made in isolation.
Although banks have developed detailed approaches to assess and manage strategic decisions, they do little to monitor non-strategic decisions until a risk event occurs. As a result, non-strategic decisions are flawed with biases, such as cognitive (based on thinking) or emotional (based on feelings, impulse, or intuition) biases.
Empowering people to adhere judiciously to the SRDMD process while also thinking about what could go wrong is a good start for nurturing an effective risk culture. Consistent enterprise-wide elements for making decisions can improve understanding of how risk decisions are made. These elements may impact outcomes, as people can be sidetracked by irrelevant details or forget details. Whether a decision is strategic or it is not, the decision-making needs to follow a systematic process and have clearly defined elements.
Financial institutions hoping to foster risk culture may need to develop standard procedures for decision-making. These procedures should entail an overall approach to identify, measure, monitor and control decisions. As issues are recorded in an issue management system to capture needed actions and track remediation, business decisions should be recorded in an appropriate decision management system.
The system should capture who, what, where, when, why and how elements of decisions. It should also indicate whether a decision has been acted upon. By maintaining a check and control system, a wide net is cast to understand the universe of decisions that make up the enterprise’s risk profile. Risk exposure (or event) often emanates from decisions. So, it needs to be traced back to a specific source decision within an enterprise-managed system.
The power of language
Communication shapes thoughts and actions. Culture affects how we create meanings from communication, and it is expressed through (and intrinsic to) language. Language creates words specific to a culture, and a collective experience of culture affects the meaning of these words.
Language and culture are intricately intertwined, interdependent, and inseparable. Language, in the context of risk in financial institutions, is not about the components of the human mind of those managing risks. It is about cultural rules of interaction and exchange across the institution. The way a word is spoken, used, even pronounced makes a difference. It can change the way people think and perceive that word. How we speak is the manifestation of our values and a reflection of our culture. The words we choose can have a significant effect on how we think about a particular issue.
In this vein, risk needs to be conveyed with the correct language, which effectively transmits risk culture. Policies, procedures, handbooks and memos—indeed, all forms of internal communication—should contain appropriate risk language geared towards raising risk-consciousness.
It should be everyone’s responsibility to ensure contents of risk communication emphasize sound risk practices and a culture of compliance. The tone in both internal and external communication plays a vital role in how employees perceive the attitude and commitment of the organization towards risks and ethics. Therefore, management should develop and implement a coherent communication strategy regarding risk and ethics. An understanding of the purpose for managing risks must be clear across the enterprise. The tone at the top, middle and bottom must be adequately monitored for consistency with the bank’s intended risk culture.
A consistent voice concerning ethics and risks across management levels can help nurture a sound risk culture. Tone-of-voice guidelines must be documented and followed whenever risk terms and processes are communicated.
These guidelines should lay out specifics about what to say and how to say it. All written and spoken languages should reflect the expected attitude toward risk. As risk culture matures, the tone-of-voice guidelines may need to be updated to reflect the bank’s size, scope, complexity and risk profile. Information regarding the level and sources of risk needs to be communicated effectively, including a constant reminder to employees that risk management is an essential part of daily responsibilities. Risk messaging needs to be driven by clear cultural objectives. Tone-of-voice guidelines must be aligned with those objectives.
The critical role of risk culture in enterprise risk management cannot be overstated. Because risk culture influences every aspect of a bank’s business activity, management should regularly assess whether the culture is consistent with the desired appetite for risk. Independent audit and other internal review functions should help with this assessment. The SRDMD process does not need to be a rigidly prescribed approach for decision-making but a set of concepts and helpful steps that can be applied for all business decisions across management levels.
Likewise, risk language should be used as the primary tool for expression and communication. In the words of Cristina De Rossi, an anthropologist at Barnet and Southgate College: “Culture shares its etymology with many other words related to actively fostering growth.” The recommendation for any financial institution trying to improve its risk culture is to be pragmatic, consistent and to take gradual steps. Working to foster sound risk culture is a marathon, not a sprint.
Michael Aiyetan, CERP, is a business execution consultant at Wells Fargo.