An integrated approach for assessing risk culture at financial institutions


1 An integrated approach for assessing risk culture at financial institutions
House of Finance, Goethe University, Frankfurt
Dr, Head of Enterprise Standards,

2 What is risk culture?

While there is no single definition, there is broad agreement.

A bank's norms, attitudes and behaviours related to risk awareness, risk-taking and risk management, and controls that shape decisions on risks. culture influences the decisions of management and employees during the day-to-day activities and has an impact on the risks they assume.
Guidelines Corporate governance principles for banks, Basel Committee on Banking Supervision, 2015

A sound risk culture bolsters effective risk management, promotes sound risk-taking, and ensures that emerging risks or risk-taking activities beyond the institution's risk appetite are recognised, assessed, escalated and addressed in a timely manner.
Guidance on Supervisory Interaction with Financial Institutions on Culture A Framework for Assessing Culture, FSB, 2014

defines risk culture, in line with regulatory guidance, as that aspect of the bank's culture that determines our ability and willingness to identify, understand and act on risks. This includes understanding of, and adherence to, risk appetite.

With a relatively abstract definition comes the challenge of how to quantify or assess risk culture.

3 Early attempts at assessing risk culture

A number of different approaches have been trialled, also reflecting the institution's organisational evolution.

Phase 1
- Focus on strengthening compliance with key policies and increasing general risk awareness
- Roll-out of awareness campaigns and training programmes
- Introduction of a more consistent way of monitoring policy adherence and addressing noncompliance
- Two ways of monitoring risk culture: i) number of implemented initiatives (e.g. training courses); and ii) level of compliance with key policies

Phase 2
- Compliance and training workstreams matured into "run the bank" processes
- Shift of focus to understanding the state of risk culture more broadly
- Discussion on, and decision against, introducing a bespoke risk culture survey
- Inclusion of risk-related questions in bank-wide employee engagement survey
- Development of risk culture dashboard, including various non-financial risk metrics and employee engagement survey data

4 highlighted common risk culture assessment pitfalls

- Tracking number of implemented initiatives rather than state of risk culture
- Assessing compliance with specific activities with no / limited root cause analysis
- Over-reliance on quantitative metrics
- Insufficient delineation between risk culture vs culture / limited link to risk awareness and risk appetite

A new approach was needed.

5 s approach to assessing risk culture (1/4)

The bank recognised the importance of taking a holistic approach to assessing risk culture.

culture principles were defined to articulate what good looks like. The principles focus on:
- identification
- appetite understanding
- appetite adherence
- Material risk taker conduct
- Tone from the top

6 s approach to assessing risk culture (2/4)

Assessment approach utilises existing metrics but adds value through discussion and qualitative analysis.

Approach allows for:
- Key risk reports
- Feedback on material risk takers
- Key Compliance data
- Employee engagement survey
- Assessment at business unit and aggregation to divisional level
- Qualitative analysis against risk culture principles
- Rating per principle and overall assessment
- View of risk culture across businesses *
- View of current and projected status *

* This is a fictional illustration of how risk culture results could be presented. It does not depict the present, past or expected state of s risk culture.

7 s approach to assessing risk culture (3/4)

Need for consistency is balanced against need for subjective analysis.

Guidelines for each principle, including:
- Suggestions for relevant quantitative metrics to consider
- Feedback from relevant subject matter experts to consider
- Adherence to relevant processes
- Engagement/participation in relevant meetings/workshops

Guidance on how to assign ratings to principles (e.g. red/amber/green), including:
- How to reflect deterioration in relevant quantitative metrics
- How to consider business awareness of gaps and existence of remediation plans

8 s approach to assessing risk culture (4/4)

culture results are incorporated into existing key reports and used to drive tangible outcomes at group and business level.

- Divisional assessments aim to identify and prioritise business-specific initiatives
- Divisional results are considered in risk appetite setting process
- Cross-divisional review aims to identify group-wide gaps
- Results are reported to Management Board as part of regular risk reporting
- An annual update, with group-wide recommendations, is provided to the Management Board and the Supervisory Board

9 Benefits of principles-based assessment

- Quantitative metrics used without over-reliance, enabling comparison of:
  - year on year results even if underlying metrics change
  - results across business units with different risk profiles
- Puts understanding of, and adherence to, risk appetite at heart of risk culture expectations
- Avoids binary, tick box, answers
- Drives discussion between business and control functions
- Emphasises importance of continuous improvement
- Avoids duplicate reporting

10 Key success factors

- It's a marathon, not a sprint
- Buy-in is key, so take time to engage stakeholders (business and control functions)
- Be ready for trial and error, conduct regular lessons learned, listen and be flexible
- Identify overlaps early on and turn them to your advantage (leverage what's already there)
- Make things as easy as possible
- Be patient!

11 Q & A