Institute of International Finance
IIF Issues Paper
Promoting Sound Risk Culture: lessons learned, challenges remaining and areas for further consideration

The issue of risk culture remains at the forefront of both the industry and supervisory agendas. Its importance has been highlighted by three recent reports: the IIF's October 2012 report on Governance for Strengthened Risk Management [1], the Financial Stability Board (FSB)'s February 2013 Thematic Review on Risk Governance, and a survey of risk management at major financial institutions released by the IIF and Ernst & Young in July 2013. [2]

To build on this work and earlier work on the importance of effective supervision, the IIF organized a symposium in July 2013 focusing on how firms and supervisors could jointly promote and ensure strong risk culture. Participants included industry representatives, non-executive board members, a number of major supervisors, and knowledgeable observers from around the world. This note is based on the observations made in that symposium, the earlier work, and further thinking by IIF staff and members.

This note provides observations for firms, supervisors and policymakers to keep in mind as they work to better foster risk culture. It looks at areas of agreement and remaining challenges, and suggests some further lines of enquiry.

For the purposes of this note, we use the definition of risk culture first proposed in the 2009 IIF Paper "Reform in the Financial Services Industry: Strengthening Practices for a More Stable System": "the norms and traditions of behavior of individuals and of groups within an organization that determine the way in which they identify, understand, discuss, and act on the risks the organization confronts and the risks it takes." [3]

[1] Please also see Final Report of the IIF Committee on Market Best Practices: Principles of Conduct and Best Practice Recommendations, IIF, July 2008, and Reform in the Financial Services Industry: Strengthening Practices for a More Stable System, IIF, December 2009.
[2] Thematic Review on Risk Governance: Peer Review Report, FSB, February 12, 2013, available at: publications/r_ pdf ; Governance for Strengthened Risk Management, IIF, October 2012, and Remaking financial services: risk management five years after the crisis, EY and IIF, July 2013, both available at:
[3] Reform in the Financial Services Industry: Strengthening Practices for a More Stable System, IIF, December 2009, p. AIII.2.

This note and other IIF Issues Papers are issued by IIF Regulatory Department staff. They are not intended to be a definitive treatment of an issue but are designed to communicate current thinking and analysis in rapidly evolving areas. The views set out in this note are those of IIF staff and do not necessarily reflect the views of the IIF Board or members. We gratefully acknowledge the contribution of Nicholas LePan to this note.

IIF.com Copyright The Institute of International Finance, Inc. All rights reserved.

The Importance of Good Risk Culture: A Shared Concern

A key message from the symposium was that supervisors and firms agree on the importance of good risk culture and the broad outlines of how to ensure it. They agree that strong risk culture in firms is essential to their safety and soundness and to financial stability. This was backed up by the results of the industry survey: most banks surveyed had carried out some kind of review or audit [4]. Nevertheless, risk managers and senior executives in firms are aware that more needs to be done to ensure that the importance and values are spread throughout the organization and are permanent. This priority is shared because firms and supervisors recognize that culture issues were an important contributor to problems at major firms during the financial crisis and are a contributor to major conduct of business issues that have recently come to light. These are closely linked to serious reputational risk problems. Further, there is consensus that management, boards and supervisors all have essential roles in setting and promoting risk culture; monitoring and assessing it; and enforcing and correcting it. All sides agree that the primary responsibility rests with firm management, overseen by an involved board. Tone from the top is essential, as is setting out the core principles or values that you expect everyone to comply with, such as: integrity; common purpose; ingenuity; open culture where bad news can be escalated; and responsible finance (defined as conduct that is transparent, prudent and dependable). There is also recognition that the entire firm, be it business managers, risk officers, or internal and external auditors and control functions, has a role to play in creating and sustaining a sound risk culture.
Nevertheless, both supervisors and firms are clear that this did not happen sufficiently in the past, and that they therefore need to work together completely differently than before the crisis, with more time devoted to risk, and a much greater degree of attention to detail. Firms need to ensure that risk management is seen as everyone's responsibility and understood by all. The Chief Risk Officer's role is essential. One risk officer has described it as being a process manager and a cheerleader, interacting with business managers and the Board to define and reinforce risk culture, working with them to build trust but also understanding that the CRO's role is to protect the reputation and culture of the firm. Firms agree that in doing this, the CRO must be an enforcer and must be strictly independent and seen to be independent. Modeling of risk is important. Not only should CROs design, implement, test and validate the model but they should also communicate the model effectively internally and with the Board, including by providing training, seminars and workshops. Firms' monitoring and assessing culture is important, though symposium participants recognized that no one tool such as metrics or internal surveys is best or should be relied on exclusively. Firms and supervisors share the view that good internal communication deserves emphasis and is about making openness, dialogue, constructive challenge and escalation of issues easy and valued, and not automatically associated with blame. "Bad news must travel faster than good news" should be embedded in the governance of the firm. There also needs to be awareness and training on key concepts and the culture of the firm.

[4] The report notes that "More than 85% of North American banks have programs to assess internal culture, and the figure is similar for Latin America. In Europe and Asia-Pacific, 60% or more of banks have programs to assess internal risk culture."
There was strong agreement that Boards need to be proactive and ask themselves: "What is the organization doing to support things that we value? What are we doing to deter things that we don't value? Do we have an organization that is constantly risk aware?" They need to look at the business model and how the culture fits with the business model. The Board can contribute to the creation of the open environment above in the way that it functions, how it interacts with management and what expectations it has of management. The Board should ask itself regularly whether it is getting the right information from management. Is the information timely? Is it thoughtful? Is it focused and structured?

Ensuring that information coming to the board is what is used in running the business is important. Considering risk culture calls for a lot of high-level synthesis and, above all, judgment. Experience and a thoughtful approach were also important: Boards could send very strong signals, notably by asking management to rethink a particular activity or approach. Part of what makes a Board effective is the relationship between individual Board members and in the Board as a whole, as well as the relationship between the Board and management. These relationships need to be developed over time and can support the desired culture. Boards need to be able to understand and exercise good judgment and ask good questions, without intruding into management responsibilities - the so-called "nose in, fingers out" approach. Firms and supervisors recognize that supervisors are in a unique position as they can see differences from firm to firm. They are in an even stronger position if they also have staff with industry experience. Sharing these observations and practices adopted by others with firm management is useful. But firms and supervisors feel that there should be no push to a single quasi-approved culture, particularly since each organization has its own values, business model and special characteristics. Supervisors keeping firms under pressure to formulate statements of their key values and reviewing behavior against them can also be very useful. Supervisors and firms recognize that there is an element of subjectivity in all this. Skills needed include the ability to interact at a range of levels within the organization, and soft skills to recognize and deal with intangible elements of culture. Even where all elements cannot be assessed in quantitative terms, it is worthwhile capturing the more subjective elements as well to aid the dialogue with firms.
However, traditional supervisory communication approaches may need to be adapted to dialogue on those matters. Supervisors recognize that they need to leave firms with discretion to set their own cultures. A number of supervisors rightly believe that understanding risk culture is key to understanding many of the findings they pick up in their examinations: how and why decisions are taken or why gaps exist. What the symposium brought out, though, is that managers, Boards and supervisors cannot act in isolation or in competition with each other, but need to work together and buttress each other's efforts. In particular, there is considerable value in having regulators and supervisors meet regularly with Board members, as well as management, to discuss risk culture and other issues. Supervisors should feel that they have the ability to call the Chairman of the Board and the Chairman of the Risk Committee as valuable sources of insight as to how firms operate, their core values and culture and how those are lived throughout the organization. There also needs to be partnership and engagement between supervisors and the management of the firm: particularly with the CRO and risk management function but also with management at all levels. One supervisor has stressed the importance of engaging with middle management. Nothing beats walking the floor to visit different parts of an organization. Beyond this broad agreement, though, what is also clear is that some supervisors remain at best concerned and at worst skeptical over whether risk culture in firms is improving at the right pace and whether firms are genuinely committed to action and cooperation, or whether the emphasis on risk culture will be reduced as memories of the financial crisis fade. Alternatively, some supervisors agree that there are those in firms who are committed to strong risk culture, such as the CROs, but are skeptical as to whether this commitment goes right down through the business units.
Many industry participants have pointed to the work that they are doing within their firms to set and promote good culture. However, informal observations from participants at the symposium, and survey data, suggest that progress is uneven and that there is still work to do in this area. Above all, what emerges from the symposium and the work carried out in the last year is an understanding that risk culture is both a work in progress and that there remain considerable challenges and unresolved questions.

A work in progress: continued challenges and unresolved issues

A major factor - perhaps the most important factor - in this uneven progress is that risk culture is a complex concept as it involves a mix of hard and soft factors. This makes it challenging to discuss, assess and influence, both for firms themselves and their supervisors. Good risk culture is easy to articulate, hard to execute and requires ongoing attention, even when the starting point is acceptable. Cultural change programs are extensive and require persistence over significant time to be successful. As a result of this mix, there is no magic solution that will work across firms and, as noted above, supervisors should avoid prescribing one. Firms have to assess for themselves which way would be most effective. Practical examples (and stories) can be very useful to illustrate what values and ethics statements mean in practice. Risk appetite statements can be very useful in illustrating and inculcating the risk culture desired, but only if these are communicated effectively across the organization, and are effectively aligned with the planning process and used in actual decision-making. This can, though, in turn make it harder for supervisors to compare firms. Effective use of Operational Risk Management (ORM) tools can also help spread good culture and speed up the escalation of issues, and identification and monitoring of risks. A major challenge is how best to tie evaluations of performance against values (or against risk appetite) to compensation, including how to make vesting periods long enough while retaining staff, and how to claw back from people who have left the firm.
Fixing remuneration alone, though, is not enough: the challenge is to get the business model to consistently underpin statements of intended culture, including by ensuring that budgets or targets are consistent and do not, for instance, encourage greater risk. An important theme identified by the symposium is the difficulty of identifying and rewarding good or even excellent behaviors. This tends to get much less emphasis than penalizing bad behavior. How should you value someone on the business line saying no? How do you spot and reward those who acted by very good principles and values? Firms want to do so but find it difficult to figure out how in practice. There is also a challenge in understanding and defining the role of the CRO. A number see their role as regularly interacting with business managers, senior management and the Board, to define and reinforce risk culture, and feel that being brought in on business decisions early, to ensure alignment with risk culture, is an important success factor. Nevertheless, some regulators are concerned that this might limit their independence, a point that some CROs contest, feeling that it can actually be a sign of a culturally mature organization. An unresolved question is how much mobility between risk management functions and the business side there should be. Some CROs feel that this can assist in promoting the desired risk culture. In some firms, audit and compliance functions are increasingly considering cultural issues and could do more. However, there is a question of how far auditors and compliance functions should be expected to go. Equally, it needs to be kept in mind that the role of auditors can vary considerably across jurisdictions, so one-size-fits-all solutions might not work.
For the Board, while everyone agrees that they need to receive adequate information, Board members can feel overwhelmed by the amount of information that they receive, so there is a challenge over the right balance and how to distil and streamline information to get to the key issues. Further, while it is important that boards and supervisors maintain a distinction between the role of the board (oversight, strategy, senior appointments and compensation) as distinct from management, there may be a tendency in some rules or guidance for the board and management to be lumped together relatively automatically. An ongoing challenge will be the composition of Boards. Many believe that to perform effectively, Boards need a range of expertise and experience - management and business experience, a degree of technical expertise, and risk governance understanding. This approach can be described as "a bit of everything" in the Board as a whole. But one would not expect to find all sets of qualities in every member, so the challenge is getting the mix right. A number of participants at the IIF symposium cautioned against a one-size-fits-all approach. Different Boards work in different ways and a number of approaches could work. A challenge for both the firm and the Board is overseeing, enforcing and correcting culture across sectors and geography. Overseeing local subsidiaries can pose challenges in a complex global group. On the one hand, it is desirable that non-executive outside directors of local subsidiaries are knowledgeable of the local situation. It is also desirable that directors understand the wider interests of the firm. Differing interests of home and host regulators can complicate the situation. Supervisors are acutely aware of their own challenges and the limitations of what can be achieved. One issue is whether to require firms to undertake cultural assessments. These can be one useful input, but making it a formal requirement might lead to firms seeing it as a compliance exercise. There is an issue in considering metrics that different supervisors could interpret the same information differently. A whistleblowing hotline is a good example. Does a large number of uses indicate problems in a firm or a good culture in which people feel open to raise problems? A further issue is whether supervisors should regularly attend Board meetings.
A number of people in the industry oppose this, feeling that this breaks down the culture of the Board, displacing decision-taking and discussions to side meetings and leaving Board members more reluctant to challenge in front of supervisors. The whole dynamic of the meeting could be affected. Some supervisors have questioned this and believe that attendance at board meetings is useful. Both Boards and supervisors need to invest more - in terms of time and expertise - on risk culture if they are to be effective. There is a range of practice currently and this issue, together with others that concern boards as well as supervisors such as strategy and business model, risk strategy, and board effectiveness, if not handled well could strain both supervisor and board resources. Nevertheless, ensuring the time and resources remains a significant challenge. The FSB's Supervisory Intensity and Effectiveness Group is doing work on risk culture and expects to have a draft report later in Supervisors are aware of the limitations of what can or should be achieved, so are aiming to set out a framework rather than giving prescriptions.

Some areas for further consideration

What the above shows is that even with the strongest commitment by firms and supervisors and even with the lessons learned in recent years, the setting, promotion, monitoring, assessment, enforcement and correction of risk culture still needs work, presents a number of challenging questions and will never be easy. The only way to ensure progress will be through continued discussion, sharing of practices and cooperation between firms and supervisors. There are, though, some areas where useful work can already be done (and is being done). The symposium shone a light on three in particular:
i. As noted above, how to identify and reward good behaviors both in risk managers and in business units, and in firms as a whole. How should a Board recognize a CRO doing excellent work?
How should a supervisor recognize and reward a firm with a "best in class" approach to risk culture?
ii. Whether there are insights from behavioral economics that can be useful and, if so, how to translate them into improvements. Supervisors in de Nederlandsche Bank (DNB) are doing pioneering work in this field, looking for instance at cases where firms might appear to be doing well, but there might be patterns of behavior that could create risk, and how supervisors should react.
iii. The need to learn lessons from outside the financial sector. Examples from other areas include: the military's looking at behavioral influences in teams to learn how to better introduce new technologies with reduced accidents; lessons from oil and gas industries, including reports on culture factors contributing to catastrophes; work in the nuclear industry; and health care industries. Lessons also include ways to address cultural issues effectively. Examples include not immediately allocating blame but rather finding ways to incent teams to behave differently and learn new approaches, involving middle management and front line team leaders in driving change, and finding ways for individual teams to learn from the successes of others in the organization.

Sound risk culture, then, is a shared concern of supervisors, Boards and the management of firms. Firms need to make progress both now and on an ongoing and sustainable basis. Nevertheless, the practical questions and challenges remain significant. There is considerable scope for further work and thought on these in the coming years.