Making culture count Strengthening culture for better risk and compliance outcomes February 2018
Risk culture is the collective attitudes, perceptions, beliefs and behaviors that impact risk and affect outcomes.
What is risk culture?

Risk culture influences business strategy, its execution, risk governance and, ultimately, firm outcomes. Every organization has a risk culture that determines the collective ability to identify, understand, openly discuss and act on risk.

Risk culture is an important subset of an organization's overall culture; there is high correlation between the two. A large organization will not have one risk culture; smaller subcultures will exist in different lines of business, geographies, etc.

Risk culture is not something you can design and execute. Rather, it is the outcome of a series of trade-offs across a number of dimensions.

EY's definition and underlying methodology place a risk lens on:
- Attitudes: what people think
- Perceptions and beliefs: the conclusions people make about what's important
- Behaviors: what people do
- Outcomes: the results

[Figure: A sound risk culture is essential for ensuring effective risk governance. Labels: Talent and incentives; Risk transparency, MIS and data; Board risk oversight; Risk culture; Risk appetite framework; Risk governance; Risk accountability (3LoD); Controls effectiveness.]
Why culture counts

There is a strong causal link between conduct failings and poor risk culture. This has resulted in significant financial losses and fines.

Over the past five years, firms have paid out more than US$300 billion in fines, settlements and remediation as a consequence of misconduct.¹ These costs are a big part of the reason that banks' return on equity has fallen below their cost of capital.²

Top reasons banks give for culture breakdown:
1. Conflict between a sales-driven first-line culture and firm's risk culture
2. Lack of first-line accountability
3. Too great a focus on meeting targets
4. Profit and market share pressure
5. Messages not cascaded effectively throughout the organization

"Six years ago, the Global Financial Crisis tipped national economies into recession and brought to their knees some of the most hallowed names in the financial industry ... And six years after the Crisis broke, the global industry continues to be dogged by shocking revelations of financial malfeasance, mis-selling, and dishonesty."³
Ravi Menon, Managing Director, MAS, January 2015

"Getting the culture right in financial institutions is critical because poor culture can be a driver of poor conduct. The financial industry's most valuable asset, trust, can be significantly undermined by poor conduct. And all financial institutions need their customers to trust them in order to build a sustainable business."⁴
Lee Boon Ngiap, Assistant Managing Director, MAS, March 2017

¹ Conduct Costs Project Report, CCP Research Foundation, August 2017.
² Capital Markets: building the investment bank of the future, EY, October 2016.
³ MAS-Singapore Academy of Law Conference, 23 January 2015.
⁴ 2017 Annual Luncheon of the Life Insurance Association Singapore, 6 March 2017.
Regulatory focus on risk culture is growing

Globally and across APAC, there has been a significant increase in the supervisory focus on risk culture.
- A growing number of regulators are more clearly documenting their risk culture expectations, e.g., the Financial Conduct Authority (FCA) in the UK, the Hong Kong Monetary Authority (HKMA) and the Australian Prudential Regulation Authority (APRA).
- Regulators have introduced, or are considering, senior manager or accountable executive regimes to increase accountability for risk culture and conduct outcomes, e.g., the FCA Senior Managers Regime, the Hong Kong Securities and Futures Commission Manager-In-Charge (MIC) regime and the APRA Banking Executive Accountability Regime.
- Some regulators are using multidisciplinary teams, including behavioral psychologists, when undertaking risk culture reviews (e.g., APRA).

Key themes emerging from this regulatory focus include:
1. Tone from the top: does the bank's C-suite, especially its CEO, consistently send the right message on risk? Does the board reinforce this message? Is it communicated effectively across the organization, and is it consistent with the tone from the middle?
2. Accountability: does the bank hold senior managers accountable for managing risk effectively?
3. Incentives: does the bank's rewards program support effective risk management or inadvertently create an incentive for misconduct?
4. Effective communications and challenge: does the risk message get through? Are escalation paths clearly defined and understood? If the message is wrong, or the delivery goes awry, will someone point this out? How is effective challenge viewed and what protections for whistle-blowers exist?

In Singapore, financial institutions report three key questions being asked during supervisory inspections:
1. What is your risk culture?
2. What is this based on?
3. What are you doing to improve risk culture?
55% of firms report that regulators are showing interest in firm risk culture.*

*Seventh annual global EY/IIF bank risk management survey
... however, risk culture remains a challenge for many financial institutions

Many firms continue to experience challenges in improving culture.

Top challenges:
- Messages not cascading throughout firm
- Lack of first-line accountability
- Conflict between sales-driven first-line and firm's target culture

54% of firms believe understanding of desired behaviors varies across their firm.*

1. Most firms are not investing significantly in understanding or transforming their organizational culture, and conduct risk is not well integrated into enterprise risk management frameworks.
2. Responses to date have been limited to internal senior management surveys, culture questions added to people engagement surveys or corporate communications initiatives with a focus on firm values.
3. Where surveys have been initiated, firms struggle to interpret the findings or identify where problems and conduct hot spots might exist.
4. CROs report that culture and conduct are not seen as core to firm strategy or business objectives and there remains a lack of alignment between tone from the top and tone from the middle.
5. Performance incentives are not used to drive the firm's risk, compliance and conduct agenda. Where KPIs for conduct, compliance, risk or governance objectives have been introduced, these remain poorly defined.

*Seventh annual global EY/IIF bank risk management survey
What should you be considering?

Financial services firms face three simple questions when addressing risk culture:
1. What is our risk culture?
2. What is this based on?
3. What are we doing about our risk culture?

To address these questions, financial institutions should consider the following actions:

1. Defining what risk culture means for your organization:
   - Define a continuum of behaviors from unacceptable to desired
   - Identify and prioritize the mechanisms that influence employees
   - Agree on an assessment approach, e.g., determine the optimal combination of qualitative measures and quantitative analysis

2. Assessing risk culture to determine what it is based on:
   - Identify areas of good risk culture along with areas of potential vulnerability, e.g., behavioral issues and mechanisms to strengthen to deliver desired behaviors
   - Prioritize gaps and identify interventions
   - Agree on an ongoing monitoring or assurance process

3. Changing risk culture through interventions:
   - Communicate and train desired behaviors
   - Address immediate behavioral issues
   - Strengthen the mechanisms that deliver the desired behaviors, e.g., HR processes, risk appetite and risk governance
EY's Risk Culture Framework

To embed an appropriate culture and manage organizational risk, a variety of enablers need to be in place and be effective. When in place and effective, these enablers contribute to delivering desired behaviors and outcomes. EY's five enablers are described below.

[Figure: Risk culture enablers. Labels: Leadership; Organizational structure; Risk management framework; Organizational capability; Talent management; Motivation; Responsiveness; Capabilities; Relationships; Risk transparency; Strategy; Risk appetite; Tone at top and from middle; Roles and responsibilities; Governance; Behaviors; Outcomes.]

- Leadership: tone from the middle is aligned with tone from the top and desired behaviors are established and role modeled.
- Organizational structure: risk governance and operating model support the delivery of desired behaviors and enable strong accountability and effective challenge.
- Risk management framework: risk management framework is embedded in the way the business manages risk and enables effective challenge.
- Organizational capability: lessons are learned and root causes are addressed. Constructive, collaborative behaviors are expected and measured.
- Talent management: employee life cycle and incentives are aligned to risk appetite and reinforce the delivery of desired behaviors.
How EY can help

Across APAC and globally, EY has supported banks and insurance organizations in their risk culture journey.

Defining the ambition
- Support for boards and senior management teams to define their risk culture objectives and the target conduct principles, values and behaviors that will promote a sound risk culture
- Enhancements to governance and accountability frameworks for setting, promoting and overseeing culture
- Establishing the essentials of effective risk reporting and escalation on behavioral and conduct matters
- Embedding effective culture and conduct risk measures into performance management

Risk culture assessment
- Multidisciplinary approach leveraging an experienced team of risk, regulatory and behavioral psychology professionals
- Proven methodology balancing quantitative data with qualitative assessments through a range of interview and focus group-based sessions to ensure a deep understanding of the drivers of risk culture and how these vary across the organization
- EY's market-leading research-backed analytics and diagnostic tool that focuses on behavior, culture and ethics and analyzes where these spheres are benefiting or hindering your risk and compliance objectives

Culture change programs
- Bespoke and fully integrated culture transformation programs that are actionable and measurable, focusing on governance, communication and training initiatives addressing:
   - Leadership capabilities and getting tone from the top right
   - Strengthening and aligning tone from the middle
   - Consolidating risk governance and accountability
   - Aligning the talent life cycle to risk, compliance and conduct objectives
- Culture and conduct metrics and dashboards to track and monitor progress over time
Ready to start your risk culture journey?

Key Singapore contacts

David Scott
Financial Services Risk
+65 6309 8031
david.scott@sg.ey.com

Maggi Hughes
Financial Services Risk
+65 6309 8268
maggi.hughes@sg.ey.com

Joanne Abbott
People Advisory Services
+65 6309 6128
joanne.abbott@sg.ey.com
EY | Assurance | Tax | Transactions | Advisory

About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

© 2018 EYGM Limited. All Rights Reserved.
EYG no: 00605-184GBL
ED None

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax or other professional advice. Please refer to your advisors for specific advice.

ey.com