Why Risk Culture Building should be the most important item on the Board Agenda

Making the cultivation of an effective risk culture the foremost priority on the Board agenda is imperative for all corporate organisations, given its pivotal role in safeguarding long-term viability and reputation. In an era characterized by heightened regulatory scrutiny, evolving market dynamics, and escalating cyber threats, the establishment of an effective risk culture is essential for navigating uncertainties with resilience and confidence. By prioritizing risk culture building, boards can proactively address the root causes of compliance failures, ethical lapses, and operational inefficiencies that undermine trust, erode shareholder value, and expose the organisation to reputational and financial risks.

The significance of risk culture transcends mere regulatory compliance, encompassing a holistic approach to risk management that permeates every facet of the organisation. From frontline employees to senior executives, every member of the corporate entity plays a crucial role in identifying, assessing, and mitigating risks. By fostering a culture where risk awareness, ethical conduct, and accountability are deeply embedded in the organisational fabric, boards can create an environment where employees are empowered to make informed decisions aligned with the organisation’s risk appetite and strategic objectives. Furthermore, by embracing a culture of continuous learning, adaptation, and innovation, organisations can harness the collective intelligence of their workforce to anticipate emerging risks, capitalize on opportunities, and drive sustainable growth in an increasingly competitive and volatile marketplace.

The proactive cultivation of an effective risk culture can serve as a strategic differentiator, enhancing the organisation’s resilience, agility, and reputation in the eyes of customers, investors, and regulators alike. By investing in ongoing training and development initiatives, fostering open communication and collaboration, and embedding risk management competencies into the organisation’s core values and behaviours, boards can instil confidence in stakeholders and position the corporate entity for long-term success. Ultimately, by making risk culture building the foremost priority on the Board agenda, organisations can fortify their defences against emerging threats, seize opportunities for innovation and growth, and create sustainable value for all stakeholders in an increasingly uncertain and interconnected world.

Boards of Directors continue to face increasing accountability for ensuring their organisations are effectively managing risk. Yet, despite improvements in risk identification, reporting, and strategic risk management initiatives, regulators still question whether organisations are truly engaging in the right ways on the top risks that could bring down an individual bank or have a broader systemic impact.

Organisations rely on trust; and while it takes years to establish that with the public, it can be lost in a moment through failures caused by break-downs in ethics, values, and bad behaviors. Organisations and banking today stand in disrepute. Poor cultural fundamentals and significant people risk failures were major drivers of the financial crisis, and continue to be factors in the scandals since then, aggravated by staff with questionable conduct and values.

Huge fines imposed by regulators make spectacular newspaper headlines, but we have recently seen that this will not always be the case as the Monetary Authority of Singapore (MAS) closed down a bank for “serious breaches of anti-money laundering requirements, poor management oversight of the bank’s operations, and gross misconduct by some of the bank’s staff” (1) MAS also referred the names of some senior management and staff to the Public Prosecutor to evaluate whether they have committed criminal offences.

“Pursue a straightforward, upright, legitimate banking business. Never be tempted by the prospect of large returns to do anything but what may be properly done under the National Currency Act. ‘Splendid financiering’ is not legitimate banking, and ‘splendid financiers’ in banking are generally rascals or humbugs” (2) – Letter of guidance to bankers from the U.S. Comptroller of the Currency, December 1863

The Banking Industry continues to feel the pressure.  Increased regulatory attention, a sharper focus of shareholder value and better customer service expectations. Add to this, an ever more competitive and closely scrutinized market place where those who are not good at risk management are being exploited by those who are better in a race for much needed transformational change and often a rush for profits.

The Human Factor is the weakest link in cyber security and as organisations continue to push through their own cultural change programs aimed at instilling better behaviours, something that many risk practitioners attribute to the failings that led to the financial crisis, the role of operational risk in helping to embed the right approaches within the business seems to be gaining traction.

“Our people need to understand that, okay, so you can’t go and do that in your personal life, right? You can’t do that against family, against friends, against neighbors. You’ve got to still be a model citizen in cyberspace” (3) -Steven LaFountain, Centers of Academic Excellence in Information Assurance/Cyber Defense

There will always be people risk and some bad outcomes, but it’s got to be controlled and managed to within a risk appetite level that you’re comfortable with; and that is consistent with the performance and reputation that the bank would like to achieve.

We know that any organisation’s risk culture matures over a long period of time. You can’t just flick a switch to make it go from one culture to another.  “Carrots and sticks” also have limited success and often any of these just add to a bad situation of mistrust and frustration. Operational risk managers should avoid “one-size-fits-all “thinking and solutions and use their experience and foresight to exercise judgement as to which areas they should be focusing their attention.

All employees should learn basic operational risk management skills and the relevant operational risk competencies must be built into the bank’s competency framework. Skills gaps must be identified and structured training programs implemented to upskill staff. Employees could also be provided with internal and external case studies as operational risk touches literally every process and system in the bank. The key is to choose a range of examples that are both relevant to the bank and to different groups of employees at different levels within the bank. Generally, bankers have a good understanding of Operational Risks internal to the organisation, except maybe the people risks; but it is the external Operational Risks that can put you out of business very quickly.

As organisations strive to navigate an increasingly complex and dynamic landscape, the cultivation of an effective risk culture emerges as a linchpin for sustainable success. A robust risk culture transcends mere regulatory compliance, encompassing a mindset that prioritizes risk awareness, ethical conduct, and accountability across all facets of the organisation. By fostering a culture where risk management is ingrained in the fabric of daily operations, organisations can enhance resilience, mitigate vulnerabilities, and adapt more effectively to evolving threats and opportunities.

Building an effective Risk Culture will support executives to deal effectively with uncertainty and associated risk and opportunity. Risk Management does not operate in isolation but rather is an enabler of the management process. Over the past decade, risk management became more about quantitative models and less about behavioral models. Unfortunately, as we discovered during the global financial crisis, even the best quantitative models cannot predict the result of misguided behavior and when external operational risks materialize, it can kill your business.

References:

  1. Monetary Authority in Singapore, official press release, May 24th, 2016.
  2. Father of safe banking creed to be honored, Horward Wood, Chicago Tribune, February 28th, 1938
  3. Meet the NSA’s hacker recruiter, Eamon Javers, CNBC, Oct 1st, 2014

Leave a Comment

Your email address will not be published. Required fields are marked *