Page 1

Risk Culture Transformation in the Organization

Mutlu Sencan, Director, Financial Risk Management Services, EY

December 2014

Page 2

The views expressed in the following material are the author’s and do not necessarily represent the views of the Global Association of Risk Professionals (GARP), its Membership or its Management.

Page 3

Why act now: regulatory requirements and market expectations

Internal Audit should include within its scope the risk and control culture ...assessing whether the processes (e.g. appraisal and remuneration) and actions (e.g. decision making) are in line with the values, ethics, risk appetite and policies of the organisation.

Source: Chartered Institute of Internal Auditors (IIA) – Effective Internal Audit in the Financial Services Sector, Final Recommendations, July, 2013

► Regulatory fines and public settlements imposed have significantly increased in recent years, e.g., $2.6bn to date from the Libor scandal and $9bn regarding alleged mortgage foreclosure wrongdoing… in many cases highlighting bad behaviours and weak culture

► Company directors and regulators are increasingly focused on assessing, and being seen to assess, risk culture

► Strong risk culture balances stakeholder needs, making it an organisation where:
  ► People want to work
  ► Customers are loyal
  ► Regulators have confidence
  ► Investors want to invest

Directors and management need to focus on strengthening risk culture, so that, put simply, there is clear and consistent understanding by management and employees of what constitutes “good” and “bad” risk behaviour. Risk culture should be supported by appropriate incentives and penalties.

Source: Michael Alix, SVP Federal Reserve – “Remarks at the Risk USA November 2012 conference”

Business failures, customer detriment and stakeholders’ expectations are resulting in increasingly interventionist regulators and a shift of debate from “risk culture can’t be measured” to “we need to demonstrate what we’re doing about strengthening risk culture by reinforcing the right attitudes and behaviours”

The board, with support from senior management, is expected to establish and maintain the firm’s culture…that promotes its compliance with laws, regulations, and supervisory guidance. The board should assign senior managers with the responsibility for ensuring that compensation arrangements and other incentives are consistent with the corporate culture and institutional risk appetite.

Source: Federal Reserve Board of Governors SR letter 12-17, December 2012

Page 4

Introduction

The essence of risk culture is the creation of an environment where decisions by individuals or business lines and by the executive management committee will be in line with the risk goals of the board.

Risk Culture Failures

► Lack of focus on known but unlikely risks
► Trade-offs leading to too much risk
► Failure of senior management to uncover risks
► Risk reduction not seen as a priority by employees
► Individual risky behavior

1. Risk-taking and reporting lack transparency, especially at board level.

2. Risk appetite is not embedded in business decision-making, leading to inadequate control over risk, risk creep and strategic drift.

3. Behavior is compliance-focused or control-reliant, rather than focused on the risk that the controls might break and that there might be intrinsic risk in activities.

4. The front office lacks risk ownership, including for nonfinancial risk, making the risk organization or compliance the de facto first line of defense.

5. Effective control structures are lacking — breaches of controls do not always have consequences.

6. Incentive structures are driving poor behaviors, in particular a sales-driven culture.

7. Capacity, complexity and resourcing within risk functions have led to teams being too widely stretched, not having the right skills, or not keeping up with changes in the institution’s development.

8. There is a lack of oversight from the board on risk issues.

9. The presence of multiple cultures within one organization results in conflicting messages and different “tones from the middle.”

Page 5

Selected Regulatory Texts on Risk Culture

Audit Committee Training – Page 4

► Walker Report: A review of corporate governance in UK banks and other financial industry entities, Final recommendations, November 2009

► The Dutch regulator (DNB) has made it one of three audit themes for 2010: “In 2009 DNB assessed the influence of behavior and culture on the integrity of institutions and the role of the supervisor in this process. DNB will now implement the acquired insights in its supervisory tasks. […] DNB will explicitly focus on these two topics during supervision discussions and will perform an in-depth analysis at a number of institutions. […]”

► The Financial Stability Board (FSB), “Guidance on Supervisory Interaction with Financial Institutions on Risk Culture (A Framework for Assessing Risk Culture)”, 2013

► Financial Conduct Authority, FCA Risk Outlook 2014

Page 6

How to relate risk culture to the Risk Operating Model

With the evolution of risk management, attention moves to the importance and effectiveness of the risk culture within the organization.

Components of the Risk Operating Model:

► Risk Transparency
► Data Systems & Infrastructure
► People and Organization
► Governance and Culture
► Processes & Controls
► Risk Appetite, Strategy & Goals

Risk Culture, as defined by the 2009 International Institute of Finance report “Reform in the financial services industry: Strengthening Practices for a More Stable System”: the norms of behavior of the individuals and groups within an organization that determine the collective ability to identify and understand, to openly discuss and act on the organization’s current and future risks.

Page 7

Drivers of Strong Risk Culture

Source: Speech by Clive Adamson, Director of Supervision, the FCA, at the CFA Society – UK Professionalism Conference, London.

► Setting the tone from the top
► Translating this into easily understood business practices
► Supporting the right behaviors through performance management, employee development, and reinforcing through reward programs

Setting the tone from the top

Setting the tone is all about creating a culture where everyone has ownership and responsibility for doing the right thing, because it is the right thing to do. It is about setting values and translating them into behaviors.

This can only be established by the CEO and other members of the senior management team, who need to not only set out the key company values, but also personally demonstrate they mean them through their actions.

These clearly go wider than those that directly impact what we, as the conduct regulator, are looking for, but should clearly include these.

Translating this into business practices

The task then is to translate this tone into business practices that drive how business decisions are made, how the firm responds to events, how individuals should behave and how issues are elevated in an open way.

Translating culture into business practices is a way to make culture into something more hard edged.

Effective communication

Performance management, employee development and reward programs

Performance management, employee development and reward programs are clearly a powerful lever to influence the culture of any organization.

In financial services the misalignment between incentive structures and corporate values has led to significant damage.

► Employees struggle to understand their own incentive schemes because of their complexity.

Effective recruitment and promotion policies, development and performance management are an important lever for the firm to incentivize and reward its employees in a responsible way and encourage the right outcomes.

Page 8

Methodology: framework for mechanisms and behaviours

The framework combines culture mechanisms, grouped as Leadership, Organisation, Risk framework and Incentives, with the behaviours outcomes they are meant to deliver.

Risk culture mechanisms

To deliver an appropriate risk culture, a variety of mechanisms need to be in place and be effective. When in place and effective, the mechanisms contribute to delivering the desired behaviours outcomes.

► Leadership: tone from the top; risk behaviours standards
► Organisation: roles and responsibilities; risk governance
► Risk framework: risk transparency; risk appetite
► Incentives: employee life cycle; rewards

Behaviours outcomes

► Communicating the right message
► Establishing the right environment
► Providing the right motivations
► Taking the right risks

Behaviours: advocate; adaptable; communicative; ethical and compliant; lead and influence; analyse and interpret; collaborative; responsible and accountable.

Attributes of a sound risk culture

► Leadership – tone from the middle aligned with tone from the top and desired risk behaviours are established
► Organisation – governance and business model support the delivery of desired risk behaviours and enable strong accountability and effective challenge
► Risk framework – risk management framework is embedded in the way the business manages risk and enables effective challenge
► Incentives – employee lifecycle and incentives support the delivery of desired risk behaviors

Page 9

Desired Risk Culture: designing risk culture through other initiatives

Across the industry, programs are in place to change or redevelop the mechanisms needed for a strong culture: risk appetite, accountability, operational models and control effectiveness, training programs, risk transparency and risk governance.

Risk Appetite

► Redesigning the appetite and other frameworks, including overall governance and board involvement
► Creation of risk appetite for non-financial risks: conduct, compliance, legal, IT, HR
► Embedding risk appetite in the business

Accountability

► Creation of clear front office accountability for all risk linked to activities defined by P&L responsibilities
► Skills enhancement of internal audit and change in role so that they can independently review the risk appetite framework and overall risk governance

Operational Models and Control Effectiveness

The LIBOR/FX and insurance mis-selling and other conduct events have resulted in financial institutions undertaking:

► End-to-end control effectiveness assessments focused on non-financial risks
► Firm-wide risk assessment
► Review of controls for higher-risk activities

Training Programs

To reinforce messages about culture, risk accountability and risk appetite, training programs should be developed, including the understanding of risk goals, case studies and board training programs.

Risk Transparency

Effective risk transparency is essential to support a strong risk culture and ensure that risk appetite is adhered to. This has a number of components:

► Management information
► Risk measurement

Risk Governance

Programs are reviewing the effectiveness of risk governance, covering a variety of aspects including:

► Redesign of the three lines of defense
► Effectiveness of risk systems
► Improving risk monitoring

Page 10

Risk Culture Approach Framework and AS IS Situation

Risk Culture–Governance Relation

► Strategic Objectives
► Governance Framework: Boards’ responsibilities & Tone at the top
► Risk Governance Framework: Formal Roles of Business; Formal Roles of Risk Mgmt; Formal Roles of Audit; Stated Authority and Stature
► Risk Culture: Artifacts; Values & Norms; Communication patterns; Espoused values; Informal Roles of Business; Informal Roles of Risk Mgmt; Informal Roles of Audit; Perceived Authority and Stature; Hidden Assumptions; Role Experience

AS IS Situation

“Trying to change something is like moving a cemetery. Change is not easy. People have a tendency to hold on to the dysfunctional patterns. The reason why they cling to the status quo is not easy to determine.” (Kets de Vries, Balazs 2010)

Page 11

Transition to “Strong” Risk Culture

External forces:

► Market discipline
► Regulatory requirements

Transition to To Be:

► Change in Boards’ responsibilities
► Change in Tone at the top
► Change in espoused values
► Change in formal roles of L1-3
► Change in role perception and experience

Stages of Resistance to Change

The culture of an organisation is ultimately defined by the behaviours of its people. The best way to assess and improve the control environment is to assess the behaviours of your people and identify interventions to change and sustain these in a tangible manner.

Page 12

Board Responsibilities in the Transition

The Board sets the “tone at the top”, has overall responsibility to measure and manage the organization’s risk culture, and delegates this responsibility to Management. The Board:

► Creates an annual calendar of major topics to be presented to the board and its sub-committees
► Defines the risk culture, supported by clear policies on how the culture will be developed and maintained
► Approves the firm-wide risk governance framework and, within this, the risk management framework, including risk policies
► Is supported by a board risk committee and a board audit committee, where these are needed to increase board efficiency and allow deeper analysis
► Sets the mandate for these committees
► Approves the supporting framework of internal controls and, specifically, delegated authorities.

Page 13

The way forward: steps towards successful Risk Culture

All financial institutions should take actions to assess risk culture and make it more robust. These include:

► Identifying the key aspects of a sound risk culture and reviewing the current culture against them

► Ensuring that risk appetite covers financial and nonfinancial risks and is embedded in business decisions

► Reviewing risk governance processes to ensure that responsibilities are clear, the framework is effective and the front office owns all the risk

► Reviewing people processes and reward mechanisms to ensure that these are aligned with the targeted risk culture

Page 14

Auditing risk culture: influencing culture to deliver better risk outcomes

In-line with the approach typically used for internal audits, our assessment of risk culture includes:

► Identifying and assessing risks;

► Identifying controls to mitigate those risks;

► Testing the adequacy and effectiveness of those controls.

The assessment needs to be relevant and comparable across time, geography, seniority and business units. The goal is to make the intangible tangible by using a model of risk culture which is evidence-based, in addition to conducting surveys and interviews:

► Interviews, which help assess organisational direction, and design of risk culture controls;

► Surveys, to assess team’s perceptions of the controls in place and their behaviours in hypothetical situations; and

► Documentation review, to evidence design and effectiveness of controls.

By using an approach consistent with that of any other internal audit and by following similar steps, we can better integrate this layer of cultural assessment in IA’s day to day approach.

It is important to introduce a common language and framework for risk culture which is evidence-based and connected to the organisation’s existing infrastructure.

Page 15

Key Challenges for Risk Culture Audit

► Creating a robust and sustainable testing approach on an otherwise subjective topic
► New ground for internal audit teams
► There is no one-size-fits-all solution
► Understanding what is expected of internal auditors over the next 12 months given the growing Regulatory and Board expectations on risk culture
► Determining which underlying employee behaviors to focus on
► Embedding considerations of risk culture into other audits
► Using risk culture findings to identify areas for further focus
► Resistance from management with concerns about extension of scope, the basis for assessment and the ability of the IA team to deliver
► Need to join the dots across different audits to identify emerging themes
► Combining traditional “hard” process and control challenges with more subjective and perception-based analysis
► Translating values and behaviors into items that can be tested
► Surveys on risk culture provide only limited insight and need to be carefully designed, statistically tested and interpreted
► Combining both quantitative and qualitative methods may require an element of internal auditor judgment and “gut-feel”
► New skills will be needed by internal audit teams, potentially including additional resourcing with different skillsets and seniority to undertake the relationship, communication and analysis surrounding the new audit remit
► Reporting of culture issues needs to be enhanced as traditional audit reporting may not be sufficient
► Positioning of inappropriate culture as a root cause of specific control issues rather than a broader deficiency in its own right.