Risk culture

3 Risk culture

1Risk culture

Concerns about risk culture have arisen from the risk taking pre crisis and even more from the disclosures of conduct failures globally. This has led to a focus from boards and regulators on how to ensure that culture is appropriate.

The enhanced regulatory focus is underlined by papers from the Financial Stability Board and by changes in approach of many individual regulators including both the PRA and FCA in the UK, and the OCC in the US.

► This is reflected in a focus on a range of areas including tone from the top, approach to conduct issues and customers, quality of risk controls, embedding of risk appetite, true accountability of the front office and HR policies and incentives

► Banks and insurers can expect questions about culture and improvement enablers as part of the usual supervisory process

► Boards and senior management of financial institutions are expected to hold all levels of the organization accountable for their behavior and to monitor ongoing behavior

► Boards are now asking whether management are fostering a sound risk culture which supports their strategic thinking, specifically asking:

► “What behaviors do we want to see exhibited in the institution?”

► “How do we find out what the institutions’ risk culture is like today?”

► “How do we move risk culture to where we want it to be?”

► “Once we have attained the desired risk culture, how will it be sustained?”

While progress has been made by many financial institutions, embedding risk culture throughout the institution will remain a key challenge for many years to come — cultural change does not happen overnight.

Why now?

2 Risk culture

Frequent errors in risk culture improvement programs

► Believing there is only one “correct” answer

► Failure to sufficiently understand impact of variances in national cultures

► Time lost contemplating in the abstract. This results in scope and concentration “drift”

► Overlooking the power of “tone from the middle”

► Not recognizing the connectivity between risk culture and related organizational initiatives — e.g., risk appetite, consequence management, control embeddedness.

What are the key questions you should be asking yourself?Financial institutions face three simple questions when addressing risk culture:

► What is our risk culture?

► How do we assess risk culture?

► What are we doing to sustain and/or change our risk culture?

Addressing the key questionsFirms should consider the following actions …

► Understand emerging regulatory expectations

► Define the institution’s framework for risk culture with risk appetite and governance as its foundations

► Define what a sound risk culture means for the institution

► Determine how culture is supported and enabled by existing risk frameworks (e.g., embedding risk appetite), human resources (e.g., performance management) and operating model (e.g., delegation of authority) activities within the firm

► Clearly define roles and responsibilities across the institution, e.g., the three lines of defence model

► Conduct an “as-is” analysis to highlight the “good” elements of the firm’s risk culture and identify the “vulnerable” areas

► Develop an action plan to remediate the vulnerable areas and monitor culture on an on-going basis to show progress

► Develop a clear, consistent and sustainable approach to monitoring and assessing behaviors going forward

► Report to Management and the Board for improvement endorsements.

3Risk culture

Reasons firms engage in risk culture initiatives

► Recognise the contribution of attitudes and behaviors towards risk outcomes

► Develop tangible fact-based evidence from which to prioritize and assess differential investments

► Establish an internal reference point for longitudinal comparison across time, geographies and business units

► Facilitate smoother regulatory engagements

► Meet Board’s expectations to define and evidence risk culture

► Contribute to a defendable position being established.

Our EY approachWe can help clients in building a sustainable end-to-end risk culture program, incorporating behavioral framework development, assessment, prioritization and implementation of cultural change initiatives, and the development of ongoing monitoring/assurance programs for sustainability. We recognize that our clients may have differing degrees of maturity on their culture programs. We can assess their program, build their program or assist in part of their program.

We have developed a suite of frameworks and tools to assess, build and deliver culture frameworks.

Features of our approach ► We believe that risk culture should be viewed from

a number of angles and effective review needs to take into account HR aspects as well as risk governance, tone from the top, accountability and other elements

► We will provide a team with all the requisite skills to assess all these elements and the experience to organize a targeted interview approach to substitute or complement wider surveys/assessments

► Our framework is our starting point — we work with our clients to tailor this to their specific organization and needs, we can deploy a range of assessment approaches to suit clients’ needs, leaving a bespoke framework, repeatable process and skills to facilitate future assessment of risk culture over time

► Our assessment is focused on reviewing and assessing three elements of each mechanism design, execution, outcome

► We build upon existing, available data and information without “boiling the ocean”

► We can tailor a survey which can be quickly and cost-efficiently rolled out to parts of, or the whole of an organization

► We leverage and synthesize a firm’s existing risk culture data into a framework for a phased assessment

► Our approach is designed to be a robust, repeatable process which is based on both quantitative and qualitative analysis reducing bias and subjectivity

► The outputs of our work are designed to be applicable and usable for different audiences such as Board, executive, shareholders and regulators

► We truncate time frames and scale investment because our assessment is risk based

► The assessment is only one element of a risk culture program. We can undertake an end-to-end program, define risk culture, build a behavioral-based framework, assess, develop and implement prioritized initiatives to change behaviors and develop sustainable, ongoing monitoring/assurance programs

► We can also help you to move on from assessment to effective change of culture by harnessing our wide experience of different programs to ensure an approach which will deliver results.

4 Risk culture

Considerations for strengthening risk culture: embedding a risk culture program

Financial institutions should consider the steps below to strengthen and sustain a sound risk culture. Indicators should be defined to allow for assessment, benchmarking, reporting and on-going monitoring. Regular assessments along with a related monitoring and assurance process would help identify and prioritize areas where changes to risk behaviors are required.

Define and assess risk culture Strengthen and sustain risk culture

1 2 3 4Framework definition Change initiativesOn-going monitoring/

assuranceAssessment

► Define objectives of framework

► Define risk values and related risk behaviors

► Identify mechanisms which influence risk behaviors

► Define risk culture roles and responsibilities across the three lines of defence

► Alignment of risk values with day to day behaviors

► Mechanism framework identifying the areas of impact on risk culture

► Defined roles and responsibilities for risk culture

► Identification and prioritization of key initiatives to change culture:

► Organizational e.g., TOM, governance arrangements, 3LoD, control framework

► Risk e.g., risk appetite, risk information, stress testing

► HR e.g., incentive programs, performance management, leadership

► Operations e.g., IT, operating model

► Practical and prioritized initiatives to drive the greatest impact to change risk culture, linking in with wider initiatives such as Conduct Risk, Governance, Behavior Economics, Reward

► Conduct fieldwork and analysis e.g.,:

► Survey based approach including leadership perceptions

► Process based approaches (qualitative and quantitative)

► Customer experience approaches

► Benchmarking and reporting

► Robust analysis of the “as is” risk culture through mechanism assessments

► Provides clear evidence of “as is” culture

► Early identification of culture “hot spots” across the business through identifying undesirable risk culture outcomes

► Risk culture indicators for ongoing monitoring

► Triggers for action

► On-going risk culture assessment, benchmarking and reporting

► Tracking risk culture change

► Audit of risk and control culture, e.g., within each audit, targeted audits of high-risk areas

► Ongoing monitoring tools to monitor progress independently

► Sustainable assurance methodology

5Risk culture

Our market leading expertise

► We have experience in delivery of culture projects and subsequent change projects

► Working on behalf of IFRI, we developed a market leading paper on risk culture practices. We combined our insights of industry practices on risk culture with the 27 Global CRO IFRI members, presenting our report in New York in May 2014

► We have surveyed the industry to understand challenges and actions taken

► Extensive information on progress and approach in 50 or more major international banks from our EY/IIF Risk Governance surveys

► Close working relationships with regulators across regions

► Sought input from academics on methodology

► Provided input on the new IIA code in the UK

► A member of the group who wrote the FSB paper recently joined EY

► We are working closely with Tapestry Networks on risk culture initiatives, e.g., how to demonstrate, assess and instil a strong risk culture

► 2013/14 initiative with the Bank Governance Leadership Network

► One-to-one discussions with CROs of the top 15–20 global banks

► Roundtables with CROs and NEDs (New York, London)

► We have an established global risk culture working team

► We have developed our risk culture solutions, leveraging cross-service line skills and experience across EY

► We have joined up our client offerings across wider propositions such as risk appetite, conduct risk, behavioral economics, corporate ethics, etc.

Key UK contactsClive Martin

T: + 44 20 7951 1850 E: cmartin1@uk.ey.com

Patricia Jackson

T: + 44 20 7951 7564 E: pjackson@uk.ey.com

Gayle Sparkes

T: + 44 20 7951 9704 E: gsparkes@uk.ey.com

Neal Writer

T: + 44 20 795 17028 E: nwriter@uk.ey.com

Stuart Steele

T: + 44 (0) 207 9518 405 E: ssteele1@uk.ey.com

Vishal Khosla

T: + 44 207 951 5402 E: vkhosla@uk.ey.com

Andrew Deveney

T: + 44 207 197 9313 E: adeveney@uk.ey.com

EY | Assurance | Tax | Transactions | Advisory

About EYEY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

© 2014 EYGM Limited. All Rights Reserved.

EYG No. XX0000

1488310.indd (UK) 09/14. Artwork by Creative Services Group Design.

ED None

In line with EY’s commitment to minimize its impact on the environment, this document has been printed on paper with a high recycled content.

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice.

ey.com