promontory.com | InFocus | October 14, 2015 | By Susan Krause Bell

Developing a Sound Risk and Compliance Culture

Seven years after the financial crisis and five years since the Dodd-Frank Act's passage into law, supervisors' expectations are still rising. In addition to the numerous new or strengthened regulations emerging in the wake of the crisis, regulators are increasingly talking about problems with financial firms' culture of risk and compliance. The emphasis on risk culture is motivated, in part, by recent high-profile conduct missteps at several large banks, lapses that occurred in spite of the significant strengthening of prudential standards. It also reflects a long-standing and consistent regulatory focus on sound and sustainable risk management practices.

About the author: Susan Krause Bell is a managing director at Promontory, where she advises clients on regulatory issues, including the Dodd-Frank Act and Basel capital rules, and supervisory priorities, including enterprise risk management and corporate governance. She also assists financial institutions in managing and implementing regulatory directives.

That regulators expect banking organizations and other financial institutions to have effective governance, risk management, and compliance programs is nothing new. What discussions of risk culture add to the mix is a sharper focus on whether the company's employees demonstrate the behavioral norms and attitudes that align with the risk appetite and other governance and risk management policies that management has adopted and the board has approved. If this is not the case, the approved policies are not likely to be implemented as intended, leading to ineffective risk management and possible missteps that may be costly to the banks and their shareholders, and potentially harmful to the public and the broader financial system.
While conceptually not difficult to understand, risk culture is not easily observable or measurable, particularly in large organizations where subcultures often exist. Knowing whether an effective risk culture exists within an organization, what steps to take to improve it, and when to do so can be somewhat baffling. The issue becomes less daunting if one looks at culture as a prerequisite for effective risk management. Behaviors, attitudes, and incentives that are aligned with a financial company's risk policies are just as important to effective risk outcomes as are, for example, comprehensive, well-governed risk data, or robust internal controls. Focusing on risk culture may become more tractable and its value better appreciated if it is viewed as an essential element of an effective and sustainable independent risk management program.

Risk Culture's Rising Prominence

The Financial Stability Board issued the first official policy focused on risk culture with its April 2014 guidance to supervisors on how to evaluate risk culture at financial institutions.[1] Since then, U.S. supervisors have addressed risk culture only in a limited way in official guidance or regulations.

[1] See http://www.financialstabilityboard.org/wp-content/uploads/140407.pdf; for more information, see "Spotlight Turns to Risk Culture," Promontory Sightlines InFocus, March 2014, https://www.promontory.com/uploadedfiles/articles/insights/140320_sightlines_infocus_riskculture%20final.pdf.
The Office of the Comptroller of the Currency included references to risk culture when it finalized its heightened-standards guidance in September 2014. Specifically, a bank covered by the standards must include a qualitative description of a safe and sound risk culture in its risk-appetite statement. Many institutions have also found that examiners often point to culture as a weakness if they conclude risk or compliance functions are not working well.

U.S. regulators have also been vocal on the subject in speeches and meetings. Federal Reserve, OCC, and Securities and Exchange Commission officials have made numerous speeches that emphasize sound risk culture, effective compliance programs, and the importance of ethics, and they are expected to continue to do so. The Federal Reserve hosted a workshop last year on culture for large-bank chief executive officers and has another scheduled this November.

A similar chorus can be found among regulators in the U.K., Canada, Europe, and Australia. Notably, the Basel Committee on Banking Supervision's recently updated guidance on corporate governance mentions risk culture frequently, including as a key component of risk governance.[2] There have been private-sector efforts as well to bring attention to the importance of risk culture, including from academia, advisers, and industry associations.

Regulatory forays into risk culture can be expected to continue, both through the bully pulpit and through written rules and guidance. Supervisors of individual institutions can also be expected to continue their focus on cultural weaknesses through the examination and enforcement process. While the cadence and intensity of the supervisory response will be influenced somewhat by the extent to which conduct problems continue to arise at financial firms, the supervisory concerns reflected in the culture discussions are likely to have a long life.
In what follows, we offer some practical ways for directors and management to consider the issue of risk culture at their institutions, and potential steps to take to ensure that the firm's culture adequately supports sound risk management and compliance.

Building Blocks of Risk Culture

The cornerstone of an effective risk culture is a well-designed architecture for risk and compliance management. Additional building blocks provide focus on achieving the behaviors and attitudes needed to ensure the programs work as intended and are sustainable.

1. Robust risk and compliance programs

First and foremost, a banking organization must have an independent risk management framework that includes a board-approved risk-appetite statement and policies and procedures for enterprisewide risk identification, measurement, management, and control. At the highest level, the framework should:

- Establish accountability and clarify roles and responsibilities for managing risks in all three lines of defense
- Include oversight, governance, and reporting protocols
- Ensure that information and risk-measurement systems support meaningful, timely risk reports
- Ensure robust controls and independent testing

The basic design elements of the risk and compliance framework must also address the behaviors and attitudes needed to align with and support the risk-appetite statement and risk and compliance policies. These include initiatives to:

- Define the desired behaviors and attitudes that are required in all three lines of defense to effectuate and adhere to the firm's risk-appetite statement
- Foster compliance with both the spirit and the letter of the requirements
- Require firmwide training on risk management policies, roles, and responsibilities, covering not only what is required, but why it is required
- Institute a process to investigate adverse risk events when they occur to ascertain their causes, such as drivers rooted in culture and behavior, and make appropriate changes

[2] Corporate-governance principles for banks, Basel Committee on Banking Supervision, July 2015.

2. Stature of risk and compliance personnel

Risk and compliance personnel must have the authority, expertise, and influence to carry out their responsibilities to implement risk management and compliance policies, independently assess risk, and challenge business decisions when necessary. Respect within the organization for the role of the second line of defense, including the role of challenge, is an essential component of an effective risk and compliance culture. Without it, business decisions may be too heavily driven by short-term revenue considerations, regardless of what written policies require.

3. Structures for effective communication and challenge

The risk management framework should provide regular opportunities for communication about risk issues, and for constructive challenge of reports, initiatives, and decisions by applicable stakeholders. For example, a risk-committee hierarchy should include a board risk committee, a top-tier enterprise-risk committee, and risk committees within the business lines and in the second-line departments, as appropriate. A number of policies and processes should create avenues for effective communication and challenge. Examples include risk policies such as those governing regular risk assessments, new-product review processes, stress testing, and the like. In addition, the risk-appetite statement should provide a framework for the board to question senior management about appropriate risk-taking.
Even reports from the business lines, such as revenue growth from individual product lines, should be subject to constructive questioning to ensure that potential emerging risks are identified.

4. Incentive structure to reinforce risk-appetite and compliance imperatives

Incentive compensation and performance-review standards should be aligned with the organization's risk objectives and should not favor short-term revenue generation over long-term risk concerns. Performance development and promotions should incorporate risk management and compliance considerations. Compensation policies have a significant influence over behaviors and can be a powerful tool in achieving risk and compliance objectives.

5. Leadership: board and management

The board and management have an important role in setting, communicating, and modeling the firm's strategy, core values, risk appetite, and risk framework. Employees are highly influenced by what they perceive as their own managers' expectations, which gives all levels of management a powerful role in shaping the culture of a company.

The board has an important role in:

- Ensuring adequate resources are available for risk and control functions
- Approving the risk appetite
- Scheduling adequate agenda time for risk and compliance issues
- Approving compensation policies that align incentives between risk control and revenue
- Executing effective challenge of each other and of management
Management has a particular role in:

- Promoting risk awareness and encouraging an open and constructive dialogue about risk-taking throughout the organization
- Demonstrating through their actions their own commitment to the organization's risk and compliance objectives
- Ensuring that risk committees receive adequate information and discussion about risks, encourage challenge, and escalate risk issues as necessary
- Ensuring employees in the first and second lines of defense understand their risk management roles and responsibilities and are held accountable for carrying them out

6. Linking business success with core values and effective risk and compliance practices

Employees should understand what behaviors are expected of them and how these behaviors will help them, and the organization, succeed. Employees must understand the objectives of the risk-appetite statement and of the risk and control functions, and how those elements help the bank survive through normal and stressful times. This message should be conveyed through training and by all levels of management on an ongoing basis.

7. Monitoring and reinforcing an effective risk culture

Finally, a risk culture, no matter how good at a point in time, is vulnerable to drifting off track. Management should monitor risk culture over time. While culture can be difficult to measure in an absolute sense, management can tailor indicators consistent with the institution's risk appetite, agreed norms, and acceptable behaviors to signal improvements or potential problems in risk culture. These indicators can include survey results, audit response times, performance-review trends, and similar gauges of risk culture. Particular attention should be given to an individual firm's areas of vulnerability. For example, a large bank may need to closely track far-flung or specialty offices where rogue cultures may emerge, or newly acquired businesses where the firm's risk appetite and culture may be less well understood.
Similarly, businesses undergoing significant growth or facing other structural pressures and changes may be vulnerable to changing culture. Adjustments can and should be made over time as weaknesses are identified.

Determining Potential Steps to Improve Risk and Compliance Culture

As noted earlier, risk culture must be firmly rooted in well-designed risk and compliance programs, and can make the difference between a risk and compliance program that works and one that does not. Financial institutions can use the building blocks to reflect on the current state of their risk culture, and on what steps might need to be taken to address gaps. The table below provides some questions that can guide institutions in these considerations.

Conclusion

Financial institutions that want sustainable, effective risk and compliance programs must consider, on an ongoing basis, whether the institution's culture aligns with the objectives of those programs. Taking steps where needed to improve risk and compliance culture can reduce losses and help avoid reputational and regulatory missteps.
BUILDING BLOCKS AND GAPS OF RISK CULTURE

Building block: Robust risk and compliance programs
Potential gaps:
- Is the risk framework fully implemented throughout the organization?
- Is there a well-communicated and monitored code of conduct?
- Do employees generally know the defined risks and acceptable tolerances of the company?
- Do all applicable employees understand what the risk and compliance programs expect of them?
- Is there a practice of pinpointing root causes of adverse risk or compliance events, and implementing lessons learned?

Building block: Stature of risk and compliance personnel
Potential gaps:
- Does the chief risk officer have regular access to the board risk committee and CEO?
- Does business management visibly seek the views of risk or compliance employees on strategic issues, well before decisions are final?
- Do risk and compliance employees have access to updated information and training to align with developments in the businesses?

Building block: Structures for effective communication and challenge
Potential gaps:
- Is challenge encouraged by the board and various levels of management?
- Is constructive challenge included in training courses?

Building block: Incentive structure to reinforce risk and compliance objectives
Potential gaps:
- Does the incentive compensation scheme properly balance revenue goals with risk controls?
- Are inappropriate attitudes and behaviors toward risk and compliance reflected in compensation?
- Is there a clawback provision or other mechanism to reflect results over the longer term in compensation?
- When there are risk failures, are appropriate personnel held accountable, including business leaders?

Building block: Leadership: Board
Potential gaps:
- Do board and board-committee meeting agendas and minutes reflect active board oversight of risk and control issues?
- Is the information the board receives on risk and compliance comprehensive, clear, and digestible?

Building block: Leadership: Senior management
Potential gaps:
- Does senior management communicate regularly with employees outside of their normal chain of command?
- Do senior managers, including business leaders, regularly express their commitment to a robust second line of defense?

Building block: Leadership: Front line
Potential gaps:
- Do managers in front-line units actively demonstrate and communicate to employees the expected behaviors and attitudes related to risk-taking decisions and compliance standards?

Building block: Linking business success with core values and effective risk and compliance practices
Potential gaps:
- Do employees understand why the risk and compliance policies are critically important to the organization's stability and to customer and investor well-being?
- For systemically important financial institutions, do employees understand how the risk and compliance policies are important to financial-market stability?

Building block: Maintaining an effective risk culture over time
Potential gaps:
- Have the board and management considered what cultural vulnerabilities the firm may have and taken targeted steps to address them?
- Are metrics being tracked to shed light on cultural differences across the organization and possible drift in culture?
- Is training linked to metrics, lessons learned, and similar ongoing feedback about the firm's culture?
- Is risk training included in the onboarding process?
Contact Promontory

For more information, please call or email your usual Promontory contact or:

- Michael Dawson, mdawson@promontory.com, +1 202 384 1080
- Kathy Dick, kdick@promontory.com, +1 202 384 1092
- Douglas Harris, Managing Director, New York, dharris@promontory.com, +1 212 365 6568
- Sheryl Kennedy, Chief Executive Officer, Promontory Financial Group Canada ULC, Toronto, skennedy@promontory.com, +1 416 863 8555
- Susan Krause Bell, skrausebell@promontory.com, +1 202 384 1151
- Elizabeth McCaul, Partner-in-Charge, New York, emccaul@promontory.com, +1 212 365 6581
- Yoko Otani, Managing Director, New York, yotani@promontory.com, +1 212 542 6744
- Pat Parkinson, pparkinson@promontory.com, +1 202 384 1052
- Wayne Rushton, wrushton@promontory.com, +1 202 384 1015
- Julie Williams, Managing Director and Director of Domestic Advisory Practice, Washington, D.C., juwilliams@promontory.com, +1 202 384 1087

To subscribe to Promontory's publications, please visit promontory.com/subscribe.aspx. Follow Promontory on Twitter @PromontoryFG.

Promontory Financial Group helps companies and governments around the world manage complex risks and meet their greatest regulatory challenges. We are the world's foremost experts in financial risk, regulation, and compliance. Former U.S. Comptroller of the Currency Eugene A. Ludwig founded Promontory in 2001.

Promontory Financial Group, LLC, 801 17th Street, NW, Suite 1100, Washington, DC 20006. Telephone +1 202 384 1200, Fax +1 202 783 2924, promontory.com. 2015 Promontory Financial Group, LLC. All Rights Reserved.