Risk culture matters

Anecdotally and empirically over two decades, I have realized that the best predictor of successful risk management is the risk culture within an enterprise.

Risk culture is difficult to measure adequately from the outside. However, it is a very tangible attribute, and one that can be assessed objectively by any risk manager worth his or her salt from the inside, or given some insight into the internal workings of a firm.

Early in my career, I would scoff at the statement I just made. “Management jargon and consulting talk,” I would have balked.

And yet, despite rigorous controls, detailed risk metrics and risk inventories in place, regardless of the advanced analytics, models and reporting infrastructure, and in spite of the risk policies, procedures, governance controls and established risk appetites, if there wasn’t an understood, collectively adopted and established culture of risk management alive within the firm, it was usually all for naught.


Understood culture of risk management

This refers to an expectation that every employee will conduct themselves prudently, regardless of their organizational hierarchy or department. It pertains to employees proactively protecting the enterprise from harm, big or small, from internal or external sources, and from mundane, emerging, expected or unexpected issues.

It refers to a collective consciousness embedded within the firm’s employees to do what’s right and eschew what’s wrong as a baseline, and to have the objectivity, capability and maturity to make weighing risk against reward part of everyday work.

It requires an environment where employees are empowered to manage risk, make decisions, educate themselves as needed, and leverage the specialist abilities of their colleagues and internal resources when required.

A strong culture of risk entails a disciplined, educated and informed board of directors and C-suite that communicates the organizational priorities in no uncertain terms, enshrines a culture of empowered responsibility, and practices what it preaches.

It requires acknowledgment and ownership of the risk agenda from all departments, and it gives the Chief Risk Officer and the Risk Management and Compliance departments the authority, independence and ability to assess, escalate and drive resolution in whatever format best suits the situation, with the full support of the senior leadership team and board of directors.

A well understood culture of risk entails timely communication and the ability for individuals or departments to report issues without fear of penalty. It allows people to fail and learn from mistakes, encourages an environment that proactively tests control environments for weak links, and gives departments the ability and resources to self-assess and prioritize fixes.


Anecdotally, the risk committee of the board of a large SIFI’d commercial bank I was involved with would invite the line managers and owners of specific risk agendas to attend their meetings, as they felt that direct communication lines to and from the front lines were an effective way to impress upon all employees their commitment to effective risk management. They stood behind what they preached and actually practiced it. It was not uncommon for the C-Suite to organize skip-level lunches and meetings with line managers and front-line stakeholders. They valued feedback from employees and saw an opportunity to reinforce their own priorities and the company’s agenda at a grassroots level.

At another investment bank I advised, the enterprise risk committee meeting was a gladiators’ contest, where participants with agendas took pot shots at their colleagues. Certain individuals in senior leadership used it as a platform to advance themselves politically, even as risk managers were often asked to hold their tongue, for fear of raising an emerging or topical risk item to the attention of the board “prematurely”, or without enough consensus amongst the commercial leaders. Suffice it to say, a lot of content was glossed over, giving everybody a sense that risk was being managed, and some important agenda items were not tabled for discussion.

There is no one solution to ensuring an ingrained and understood risk culture. It is a combination of:

  • instituting a core set of risk priorities set at the top and communicated continually and demonstrably throughout the organization
  • having a board and senior leadership team that is well aware of and educated about its risk and compliance requirements, and has well thought out risk appetites
  • applying risk governance and consistently adopting policies and procedures, with proactive escalation and issue remediation
  • hiring bright, capable and ethical people across the chain
  • empowering risk management at every level, individually and collectively
  • establishing the right set of controls, incentives, disciplinary measures and rewards for being a custodian and responsible stakeholder
  • ensuring an independent and empowered risk and compliance department

Collectively adopted risk culture

A top-down push of the risk management agenda only goes so far. A heavy-handed control approach instituted from the top, with fear of non-compliance at its core, will stop short of being optimally effective.

In many cases, adoption of a certain risk management and compliance framework is a regulatory requirement. Processes, controls and reporting metrics can all become staid and ineffective if they are used to check boxes and solely for reporting purposes.

A large and ‘well run’ hedge fund compounded its country, credit and concentration risk exposures by inadvertently allowing its origination and structuring team to be permissive and lax in their controls. Controls were being monitored and protocols were being followed, but the growing risk exposure across varied buckets was seen through siloed optics. A massive credit loss event followed, and by the time the origination, risk and finance teams all connected the dots and worked with each other, a half-billion loss was in the cards.

Collective adoption of a risk mindset means teams and individuals should be taught to think creatively. They should know the benefit to themselves and the firm of embedding the needed risk controls and checks within their processes. They should have enough of an ownership stake in the outcome of their responsibilities, and in the execution of them, to feel the need to limit risks.

There should be incentives for prudent risk management. Incentives don’t always have to be monetary. Employees are just as motivated by recognition and by the ability to prove themselves and showcase their creative capabilities to peers and managers.

Managers should encourage employees to stress test their controls, theoretically and practically. Employees should break control processes, visualize adverse scenarios, simulate failure and everything that leads to it, collaborate with their peers on adjacent responsibilities and weak links, and think through tangible recovery and resolution scenarios.

Senior leadership teams should foster an environment of collaborative thinking and process management, and connect and network siloed operations into the whole. Agenda owners should be identified, given ownership as custodians of their risk portals, and given the ability to work cross-functionally.

A multinational industrial conglomerate has an integrated procurement team that combines business leaders, procurement managers, treasury and risk management experts, economists, commodity and FX specialists, and finance and accounting personnel to optimize the collective procurement budget and purchase requirements. This group works strategically to identify opportunities and allay risk, and is independently empowered by the senior leadership team to make suitable decisions.

A collectively adopted risk management approach embeds ‘risk think’ within the DNA of the firm. Key to successful adoption are:

  • enabling, empowering and educating employees on why risk management matters to them individually
  • educating employees on the collective objectives of the firm and letting them know how they can step up as stakeholders
  • training employees with tangible examples of risk events and mitigation efforts, seen from the perspective of their departments, teams and the company
  • allowing employees to think creatively, to imagine failure scenarios along with the mitigating controls to stave them off
  • encouraging employees to work in cross-functional teams
  • building integrated controls, along with transparent reporting and uncluttered metrics

Establishing and Institutionalizing risk culture

As important as understanding and adopting the enterprise’s risk culture are, they will only be effective if the organization enshrines and institutionalizes best practice.

The governance of enterprise risk should be a dynamically oriented process that allows communication across the organization quickly and effectively. Topical and emerging risks and risk sensitivities should be studied with a fresh pair of eyes as frequently as common sense demands.

ERMC (enterprise risk management committee) and ALCO (asset and liability committee) meetings should not be the only avenues or placeholders where material risk topics, or those picked up via horizon scans, are discussed. There should be active monitoring and discussion of risk topics across the relevant stakeholders, led by the risk and compliance teams.

Thresholds for escalating issues to the senior leadership team should follow a policy construct, but they should equally be adjusted dynamically to reflect out-of-the-ordinary events.

The development of well thought out and pragmatic risk appetites, risk policies, procedures and guidelines is crucial. None of them should become box-checking exercises. Rather, they should facilitate the creation of appropriate key risk indicators and material risk inventories that stakeholders can stay on top of.

Adequate investment in the required models and analytics; in the acquisition, maintenance and warehousing of related data; and in the technology and infrastructure required to generate relevant and timely risk metrics and, where appropriate, regulatory reporting are the key underpinnings of a successfully run risk framework. Of course, CROs should adopt a pragmatic and proportionate approach.


Systems and processes should be leveraged for maximal front-to-back utilization. Consistency in data usage, adequate documentation of controls, review of the appropriateness of models, assessment of the quality of market data and calibrated parameters: all of that ‘boring’ rigmarole should be crisp, repeatable, refreshed and running smoothly in the background. Where possible, automated and semi-automated solutions should be utilized.

The appropriate utilization of custom-built analytics and FinTech and RegTech tools will go a long way in disseminating key risk metrics and much-needed risk dashboards to the C-Suite, boards and line managers, so that they have an active command and control panel they can monitor for event risks.

An established risk culture encourages the rank and file to search for inefficiencies in processes and for possible points where errors can enter, and to eliminate them. It encourages, from the top down, a periodic review of all risks across the board and challenges to the status quo.

A US-based algo trading shop was getting more active in international markets, and for the first time was faced with many more Risk Management Framework and Compliance requirements from the U.K. and EU regulators. Rather than respond to the regulatory requests using a scripted approach and putting controls in place robotically, they invested in reinventing their risk framework. Subsequent investments in the market, credit, operational, capital and liquidity risk frameworks, metrics, analytics and reporting were appreciated by the entire organization as bringing value to the table, not just another regulatory exercise.

Equally enshrined alongside such controls should be debates around the risk-return profile, measuring the RAROC (risk-adjusted return on capital) of specific projects, desks and investment portfolios, and revisiting their performance after day-1 origination, to enhance accountability across the duration of the commitment to specific ventures.

In conclusion

Every institution is on a different risk journey or continuum. Each enterprise has different requirements to manage, and aspires to a level of risk culture across the organization that works best for it.

The tone should always be set at the top. The C-Suite and boards own the risk agenda, and they need to shape and craft it in a way that enhances the overall commercial viability of the firm while simultaneously optimizing its defenses against potential losses.

At the most elemental level, each board member within the risk committee, and the members of ERMCs, Operational Risk Committees, ALCOs, etc., should be honest with themselves about their own understanding of enterprise risks and their wherewithal to manage them. Conduct a health check, perform an audit, and benchmark your practices against codified standards or like-for-like comparables.

And then act, fearlessly and boldly. Hire the best practitioners; hire challengers, visionaries and pragmatic process experts. Leverage your risk and compliance teams. Have them be your independent eyes and ears. Arrange skip-level meetings and get a pulse from the organization periodically. Conduct risk culture and awareness polls.

Invest in people, technology and controls. Empower your people. Demonstrably lead them by showing them that you practice what you preach, by being consistent in the execution of your risk agenda.

Good luck!
