“For all the tin you have bought, for all the tricks of the trade, for all the steps you have taken, if you have “done” Cyber Risk without fixing the culture AND the risk culture, then you have not “done” Cyber Risk… Likewise Conduct Risk, or Credit Risk, or any other Risk… Get the culture AND the risk culture right, and only then can the rest come good.”
Take a regulator – any regulator – and they will tell you precisely what interests them right now: Culture or perhaps the Risk Culture. If you Google “Bank Risk Culture” you get almost 30m hits in only a fraction of a second longer than it takes to hit “enter”. So this is a crowded space!
Whether you are supervised under the SSM by the ECB, by the PRA and FCA in the UK or by the APRA in Australia, you will find an increasing interest in the Risk Culture of your organisation. The FSB, no less, produced a paper on assessing Risk Culture back in 2014 (see here for a copy). In this paper they said:
“An anticipatory and strategic approach to supervision rests, among other things, on the ability to engage in high-level sceptical conversations with the board and senior management on the financial institution’s risk appetite framework, and whether the institution’s risk culture supports adherence to the board-approved risk appetite.”
They go on to say:
“Culture can be a very complex issue as it involves behaviours and attitudes. But efforts should be made by financial institutions and by supervisors to understand an institution’s culture and how it affects safety and soundness. While various definitions of culture exist, supervisors are focusing on the institution’s norms, attitudes and behaviours related to risk awareness, risk taking and risk management, or the institution’s risk culture.”
They describe the conditions for a good risk culture as good governance, a clear understanding of risk appetite and sound compensation practices. They also provide four indicators:
- Tone from the top;
- Accountability;
- Effective communication and challenge; and
- Incentives.
While they acknowledge that assessing each of these, and their interdependence, is complex, there is comparatively little guidance as to how this might be interpreted. This leaves the space open for management to make appropriate assessments of their own culture, and many are struggling right now to put qualitative assessments in place, let alone quantitative ones.
A new approach
Up to now, most culture assessment projects have been based on surveys, interviews and observation. All well and good, but hardly definitive (and riddled with inherent biases, weaknesses and information “gaps”). Working with our technology partners, we have developed an approach that looks at the discussions that take place in your organisation about risk, which we term the Risk Conversations. In other words, we examine the real artefacts of your culture AND your risk culture.
By using Risk Conversations, you can now identify whether your organisation has a healthy culture AND a healthy risk culture. We can help you to identify real indicators of the effectiveness of the “tone from the top”, or whether “accountability” is really embedded in the organisation. We can measure the level of “effective communication and challenge” and the impact of “incentives”. At the same time, we can help you to identify those aspects of your culture (AND risk culture) where you should be concerned: for example, are your espoused values the ones that are actually lived in the organisation? What is your staff’s attitude to Cyber Risk or conduct risk, and do these attitudes persist in pockets or right through the organisation? Just as a CT scan will identify tumours in cancer patients, Risk Conversations will identify the signs of cancerous attitudes in your business.
Whether you use this for a periodic check-up or as a real-time, constant monitor is up to you. But Risk Conversations can put dashboard reporting about the culture and risk culture of your organisation at your fingertips.
If you would like to find out more about Risk Conversations, contact us here.