Culture and risk intelligence - gcu.ac.uk · Specific portion of culture and risk intelligent...
© 2014 Deloitte LLP. Private and confidential.
Culture and risk intelligence - Drivers, challenges, solutions and themes
November 2014
by Stephen Gould
Objectives of this session
• Introduce culture and risk intelligence and how to visualise them as not so airy, fairy
• Explain why risk intelligence matters
• Cover the challenges financial services organisations are experiencing when trying to strengthen their risk intelligence
• Provide a high level overview of ‘levers’, ‘expectations’ and an approach for strengthening risk intelligence
• Share some high level themes for making risk intelligence change happen
• Answer your related questions
Culture and risk intelligence - What is culture – is it all airy, fairy?
There is no consistent definition of culture in the Financial Services Sector. A working definition used
by some is: “the way we do things around here (Bower, 1966)…even when no one else is watching”,
the DNA of the organisation.
Hardware: Top down
• Management systems and infrastructure: Organisational processes and infrastructure, e.g. Risk Appetite Statements, Compliance policies, processes and controls.
Software: Bottom up
• Behaviours: What people visibly do within and around structured systems, e.g. how people interact with systems and each other; such as front office personnel taking short cuts on trading systems because everyone does it that way round here.
• Symbols: Inherent interpretations of what is important, e.g. what is perceived to be valued or important; such as the AML risk a customer poses to the firm if on-boarded has a greater weighting than any potential revenue gains.
Not so airy, fairy: Organisations typically try to influence culture through a focus on the tangible ‘hardware’ (‘systems and infrastructure’). In reality the majority of incidents and failings in organisations are a result of the ‘software’ (‘behaviours’ and ‘symbols’).
Culture and risk intelligence - What is risk intelligence?
Risk intelligence or risk intelligent culture - means that “everyone understands the organisation’s
approach to risk, takes personal responsibility to manage risk in everything they do, and encourages
others to follow their example”; Deloitte’s definition.
Key characteristics of risk intelligence:
• Commonality of purpose
• Universal adoption and application
• A learning organisation – collective ability to continuously improve
• Prompt, transparent, and honest communications
• Understanding the value of effective risk management
• Responsibility – individual and collective
• Expectation of challenge
There are four main organisational influences to building risk intelligence:
• Risk Competence: The collective risk management competence of an organisation.
• Organisation: How the organisational environment is structured and valued.
• Relationship: How people in the organisation interact with others.
• Motivation: The reason why people manage risk the way that they do.
Culture and risk intelligence - What is conduct risk culture?
Conduct risk is the risk that the firm’s behaviour will result in poor outcomes for customers. Conduct risk is a specific risk category and accordingly conduct risk culture is a specific portion of overall risk culture. Risk intelligence shifts mindsets and behaviours to focus on fair outcomes for customers.
[Diagram: specific portion of culture and risk intelligent culture]
Organisations must make sure that they have a well-defined and articulated conduct risk framework focusing on the risk culture that puts customers at the heart of the organisation, as well as or as part of a risk culture framework.
Risk culture and incentive mechanisms play a key role in the distribution of products and an organisation’s interactions with consumers. Addressing cultural issues will promote better risk management, including conduct risk management.
Why risk intelligence matters - Throwing down the gauntlet to the Financial Services Sector
Banks, building societies, insurers, asset managers and broker firms are being driven to understand, measure, strengthen and report on their risk culture and the risk intelligence of their people as part of enhancing their risk management and control systems.
Key drivers for risk intelligent cultures (external drivers and internal drivers):
• Increasing regulatory focus; e.g. PRA ‘Approach to Supervision’
• Alignment of risk culture, strategy, appetite and remuneration frameworks
• CIIA’s Code for ‘Effective Internal Audit in the FS Sector’
• Boards, NEDs, Audit and Risk Committees, Remuneration Committees
• Internal Audit, Risk Management, Human Resources and Tax
• Standard & Poor’s approach for assessing companies’ ERM
• Increasing stakeholder pressures
• FSB final paper ‘Guidance on Supervisory Interaction with Financial Institutions on Risk Culture’.
What other drivers are you seeing?
What the future looks like:
Within three years, risk intelligence is likely to be a priority measure for assessing the quality and embedding of an organisation’s strategic plan, risk appetite, governance structure and its risk management and remuneration frameworks.
Challenges in strengthening risk intelligence - Blinkered view: “There is a problem, but less so at my bank”
[Chart: Perception of cultural problem across the industry versus own bank. % respondents who rate culture as being a problem across the industry and at their own bank (series: Banking industry, Your bank). Note: Survey rating ranked 1 to 7 where 1 = no cultural problem; 7 = catastrophic problems. Source: Deloitte Culture in Banking Survey 2013]
70% of senior bankers believe there is a significant cultural problem in the industry. 40% of
respondents rated culture “at their own bank” as at least 5 out of 7 where, 1 = no cultural problem,
and 7 = catastrophic cultural problems.
Challenges in strengthening risk intelligence - The cause of the problem: “The buck stops with us”
Bankers cite the main causes of cultural problems across the industry as those predominantly within their sphere of influence. Failures began at the top, from board oversight and management teams’ understanding of their balance sheets and percolated through organisations via skewed employee incentives – including sub-optimal compensation structures, misaligned performance metrics, and excessive compensation levels.
Causes of cultural problems - average rating amongst respondents of the causes:
• Management teams’ understanding of the risk on their balance sheets: 5.4
• Compensation structure (i.e. fixed vs variable, cash vs equity, deferred): 5.3
• Performance metrics: 5.2
• Board oversight: 5.1
• Compensation levels: 5.0
• Quality of supervision: 4.9
• Upward communication of concerns to management: 4.9
• Lax capital requirements (i.e. too much leverage): 4.8
• The increasing size and scope of banks: 4.6
• Light-touch regulation: 4.5
• Loose monetary policy: 4.4
• The internationalisation of the City after the ‘Big Bang’ in 1986: 3.8
• A free market ethos: 3.5
• Having retail and investment banking under the same roof: 3.3
• The replacement of unlimited liability partnerships by limited liability…: 3.2
Note: Survey rating ranked 1 to 7 where 1 = very minor cause; 7 = significant cause. Source: Deloitte Culture in Banking Survey 2013
Challenges in strengthening risk intelligence - “Getting performance metrics right is the biggest challenge”
Defining the right metrics to measure culture is the biggest challenge to improving culture.
Biggest challenges when making culture more effective:
• Ensuring that culture is always on the Board’s agenda: 3.0
• Aligning culture to evolving regulations: 4.4
• Competitive pressures: 4.5
• Prioritising investment in culture when resources are under pressure: 4.5
• Developing a framework to drive cultural change: 4.7
• Defining the right metrics against which to measure culture: 5.5
Note: Survey rating ranked 1 to 6 where 1 = not challenging; 6 = extremely challenging. Source: Deloitte Culture in Banking Survey 2013
Challenges in strengthening risk intelligence - We need to continually monitor and immediately react to cultural change
No amount of external or internal regulation and surveillance is going to prevent determined people from committing illegal behaviour. Directors should realise that they can expect a sympathetic hearing after having made real and sensible efforts to address issues to do with the culture and risk intelligence of the organisation they control.
The oldest mercantile bank in London until collapse in 1995.
Board members and executives didn’t set a consistent example of high
integrity and ethical behaviour.
Enron’s ethics code was based on Respect, Integrity, Communication, and
Excellence.
Nevertheless, Enron has been described as having a culture of arrogance
that led people to believe that they could handle increasingly greater risk
without encountering any danger.
At Barclays we have five values: Respect, Integrity, Service, Excellence,
Stewardship, which we expect all our people to live by.
How to strengthen risk intelligence - Five key levers for how people pick up on cultural messaging
Whilst defining and articulating the organisational values is a critical first step on the journey to strengthening risk intelligence, the greatest challenge most organisations face is how to embed and sustain those values across the organisation.
Employees pick up cultural messaging across five channels or levers. They are alert to contradictions and inconsistencies in the messaging. They use it to work out what to do, and show others – through their own behaviour – how they have interpreted the ‘rules’.
• #1 Role Models: Imitation of key individuals, example set by leadership
• #2 Explicit Enculturation: Recruitment, induction, rulebooks, training, policies and manuals
• #3 Incentives: Structure and levels of remuneration; promotions; non-financial rewards; the employee proposition
• #4 Revealed Preferences: What happens on the ground, what it implies about the company’s priorities
• #5 Symbols and Fables: Symbolic actions and stories with a moral that transmit values and priorities
How to strengthen risk intelligence - Set expectations on what ‘good’ and ‘bad’ look like
A risk culture manifests itself through observable systems, behaviours and symbols. It is often visible
through the choices and actions people make and at other times it is not as evident, as some of the
culture drivers and ethos operate below the surface.
Organisational influences:
• Risk Competence: The collective risk management competence of an organisation.
• Organisation: How the organisational environment is structured and valued.
• Relationship: How people in the organisation interact with others.
• Motivation: The reason why people manage risk the way that they do.
Detrimental behaviours:
• Reluctance to learn from past mistakes
• Following the herd
• Shooting the messenger
• Rewarding excessive risk taking
• Reticence to escalate risks appropriately
• Cutting corners
• Inadequate challenge of excessive risk taking
• Yielding to inappropriate pressure from others
Desirable behaviours:
• Proactive sharing of best practices
• Consulting with others when in doubt
• Admitting to making mistakes
• Being personally accountable for risks
• Following risk management policies and processes
• Involving risk experts in risk decisions
• Open and honest dialogue regarding risks
• Constructive response to challenge
How to strengthen risk intelligence - Assessing and monitoring risk intelligence is key to strengthening it
Our approach to measure, strengthen and report on risk intelligence is to review four main
organisational influencers of risk intelligence (risk competence, motivation, organisation and
relationships), by assessing 16 key indicators in our Risk Intelligence Assessment Framework.
Risk Intelligence Assessment Framework or ‘Wheel’
This diagnostic includes human capital and risk management perspectives to give a ‘richer’ measure
of the risk intelligence of the sample population. It measures people’s perception of risk and not
their propensity to take risk.
Indicative approach:
• Phase I: Define the current profile - using the Risk Intelligence ‘Wheel’, supported by e.g. diagnostic survey and/or interviews.
• Phase II: Define the desired risk intelligence and create a ‘risk intelligence shift plan’ to reach target state.
• Phase III: Execute ‘risk intelligence shift plan’ and make it stick – via rolling out newly developed and enhanced levers (from the shift plan) across different levels, teams and business units.
See Appendix 1 for fuller details
Making risk intelligence change happen - Addressing the underlying cause of the detrimental behaviour
Set out below are a range of examples of where we have helped other organisations to create a shift
in their risk intelligence. Common to all these examples is addressing the underlying cause of the
detrimental behaviour.
Organisational influences:
• Risk Competence: The collective risk management competence of an organisation.
• Organisation: How the organisational environment is structured and valued.
• Relationship: How people in the organisation interact with others.
• Motivation: The reason why people manage risk the way that they do.

Detrimental behaviour (symptom): Taking unnecessary risks
Underlying cause (influencer): No clear guidelines or training in place
What we did: Trained supervisors and staff on the organisation’s values. Implemented monthly unit meetings to clarify goals and improve two-way communication. Improved communications by sharing decisions and implementing biweekly email updates.

Detrimental behaviour (symptom): Employees not taking accountability
Underlying cause (influencer): Lack of awareness of how job contributes to achieving strategy
What we did: We identified and worked on a small number of critical events that were significant to the organisation and the customer. Through this, an opportunity arose for employees to understand how they could behave in a way that would deliver the attributes of the brand.

Detrimental behaviour (symptom): Lack of adherence to policy and process
Underlying cause (influencer): Organisation systems did not support compliance
What we did: Re-designed job roles and organisation structure to support desired outcomes. Introduced a leadership alignment programme. Re-designed reward and performance management to encourage ‘right’ behaviours.

Detrimental behaviour (symptom): Ineffective challenge of first line risk taking
Underlying cause (influencer): Unclear roles, responsibilities and interactions between group and regional risk officers
What we did: 1-1 interviews with Group and Regional risk officers and regional MDs to understand what’s working and what’s not. Identification of areas of friction and lack of clarity. Refreshed role descriptions. Implemented oversight planning process. Baselined new way of working.
Making risk intelligence change happen - ‘Quick win’ themes identified by our diagnostic approach
Many FS companies have introduced campaigns to reinforce their ‘risk culture’ message from the top.
Those few that believe they have made significant progress tend to have embedded a Risk Intelligent
Culture in pockets and not throughout the entire organisation.
Examples of our insights and recommendations to your peers:

Finding: Middle management hoarding risk management information because they want to hoard power or hide mistakes made by their team.
Recommendation: Promote visible peer to peer review and challenge. Encourage regular and frequent peer group discussions on risk behaviours. Review, assess and enhance the reporting framework to make sure that its reports are informative, regularly updated, prompt, transparent and readily accessible to staff.

Finding: Continuous breaches of risk limits negatively impact bonus payments, whereas exceeding expectations in managing risks is not rewarded.
Recommendation: Annual performance objectives should consider risk intelligence and accountabilities for effective management of risk as well as reward of those demonstrating the desired risk management behaviours.

Finding: There is a disconnect between how overall risk strategy relates to individual roles and responsibilities (in particular for more junior grades in front office functions).
Recommendation: Align the organisation’s symbols, systems, and behavioural norms to encourage people to make the right risk-related decisions, and exhibit appropriate risk management behaviours. Design risk education programmes for staff at all levels.

Finding: Insufficient business knowledge across oversight functions up to middle management and insufficient risk management skills and awareness of front office staff at junior grades.
Recommendation: Targeted secondments from oversight functions into front office and vice versa are effective in developing business knowledge across oversight functions and risk management skills and awareness of junior front office staff.

[Diagram: Risk Intelligence wheel – Risk Competence, Organisation, Relationship, Motivation]
Q&A and key contacts
Any questions?
Key contacts:
• Mariia Speranska, Risk and Regulation, +44 (0) 20 7303
• Stephen Lucas, Partner, Risk and Regulation, +44 (0) 20 7303
• Tim Thompson, Partner, Risk and Regulation, +44 (0) 20 7007
• Stephen Gould, Risk and Regulation, +44 (0) 20 7303
Example Survey – just for fun!
Survey - Example questions for a risk intelligence diagnosis
A good risk intelligence diagnostic survey helps to capture individual risk management attitudes and intelligence; and accordingly assists identification of strong and weak areas of the risk intelligence in an organisation. Most good risk intelligence surveys have positively phrased questions to reduce bias and support anonymous responses to increase validity.
The below survey is for fun - to give a feel for the types of questions in a risk intelligence diagnosis.
Response options for each question: Strongly disagree / Disagree / Neutral / Agree / Strongly Agree / I don’t know
Q1. My risk management capabilities are assessed regularly.
Q2. Being good at managing risks can help people to get ahead in my organisation.
Q3. Managers and leaders in my organisation role model the right risk behaviours.
Q4. People in my organisation know how to escalate risks.
Q5. People in my organisation always try to do the right thing.