Culture and risk intelligence - gcu.ac.uk · Specific portion of culture and risk intelligent...

© 2014 Deloitte LLP. Private and confidential. Culture and risk intelligence Drivers, challenges, solutions and themes November 2014 by Stephen Gould


Culture and risk intelligence - Drivers, challenges, solutions and themes

November 2014

by Stephen Gould


Objectives of this session

Introduce culture and risk intelligence and how to visualise them as not so airy, fairy

Explain why risk intelligence matters

Cover the challenges financial services organisations are experiencing when trying to strengthen their risk intelligence

Provide a high level overview of ‘levers’, ‘expectations’ and an approach for strengthening risk intelligence

Share some high level themes for making risk intelligence change happen

Answer your related questions


Culture and risk intelligence - What is culture – is it all airy, fairy?

There is no consistent definition of culture in the Financial Services Sector. A working definition used by some is: “the way we do things around here (Bower, 1966)…even when no one else is watching”, the DNA of the organisation.

Not so airy, fairy: Organisations typically try to influence culture through a focus on the tangible ‘hardware’ (‘systems and infrastructure’). In reality the majority of incidents and failings in organisations are a result of the ‘software’ (‘behaviours’ and ‘symbols’):

Hardware: Top down

Management systems and infrastructure: Organisational processes and infrastructure, e.g. Risk Appetite Statements, Compliance policies, processes and controls.

Software: Bottom up

Behaviours: What people visibly do within and around structured systems, e.g. how people interact with systems and each other; such as front office personnel taking short cuts on trading systems because everyone does it that way round here.

Symbols: Inherent interpretations of what is important, e.g. what is perceived to be valued or important; such as the AML risk a customer poses to the firm if on-boarded has a greater weighting than any potential revenue gains.


Culture and risk intelligence - What is risk intelligence?

Risk intelligence or risk intelligent culture - means that “everyone understands the organisation’s approach to risk, takes personal responsibility to manage risk in everything they do, and encourages others to follow their example”; Deloitte’s definition.

Key characteristics of risk intelligence

Commonality of purpose

Universal adoption and application

A learning organisation – collective ability to continuously improve

Prompt, transparent, and honest communications

Understanding the value of effective risk management

Responsibility – individual and collective

Expectation of challenge

There are four main organisational influences to building risk intelligence

Risk Competence: The collective risk management competence of an organisation.

Organisation: How the organisational environment is structured and valued.

Relationship: How people in the organisation interact with others.

Motivation: The reason why people manage risk the way that they do.


Culture and risk intelligence - What is conduct risk culture?

Conduct risk is the risk that the firm’s behaviour will result in poor outcomes for customers. Conduct risk is a specific risk category and accordingly conduct risk culture is a specific portion of overall risk culture. Risk intelligence shifts mind sets and behaviours to focus on fair outcomes for customers.

Specific portion of culture and risk intelligent culture

Organisations must make sure that they have a well-defined and articulated conduct risk framework focusing on the risk culture that puts customers at the heart of the organisation, as well as or as part of a risk culture framework.

Risk culture and incentive mechanisms play a key role in the distribution of products and an organisation’s interactions with consumers. Addressing cultural issues will promote better risk management, including conduct risk management.

Why risk intelligence matters - Throwing down the gauntlet to the Financial Services Sector

Banks, building societies, insurers, asset managers and broker firms are being driven to understand, measure, strengthen and report on their risk culture and the risk intelligence of their people as part of enhancing their risk management and control systems.

Key drivers for risk intelligent cultures (external drivers and internal drivers)

Increasing regulatory focus; e.g. PRA ‘Approach to Supervision’

Alignment of risk culture, strategy, appetite and remuneration frameworks

CIIA’s Code for ‘Effective Internal Audit in the FS Sector’

Boards, NEDs, Audit and Risk Committees, Remuneration Committees

Internal Audit, Risk Management, Human Resources and Tax

Standard & Poor’s approach for assessing companies’ ERM

Increasing stakeholder pressures

FSB final paper ‘Guidance on Supervisory Interaction with Financial Institutions on Risk Culture’.

What other drivers are you seeing?

What the future looks like

Within three years, risk intelligence is likely to be a priority measure for assessing the quality and embedding of an organisation’s strategic plan, risk appetite, governance structure and its risk management and remuneration frameworks.


Challenges in strengthening risk intelligence - Blinkered view: “There is a problem, but less so at my bank”

70% of senior bankers believe there is a significant cultural problem in the industry. 40% of respondents rated culture “at their own bank” as at least 5 out of 7 where, 1 = no cultural problem, and 7 = catastrophic cultural problems.

[Chart: Perception of cultural problem across the industry versus own bank. % respondents who rate culture as being a problem across the industry and at their own bank, by rating from 1 (no cultural problem) to 7 (catastrophic cultural problem); series: Banking industry, Your bank; chart annotation: Significant problems.]

Note: Survey rating ranked 1 to 7 where, 1 = no cultural problem; 7 = catastrophic problems

Source: Deloitte Culture in Banking Survey 2013


Challenges in strengthening risk intelligence - The cause of the problem: “The buck stops with us”

Bankers cite the main causes of cultural problems across the industry as those predominantly within their sphere of influence. Failures began at the top, from board oversight and management teams’ understanding of their balance sheets and percolated through organisations via skewed employee incentives – including sub-optimal compensation structures, misaligned performance metrics, and excessive compensation levels.

Causes of cultural problems

Average rating amongst respondents of the causes (1 = very minor cause; 7 = significant cause)

Management teams’ understanding of the risk on their balance sheets: 5.4

Compensation structure (i.e. fixed vs variable, cash vs equity, deferred): 5.3

Performance metrics: 5.2

Board oversight: 5.1

Compensation levels: 5.0

Quality of supervision: 4.9

Upward communication of concerns to management: 4.9

Lax capital requirements (i.e. too much leverage): 4.8

The increasing size and scope of banks: 4.6

Light-touch regulation: 4.5

Loose monetary policy: 4.4

The internationalisation of the City after the ‘Big Bang’ in 1986: 3.8

A free market ethos: 3.5

Having retail and investment banking under the same roof: 3.3

The replacement of unlimited liability partnerships by limited liability…: 3.2

Note: Survey rating ranked 1 to 7 where, 1 = very minor cause; 7 = significant cause

Source: Deloitte Culture in Banking Survey 2013


Challenges in strengthening risk intelligence - “Getting performance metrics right is the biggest challenge”

Defining the right metrics to measure culture is the biggest challenge to improving culture.

Biggest challenges when making culture more effective

Average rating (1 = not challenging; 6 = extremely challenging)

Ensuring that culture is always on the Board’s agenda: 3.0

Aligning culture to evolving regulations: 4.4

Competitive pressures: 4.5

Prioritising investment in culture when resources are under pressure: 4.5

Developing a framework to drive cultural change: 4.7

Defining the right metrics against which to measure culture: 5.5

Note: Survey rating ranked 1 to 6 where, 1 = not challenging; 6 = extremely challenging

Source: Deloitte Culture in Banking Survey 2013


Challenges in strengthening risk intelligence - We need to continually monitor and immediately react to cultural change

No amount of external or internal regulation and surveillance is going to prevent determined people from committing illegal behaviour. Directors should realise that they can expect a sympathetic hearing after having made real and sensible efforts to address issues to do with the culture and risk intelligence of the organisation they control.

The oldest mercantile bank in London until collapse in 1995. Board members and executives didn’t set a consistent example of high integrity and ethical behaviour.

Enron’s ethics code was based on Respect, Integrity, Communication, and Excellence. Nevertheless, Enron has been described as having a culture of arrogance that led people to believe that they could handle increasingly greater risk without encountering any danger.

At Barclays we have five values: Respect, Integrity, Service, Excellence, Stewardship, which we expect all our people to live by.


How to strengthen risk intelligence - Five key levers for how people pick up on cultural messaging

Whilst defining and articulating the organisational values is a critical first step on the journey to strengthening risk intelligence, the greatest challenge most organisations face is how to embed and sustain those values across the organisation.

Employees pick up cultural messaging across five channels or levers. They are alert to contradictions and inconsistencies in the messaging. They use it to work out what to do, and show others – through their own behaviour – how they have interpreted the ‘rules’.

#1 Role Models: Imitation of key individuals, example set by leadership

#2 Explicit Enculturation: Recruitment, induction, rulebooks, training, policies and manuals

#3 Incentives: Structure and levels of remuneration; promotions; non-financial rewards; the employee proposition

#4 Revealed Preferences: What happens on the ground, what it implies about the company’s priorities

#5 Symbols and Fables: Symbolic actions and stories with a moral that transmit values and priorities


How to strengthen risk intelligence - Set expectations on what ‘good’ and ‘bad’ look like

A risk culture manifests itself through observable systems, behaviours and symbols. It is often visible through the choices and actions people make and at other times it is not as evident, as some of the culture drivers and ethos operate below the surface.

Risk Competence: The collective risk management competence of an organisation.

Organisation: How the organisational environment is structured and valued.

Relationship: How people in the organisation interact with others.

Motivation: The reason why people manage risk the way that they do.

Detrimental behaviours

Reluctance to learn from past mistakes

Following the herd

Shooting the messenger

Rewarding excessive risk taking

Reticence to escalate risks appropriately

Cutting corners

Inadequate challenge of excessive risk taking

Yielding to inappropriate pressure from others

Desirable behaviours

Proactive sharing of best practices

Consulting with others when in doubt

Admitting to making mistakes

Being personally accountable for risks

Following risk management policies and processes

Involving risk experts in risk decisions

Open and honest dialogue regarding risks

Constructive response to challenge


How to strengthen risk intelligence - Assessing and monitoring risk intelligence is key to strengthening it

Our approach to measure, strengthen and report on risk intelligence is to review four main organisational influencers of risk intelligence (risk competence, motivation, organisation and relationships), by assessing 16 key indicators in our Risk Intelligence Assessment Framework.

Risk Intelligence Assessment Framework or ‘Wheel’

This diagnostic includes human capital and risk management perspectives to give a ‘richer’ measure of the risk intelligence of the sample population. It measures people’s perception of risk and not their propensity to take risk.

Indicative approach

Phase I: Define the current profile - using the Risk Intelligence ‘Wheel’, supported by e.g. diagnostic survey and/or interviews.

Phase II: Define the desired risk intelligence and create a ‘risk intelligence shift plan’ to reach target state.

Phase III: Execute ‘risk intelligence shift plan’ and make it stick – via rolling out newly developed and enhanced levers (from the shift plan) across different levels, teams and business units.

See Appendix 1 for fuller details


Making risk intelligence change happen - Addressing the underlying cause of the detrimental behaviour

Set out below are a range of examples of where we have helped other organisations to create a shift in their risk intelligence. Common to all these examples is addressing the underlying cause of the detrimental behaviour.

Risk Competence: The collective risk management competence of an organisation.

Organisation: How the organisational environment is structured and valued.

Relationship: How people in the organisation interact with others.

Motivation: The reason why people manage risk the way that they do.

Detrimental behaviour (symptom): Taking unnecessary risks
Underlying cause (influencer): No clear guidelines or training in place
What we did: Trained supervisors and staff on the organisation’s values. Implemented monthly unit meetings to clarify goals and improve two-way communication. Improved communications by sharing decisions and implementing biweekly email updates.

Detrimental behaviour (symptom): Employees not taking accountability
Underlying cause (influencer): Lack of awareness of how job contributes to achieving strategy
What we did: We identified and worked on a small number of critical events that were significant to the organisation and the customer. Through this, an opportunity arose for employees to understand how they could behave in a way that would deliver the attributes of the brand.

Detrimental behaviour (symptom): Lack of adherence to policy and process
Underlying cause (influencer): Organisation systems did not support compliance
What we did: Re-designed job roles and organisation structure to support desired outcomes. Introduced a leadership alignment programme. Re-designed reward and performance management to encourage ‘right’ behaviours.

Detrimental behaviour (symptom): Ineffective challenge of first line risk taking
Underlying cause (influencer): Unclear roles, responsibilities and interactions between group and regional risk officers
What we did: 1-1 interviews with Group and Regional risk officers and regional MDs to understand what’s working and what’s not. Identification of areas of friction and lack of clarity. Refreshed role descriptions. Implemented oversight planning process. Baselined new way of working.


Making risk intelligence change happen - ‘Quick win’ themes identified by our diagnostic approach

Many FS companies have introduced campaigns to reinforce their ‘risk culture’ message from the top. Those few that believe they have made significant progress tend to have embedded a Risk Intelligent Culture in pockets and not throughout the entire organisation.

Examples of our insights and recommendations to your peers

Risk Intelligence: Relationship; Organisation; Risk Competence; Motivation

Finding: Middle management hoarding risk management information because they want to hoard power or hide mistakes made by their team.
Recommendation: Promote visible peer to peer review and challenge. Encourage regular and frequent peer group discussions on risk behaviours. Review, assess and enhance the reporting framework to make sure that its reports are informative, regularly updated, prompt, transparent and readily accessible to staff.

Finding: Continuous breaches of risk limits negatively impact bonus payments, whereas exceeding expectations in managing risks is not rewarded.
Recommendation: Annual performance objectives should consider risk intelligence and accountabilities for effective management of risk as well as reward of those demonstrating the desired risk management behaviours.

Finding: There is a disconnect between how overall risk strategy relates to individual roles and responsibilities (in particular for more junior grades in front office functions).
Recommendation: Align organisation’s symbols, systems, and behavioural norms to encourage people to make the right risk-related decisions, and exhibit appropriate risk management behaviours. Design risk education programmes for staff at all levels.

Finding: Insufficient business knowledge across oversight functions up to middle management and insufficient risk management skills and awareness of front office staff at junior grades.
Recommendation: Targeted secondments from oversight functions into front office and vice versa are effective in developing business knowledge across oversight functions and risk management skills and awareness of junior front office staff.


Q&A and key contacts

Any questions?

Key contacts

Mariia Speranska, Risk and Regulation, +44 (0) 20 7303 [email protected]

Stephen Lucas, Partner, Risk and Regulation, +44 (0) 20 7303 [email protected]

Tim Thompson, Partner, Risk and Regulation, +44 (0) 20 7007 [email protected]

Stephen Gould, Risk and Regulation, +44 (0) 20 7303 [email protected]


Example Survey – just for fun!



Survey - Example questions for a risk intelligence diagnosis

A good risk intelligence diagnostic survey helps to capture individual risk management attitudes and intelligence; and accordingly assists identification of strong and weak areas of the risk intelligence in an organisation. Most good risk intelligence surveys have positively phrased questions to reduce bias and support anonymous responses to increase validity.

The below survey is for fun - to give a feel for the types of questions in a risk intelligence diagnosis.

Response options for each question: Strongly disagree; Disagree; Neutral; Agree; Strongly Agree; I don’t know

Q1. My risk management capabilities are assessed regularly.

Q2. Being good at managing risks can help people to get ahead in my organisation.

Q3. Managers and leaders in my organisation role model the right risk behaviours.

Q4. People in my organisation know how to escalate risks.

Q5. People in my organisation always try to do the right thing.


Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.co.uk/about for a detailed description of the legal structure of DTTL and its member firms.

Deloitte LLP is the United Kingdom member firm of DTTL.

This publication has been written in general terms and therefore cannot be relied on to cover specific situations; application of the principles set out will depend upon the particular circumstances involved and we recommend that you obtain professional advice before acting or refraining from acting on any of the contents of this publication. Deloitte LLP would be pleased to advise readers on how to apply the principles set out in this publication to their specific circumstances. Deloitte LLP accepts no duty of care or liability for any loss occasioned to any person acting or refraining from action as a result of any material in this publication.

Deloitte LLP is a limited liability partnership registered in England and Wales with registered number OC303675 and its registered office at 2 New Street Square, London EC4A 3BZ, United Kingdom. Tel: +44 (0) 20 7936 3000 Fax: +44 (0) 20 7583 1198.

© 2014 Deloitte LLP. All rights reserved.

Member of Deloitte Touche Tohmatsu Limited