Making culture count Strengthening culture for better risk and compliance outcomes February 2018


Risk culture is the collective attitudes, perceptions, beliefs and behaviors that impact risk and affect outcomes


What is risk culture?

• Every organization has a risk culture that determines the collective ability to identify, understand, openly discuss and act on risk.

• Risk culture is an important subset of an organization’s overall culture; there is high correlation between the two.

• A large organization will not have “one” risk culture — smaller subcultures will exist in different lines of business, geographies, etc.

• Risk culture is not “something” you can design and execute. Rather, it is the outcome of a series of trade-offs across a number of dimensions.

EY’s definition and underlying methodology place a risk lens on:

• Attitudes: what people think

• Perceptions and beliefs: the conclusions people make about what’s important

• Behaviors: what people do

• Outcomes: the results

[Figure: risk culture shown alongside the other components of risk governance: board risk oversight; risk appetite framework; controls effectiveness; risk transparency, MIS and data; risk accountability (3LoD); talent and incentives]

A sound risk culture is essential for ensuring effective risk governance

Risk culture influences business strategy, its execution, risk governance and, ultimately, firm outcomes.


Why culture counts

There is a strong causal link between conduct failings and poor risk culture. This has resulted in significant financial losses and fines.

• Over the past five years, firms have paid out more than US$300 billion in fines, settlements and remediation as a consequence of misconduct.¹

• These costs are a big part of the reason that banks’ return on equity has fallen below their cost of capital.²

Six years ago, the Global Financial Crisis tipped national economies into recession and brought to their knees some of the most hallowed names in the financial industry … And six years after the Crisis broke, the global industry continues to be dogged by shocking revelations of financial malfeasance, mis-selling, and dishonesty.³

Ravi Menon, Managing Director, MAS, January 2015

Getting the culture right in financial institutions is critical because poor culture can be a driver of poor conduct. The financial industry’s most valuable asset – trust – can be significantly undermined by poor conduct. And all financial institutions need their customers to trust them in order to build a sustainable business.⁴

Lee Boon Ngiap, Assistant Managing Director, MAS, March 2017

Top reasons banks give for culture breakdown

• Messages not cascaded effectively throughout the organization

• Profit and market share pressure

• Too great a focus on meeting targets

• Lack of first-line accountability

• Conflict between a sales-driven first-line culture and firm’s risk culture

¹ Conduct Costs Project Report, CCP Research Foundation, August 2017.

² Capital Markets: building the investment bank of the future, EY, October 2016.

³ MAS-Singapore Academy of Law Conference, 23 January 2015.

⁴ 2017 Annual Luncheon of the Life Insurance Association Singapore, 6 March 2017.


Regulatory focus on risk culture is growing …

• A growing number of regulators are more clearly documenting their risk culture expectations, e.g., the Financial Conduct Authority (FCA) in the UK, the Hong Kong Monetary Authority (HKMA) and the Australian Prudential Regulation Authority (APRA).

• Regulators have introduced, or are considering, senior manager or accountable executive regimes to increase accountability for risk culture and conduct outcomes, e.g., the FCA Senior Managers Regime, the Hong Kong Securities and Futures Commission Manager-In-Charge (MIC) regime and the APRA Banking Executive Accountability Regime.

• Some regulators are using multidisciplinary teams, including behavioral psychologists, when undertaking risk culture reviews (e.g., APRA).

Key themes emerging from this regulatory focus include:

1. Tone from the top: does the bank’s C-suite, especially its CEO, consistently send the right message on risk? Does the board reinforce this message? Is it communicated effectively across the organization, and is it consistent with the “tone from the middle”?

2. Accountability: does the bank hold senior managers accountable for managing risk effectively?

3. Incentives: does the bank’s rewards program support effective risk management or inadvertently create an incentive for misconduct?

4. Effective communications and challenge: does the risk message get through? Are escalation paths clearly defined and understood? If the message is wrong, or the delivery goes awry, will someone point this out? How is effective challenge viewed and what protections for whistle-blowers exist?

Globally and across APAC, there has been a significant increase in the supervisory focus on risk culture.

In Singapore, financial institutions report three key questions being asked during supervisory inspections:

1. What is your risk culture?

2. What is this based on?

3. What are you doing to improve risk culture?

55% of firms report that regulators are showing interest in firm risk culture.*


*Seventh annual global EY/IIF bank risk management survey


… however, risk culture remains a challenge for many financial institutions

Many firms continue to experience challenges in improving culture.

Top challenges:

• Messages not cascading throughout firm

• Lack of first-line accountability

• Conflict between sales-driven first-line and firm’s target culture

54% of firms believe understanding of desired behaviors varies across their firm.*


*Seventh annual global EY/IIF bank risk management survey

1. Most firms are not investing significantly in understanding or transforming their organizational culture, and conduct risk is not well integrated into enterprise risk management frameworks.

2. Responses to date have been limited to internal senior management surveys, “culture” questions added to people engagement surveys or corporate communications initiatives with a focus on firm values.

3. Where surveys have been initiated, firms struggle to interpret the findings or identify where problems and “conduct hot spots” might exist.

4. CROs report that culture and conduct are not seen as core to firm strategy or business objectives and there remains a lack of alignment between “tone from the top” and “tone from the middle.”

5. Performance incentives are not used to drive the firm’s risk, compliance and conduct agenda. Where KPIs for conduct, compliance, risk or governance objectives have been introduced, these remain poorly defined.


What should you be considering?

Financial services firms face three simple questions when addressing risk culture:

1. What is our risk culture?

2. What is this based on?

3. What are we doing about our risk culture?

To address these questions, financial institutions should consider the following actions:

1. Defining what risk culture means for your organization:

• Define a continuum of behaviors — from unacceptable to desired

• Identify and prioritize the mechanisms that influence employees

• Agree on an assessment approach, e.g., determine the optimal combination of qualitative measures and quantitative analysis

2. Assessing risk culture to determine what it is based on:

• Identify areas of “good” risk culture along with areas of potential vulnerability, e.g., behavioral issues and mechanisms to strengthen to deliver desired behaviors

• Prioritize gaps and identify interventions

• Agree an ongoing monitoring or assurance process

3. Changing risk culture through interventions:

• Communicate and train desired behaviors

• Address immediate behavioral issues

• Strengthen the mechanisms that deliver the desired behaviors, e.g., HR processes, risk appetite and risk governance


[Figure: risk culture framework diagram. Enablers: talent management; leadership; organizational capability; risk management framework; organizational structure. Other labels: behaviors; capabilities; tone at top and from middle; roles and responsibilities; governance; risk appetite; risk transparency; relationships; responsiveness; strategy; motivation; outcomes]

EY’s Risk Culture Framework

To embed an appropriate culture and manage organizational risk, a variety of “enablers” need to be in place and be effective.

When in place and effective, these enablers contribute to delivering desired behaviors and outcomes.

EY’s five enablers are described below.

Risk culture enablers

Leadership: tone from the middle is aligned with tone from the top and desired behaviors are established and role modeled.

Organizational structure: risk governance and operating model support the delivery of desired behaviors and enable strong accountability and effective challenge.

Risk management framework: risk management framework is embedded in the way the business manages risk and enables effective challenge.

Organizational capability: lessons are learned and root causes are addressed. Constructive, collaborative behaviors are expected and measured.

Talent management: employee life cycle and incentives are aligned to risk appetite and reinforce the delivery of desired behaviors.


How EY can help

Across APAC and globally, EY has supported banks and insurance organizations in their risk culture journey.

Defining the ambition

• Support for boards and senior management teams to define their risk culture objectives and the target conduct principles, values and behaviors that will promote a sound risk culture

• Enhancements to governance and accountability frameworks for setting, promoting and overseeing culture

• Establishing the essentials of effective risk reporting and escalation on behavioral and conduct matters

• Embedding effective culture and conduct risk measures into performance management

Risk culture assessment

• Multidisciplinary approach leveraging an experienced team of risk, regulatory and behavioral psychology professionals

• Proven methodology balancing quantitative data with qualitative assessments through a range of interview and focus group-based sessions to ensure a deep understanding of the drivers of risk culture and how these vary across the organization

• EY’s market-leading research-backed analytics and diagnostic tool that focuses on behavior, culture and ethics and analyzes where these spheres are benefiting or hindering your risk and compliance objectives

Culture change programs

• Bespoke and fully integrated culture transformation programs that are actionable and measurable, focusing on governance, communication and training initiatives addressing:

• Leadership capabilities and getting “tone from the top” right

• Strengthening and aligning “tone from the middle”

• Consolidating risk governance and accountability

• Aligning the talent life cycle to risk, compliance and conduct objectives

• Culture and conduct metrics and dashboards to track and monitor progress over time


Ready to start your risk culture journey?

Key Singapore contacts

David Scott

Financial Services Risk +65 6309 8031 [email protected]

Maggi Hughes

Financial Services Risk +65 6309 8268 [email protected]

Joanne Abbott

People Advisory Services +65 6309 6128 [email protected]

EY | Assurance | Tax | Transactions | Advisory

About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

© 2018 EYGM Limited. All Rights Reserved.

EYG no: 00605-184GBL ED None

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax or other professional advice. Please refer to your advisors for specific advice.

ey.com