Regulatory focus on banks’ risk culture has grown over the last year and a half or so.
“It has been heard loud and clear in this market that the regulators would like banks to look at their culture, assess it, and make improvements where they need to be made,” says EY’s Tom Campanile in an interview with two colleagues.
Much of this focus comes from ripples of pronouncements by the international Financial Stability Board, the Basel Committee on Banking Supervision, and similar bodies, often with an emphasis on very large banking organizations, says Campanile, partner and leader of the risk governance team of the firm’s Financial Services Risk Management practice.
The increased emphasis here has come out in U.S. regulators’ speeches over the last year.
For example, in a speech titled “The Call for Proactive Risk Culture” last June, Chicago Federal Reserve Bank President and CEO Charles Evans noted that it is easier to discuss specific regulatory requirements than it is “to talk about institutional culture—especially risk culture. … [But] I think we can agree it starts broadly with how all ranks of an organization’s personnel—from entry level staff to the CEO—identify and respond to risks and threats—even when they’re not explicitly covered by specific rules and regulations.”
Added Evans later in his speech: “While our largest firms have a responsibility to foster a proactive risk culture that is rooted in financial stability considerations, smaller firms would also do well to pay attention to the evolving conversation about risk culture.”
In the same month, Comptroller Thomas Curry remarked in a speech that “many of the compliance, operational, and safety and soundness problems we’ve seen over the past decade could never have happened in organizations with healthy cultures, and so our approach to prudential supervision today includes an assessment of organizational values.”
While a good deal of what regulators have had to say directly involves larger banks, “the destination is the same for everybody eventually. It’s a matter of emphasis,” says Campanile. “It’s a trickle down—hopefully, a thoughtful trickle down.”
“Trickle down” regulation and regulatory expectations are mostly seen as burdensome, with concepts originally intended for larger banks being visited, informally at first, on much smaller companies. But sometimes trickle-down concepts can be beneficial.
Campanile notes that the Comptroller’s “heightened standards,” finalized in September 2014, which formalized the “three lines of defense” approach to risk management, applies overall to organizations $50 billion and larger in assets. However, he points out, “there are a lot of principles in there that you can’t argue with at $40, $30, even $10 billion.”
Risk requires a continuum
Banking Exchange met with Campanile and two fellow EY risk experts to discuss risk culture issues. The discussion concentrated especially on how the increasing emphasis on risk culture comes at the same time that many banks have been conducting or considering mergers.
Besides Campanile, meeting with Banking Exchange were Mark Watson, executive director, global banking and capital markets, who focuses on the intersection of risk and regulatory matters, and Peter Davis, principal in the EY Financial Services Office, who frequently works on financial reform issues.
One point the trio makes concerns the fixation on bank size thresholds when discussing what approaches an organization is taking—the implication being that this is dictating decisions about an organization’s size.
True, there are requirements that kick in at specific size points.
“But we believe risk governance becomes more of a continuum,” says Campanile. “I don’t think you wake up at $10 billion and decide that the board’s got to talk about risk because it’s suddenly become an important issue.”
“You adopt principles,” Campanile continues. “Then, as your bank hits various thresholds some structural pieces must be put in place.”
For Peter Davis, such transitions may be pegged to measures like Dodd-Frank, but they aren’t really solely the result of legislation.
“Over the years,” says Davis, “as firms grew bigger, there was usually a point where they saw that what used to work suddenly didn’t work anymore. There was a realization, for example, that an informal dialogue now had to have metrics around it.”
Organizations did, and do, gap assessments to see if their ongoing growth was taking them into a new league, so to speak.
“Now there are more formal checkpoints,” says Davis, but the scaling up of risk infrastructure needs isn’t new.
Another wrinkle is that size by itself doesn’t dictate all. Mark Watson points out that all banks, for example, must focus on “providing the right products in the right way with the right distribution at the right price with the right disclosures.”
The challenge is much the same with anti-money-laundering efforts, Watson says—a small bank has to get it just as right.
Here is more of the conversation, edited for length and clarity.
Banking Exchange: When banks merge, how do you marry two different risk cultures?
Campanile: There’s the overall culture of a bank versus the risk culture and that’s important to consider going into a merger. What are the bank’s values? What kind of business is it now and what kind of business does it want to be at the other side of the merger?
The cultural question will be part of the change management process, as two smaller institutions join and potentially become subject to new requirements.
You don’t want to have a culture within a culture. That’s not a great place to be.
All of the facets of a risk culture that should be in the bank’s risk framework after the merger hinge on overall culture, not risk culture being treated as a separate issue.
Watson: I think banking companies are more conscious today about the challenges of combining two different kinds of organizations. In the past you would not necessarily have had people talking about planning the combined culture. There was more living with multiple cultures, because they thought that was appropriate. Pre-financial crisis, there were lots of firms that had multiple cultures in their organization.
But today there is a political focus on financial institutions. They need to know what kind of institution they want to be. And that includes strategy, the value that will be delivered to customers, and risk appetite.
People are really focused on this when they are doing a merger now. They realize that they can’t have pockets in the organization with a different culture. And they discuss how to design those differences out in the course of the merger process. They understand that they can’t have one part of the company pushing the edges.
They understand that a bank can’t not have a single risk culture.
Davis: Also, this is on the checklist of banks that are growing, something they consult as they approach thresholds. They are asking, “Will we run afoul of new rules and new expectations that kick in? What’s our plan to address that? We don’t want to be in the penalty box right out of the gate.”
Watson: Banks have to think about such things even as they grow organically, now.
Davis: And growth by any means is not a certainty. A lot of firms grew a great deal bigger during the crisis but it’s clear that they are not going to get bigger again.
I don’t think they’ll have permission to continue to grow.
Banking Exchange: Where does the conversation begin, once you have considered such points as we’ve been discussing? How do you start deciding what the overall unified culture and risk culture will look like?
Campanile: It can be tough to define and measure culture. It’s kind of in the DNA of both organizations.
One area that must be discussed is the employee side of things, the human capital issues. This includes deciding how the united company will handle compensation, variable compensation, bonuses, hiring, promotion, and more.
The leadership element represents another important area. Not only does the organization have to decide what its combined risk appetite will be, it must determine how the company is going to manage risk. What will the systems and reports look like, to enable that? How does the tone at the top get down to all units, all employees?
Watson: Other dynamics, such as an explicit risk capital time framework, and financial approaches in general, also play a role. One example is each bank’s philosophy on when to write down a loan. I know that sounds like a technical factor, but it is part of the discussion of what kind of a bank do we want to be.
There has been a regulatory shift to be aware of, too. Ten years ago bank regulators looked at the merger partners’ strategy, product, and business plan “as read.” Their analysis focused on the management and on the controls that would be in place. Now they are validating that the strategy is suitable, that it’s not an over-the-top strategy.
Today the two boards of merging banks must address what their unified strategy will be and what that will imply for risk tolerances.
Banking Exchange: When you have a so-called mergers of equals don’t literally exist, but there are deals where there is an attempt to pour two banks into one vessel. Do such organizations simply take an entirely fresh look at risk?
Campanile: Any banking combination is going to change the risk profile. The risks brought aboard by both organizations won’t be discrete and separate. You could end up with concentrations that didn’t exist before, for example.
So it is important to take that fresh look. Say a retail banking buyer picks up an entirely new kind of lending or a broker-dealer operation. You have to dribble it down to see how that will affect the combined organization.
Watson: Today you are more likely to see organizations get rid of businesses, as well, even if they are performing. The process is called “de-risking”—there’s much more rigor around getting rid of non-core activities. Companies acknowledge when something just doesn’t fit their overall strategy.
Banking Exchange: What other effects has the increase in M&A had on banking?
Watson: The banking industry is much more focused on data systems and technology than it ever was. This isn’t just a matter of M&A. They are looking at this area because of cost reasons, data reasons, and competitive reasons. But specifically in the M&A area, banks more often now are using deals as an opportunity to flush out redundant legacy systems.
Davis: And this relates to risk. Systems integrity, data integrity, and governance are all important to having a consolidated risk profile for a bank. Stress tests, regulatory reports, and more all depend on it.