Effective risk management is hard.
To get it right, a bank must combine several elements into a coherent capability that helps management make better tradeoffs of risk and opportunity in everyday decision-making.
A strong risk culture is by far the most important element of effective risk management. Unfortunately, it is by far the most neglected element in banking. Without a strong risk culture, a bank will be chronically exposed to unnecessary or excessive risks, no matter how much it spends on its risk management apparatus.
After the financial crisis, banks invested heavily in basic elements of risk management: risk data; risk analytics; and risk controls. This is a good thing, since deficiencies in any of these elements can doom the entire effort. But these necessary elements are not sufficient to field an effective enterprise risk management capability.
A strong risk culture ties all the elements together in a coherent fashion. And a strong risk culture is what turns dusty policy manuals into living, breathing business practices that drive better risk decisions throughout the bank.
Ingredients for an essential
So what is a strong risk culture? To some, it may sound like one of those warm and fuzzy initiatives dreamed up by the HR department and inflicted on a reluctant organization. Not so.
Building a strong risk culture is a pragmatic and hard-headed business process that enables and encourages better risk decisions. A strong risk culture has specific, observable attributes.
Gaps between actual attributes and desired attributes can be identified and actions taken to close the gaps. There is nothing warm and fuzzy about this if done right.
A bank’s culture drives its behavior and decisions—for good or ill. In a strong risk culture, people make better risk decisions because they have the capability and desire to do so, not simply because they are expected to follow rule books or formulas.
A strong risk culture displays the values, behaviors, and capabilities that are necessary for effective risk management:
• Vigilance—Being alert to emerging threats and opportunities.
Example: Does management have a disciplined and continuous process for gathering and evaluating intelligence about what is going on inside and outside the bank? Or does management wing it, by relying on random anecdotes and seat-of-the-pants guesswork?
• Agility—Deciding and acting in time.
Example: If an unusual threat or opportunity arises, can the bank quickly mobilize and empower the right people to deal with it? Or does bureaucratic inertia prevent a proper and timely response?
• Collaboration—Being able to work together effectively on risk issues.
Example: When necessary, can people work effectively as a team, even though they may come from different businesses or functions? Or does political infighting make cooperation difficult?
• Communication—Sharing information and ideas about risks.
Example: Do business lines and risk functions routinely engage each other in constructive and honest debate on risk issues? Or do they live in separate worlds of mutual incomprehension that let problems fester out of sight and opportunities slip away?
• Discipline—Knowing and doing what is right from a risk perspective.
Example: Are limit-setting and transaction approval processes tied to risk measures? Or are they based only on volume or size measures that allow riskier business to crowd out good business?
• Talent—Attracting and motivating people who have the necessary risk knowledge and skills.
Example: Do risk modelers have the analytical skill and the business judgment to understand and communicate the limitations of their models? Or do they naively roll out error-prone models based on outdated or simplistic assumptions?
• Leadership—Inspiring, supporting, practicing, and rewarding good risk management.
Example: When top management makes decisions on promotions and compensation, do officers send a clear message to the organization that good risk management will be rewarded? And bad risk management will be punished? Or is “risk management” just for flowery speeches and colorful posters in the cafeteria or break room?
Beyond the first inch of the pool …
These examples just scratch the surface of what makes a strong risk culture. I will be digging deeper in future blogs.
The main messages for today are that a strong risk culture is absolutely necessary for effective risk management.
And that if you don’t have a strong risk culture you can build one over time by taking specific, pragmatic steps to do so.