
Interesting new paper on risk culture

February 22, 2014

The topic of risk culture has been receiving a lot of attention ever since it was identified as a cause of many of the problems that led to major issues at financial services organizations a few years ago.

Risk culture drives behavior when it comes to taking the desired risks and levels of risk. As I say in my KEY POINTS section at the end of this post, traditional risk management metrics will tell you whether risk levels are unacceptable, but that is after the fact (of taking the risk) and after damage may have been done!

One learned paper (I was a minor contributor) was published by the excellent Institute of Risk Management. I wrote about the topic in a 2011 blog post, with reference to a couple of excellent articles, and included these quotes:

“The most remarkable finding of the survey is that most risk professionals – on the whole a highly analytical, data rational group – believe the banking crisis was caused not so much by technical failures as by failures in organisational culture and ethics.

Most risk professionals saw the technical factors which might cause a crisis well in advance.  The risks were reported but senior executives chose to prioritise sales. That they did so is put down to individual or collective greed, fuelled by remuneration practices that encouraged excessive risk taking. That they were allowed to do so is explained by inadequate oversight by non‐executives and regulators and organisational cultures which inhibited effective challenge to risk taking.

Internally, the most important area for improvement is the culture in which risk management takes place (including vision, values, management style and operating principles).”


“Risk Culture is the ‘tone at the top’ shaped by the values, strategies, objectives, beliefs, risk tolerances and attitudes that form how everyone .. views the trade off between risk and return. The risk culture … determines how individuals and business units take risks.

While some risk-taking will be governed by rules and controls, much is governed directly by culture – where rules and controls are not effective, fail or where they do not apply.”

I like the definition above, that “Risk Culture is the ‘tone at the top’ shaped by the values, strategies, objectives, beliefs, risk tolerances and attitudes that form how everyone .. views the trade off between risk and return. The risk culture … determines how individuals and business units take risks.”

In other words, risk culture is what drives human behavior. That behavior can be, and hopefully is, to take the risks that the organization wants taken. But too often, people react to a situation by taking the ‘wrong’ risk (including taking either too much or too little risk).

Now a new paper has been published. Written by three respected professors, Risk Culture in Financial Organisations tackles the topic in great depth. It doesn’t include a clear (at least to me) definition of risk culture, but I believe that if it did, the definition would be consistent with my discussion above. The authors certainly talk about the trade-offs and identify many of the same factors that contribute to an organization’s risk culture.

I suspect that readers of the research paper will appreciate the discussions of such matters as whether the risk function should try to be an independent monitor or a partner to the business; whether the risk function is focused on enabling effective decisions to advance the organization, or on compliance; whether organizations know where behaviors and their drivers need to change; and the questions it suggests organizations ask to probe the issues.

I particularly enjoyed some of the quotes the authors included, such as:

“…the leaders of industry must collectively procure a visible and substantive change in the culture of our institutions, so as fundamentally to convince the world once again that they are businesses which can be relied on.”

“…development of a ‘risk culture’ throughout the firm is perhaps the most fundamental tool for effective risk management.”

“The institutional cleverness, taken with its edginess and a strong desire to win, made Barclays a difficult organisation for stakeholders to engage with. Barclays was sometimes perceived as being within the letter of the law but not within its spirit. There was an over-emphasis on short-term financial performance, reinforced by remuneration systems that tended to reward revenue generation rather than serving the interests of customers and clients. There was also in some parts of the Group a sense that senior management did not want to hear bad news and that employees should be capable of solving problems. This contributed to a reluctance to escalate issues of concern.”

“The strategy set by the Board from the creation of the new Group sowed the seeds of its destruction. HBOS set a strategy for aggressive, asset-led growth across divisions over a sustained period. This involved accepting more risk across all divisions of the Group. Although many of the strengths of the two brands within HBOS largely persisted at branch level, the strategy created a new culture in the higher echelons of the bank. This culture was brash, underpinned by a belief that the growing market share was due to a special set of skills which HBOS possessed and which its competitors lacked.”

“In contrast to JPMorgan Chase’s reputation for best-in-class risk management, the whale trades exposed a bank culture in which risk limit breaches were routinely disregarded, risk metrics were frequently criticised or downplayed, and risk evaluation models were targeted by bank personnel seeking to produce artificially lower capital requirements.”

“Culture has played a significant part in the development of the problems to be seen in this Trust. This culture is characterised by introspection, lack of insight or sufficient self-criticism, rejection of external criticism, reliance on external praise and, above all, fear….from top to bottom of this organisation. Such a culture does not develop overnight but is a symptom of a long-standing lack of positive and effective direction at all levels. This is not something that it is possible to change overnight either, but will require determined and inspirational leadership over a sustained period of time from within the Trust.”

“Absent major crises, and given the remarkable financial returns available from deepwater reserves, the business culture succumbed to a false sense of security. The Deepwater Horizon disaster exhibits the costs of a culture of complacency… There are recurring themes of missed warning signals, failure to share information, and a general lack of appreciation for the risks involved. In the view of the Commission, these findings highlight the importance of organizational culture and a consistent commitment to safety by industry, from the highest management levels on down.”

Simons’ Risk Exposure Calculator (1999) is composed of 12 keys that reflect different sources of pressure for a company. Managers should score each key from 1 (low) to 5 (high). ‘Alarm bells’ should be ringing if the total score is higher than thirty-five. The keys are: pressures for performance, rate of expansion, staff inexperience, rewards for entrepreneurial risk-taking, executive resistance to bad news, level of internal competition, transaction complexity and velocity, gaps in diagnostic performance measures, degree of decentralised decision-making.

“You go to a management meeting and you talk about management issues and then you go to a risk committee and you talk about risk issues. And sometimes you talk about the same issues in both but people get very confused and I don’t know … I don’t know how right it is but I really think you should be talking about risk when you talk about your management issues because it kind of feels to me again culturally that’s where we are.”

“Too many bankers, especially at the most senior levels, have operated in an environment with insufficient personal responsibility. Top bankers dodged accountability for failings on their watch by claiming ignorance or hiding behind collective decision-making. They then faced little realistic prospect of financial penalties or more serious sanctions commensurate with the severity of the failures with which they were associated. Individual incentives have not been consistent with high collective standards, often the opposite […] Remuneration has incentivised misconduct and excessive risk-taking, reinforcing a culture where poor standards were often considered normal. Many bank staff have been paid too much for doing the wrong things, with bonuses awarded and paid before the long-term consequences become apparent. The potential rewards for fleeting short-term success have sometimes been huge, but the penalties for failure, often manifest only later, have been much smaller or negligible. Despite recent reforms, many of these problems persist.”

This is clearly the work of academics, and practitioners may find the long piece hard to digest. However, the authors have tried to be practical, and if you focus on the questions at the end of each section there is some good material.


In particular, focus on the underlying message. In my reading, it is essential that management and boards of organizations, including but not limited to the risk office, understand how behavior is being driven when it comes to taking desired risks – and levels of risk.

  • Are the positive influencers, like policies and related training, effective?
  • Are the potentially negative influencers, such as short-term financial incentives, understood and mitigated?

This understanding should then be used to assess whether actions need to be taken to improve the likelihood that desired risks will be taken.

Whether you call this risk culture or not, I believe it is very important. Traditional risk management metrics will tell you whether risk levels are unacceptable, but that is after the fact and after damage may have been done!

By the way, the Bibliography is excellent and the publication is worth downloading just to get it!

I welcome your views and comments.

  1. February 22, 2014 at 12:13 PM

    As always, my perceptions and visibility are tainted through IT risk, but, regardless, this research is spot on.

    Formal exception processes at billion dollar enterprises exist to maintain the status quo of full speed ahead until the iceberg is struck.

    It’s simple math, really. If the risk mitigation costs more than estimated losses or the potential revenue, it’s not worth the “risk.”

    Never spend a dollar to protect a dime.

  2. Daoud Abu-Joudom
    February 22, 2014 at 1:30 PM

    Thanks Norman for sharing. Based on my quick reading, I was checking on two important aspects for building/assessing risk culture: one is strengthening the lines of defense by building professional relationships, as quoted:

    [1] one recognised the need for the risk function to invest heavily in relationships with the front-line (& IT) and to help them to take more responsibility. [2] …. Authority and credibility enables risk personnel to build relationships and networks across the organisation and to aspire to become trusted business advisors.

    The other point, the way business/risk functions appreciate listening to audit issues and closing pending ones, as quoted:

    [3] FSB links the idea of a strong risk culture to good governance and suggest that metrics, such as unclosed audit issues and employee survey results, should be used to monitor the risk cultures …..

    • Norman Marks
      February 24, 2014 at 6:31 AM

      Daoud, I think this goes further than the role and status of risk and audit. What will management do while nobody is watching? That behavior will be driven by risk culture.

  3. Kathryn M. Tominey
    February 22, 2014 at 3:44 PM

    Look at who was buying naked CDSs for useful data set to examine, regarding who knew & understood what and when. These pernicious instruments of financial mass destruction (referring to Buffet’s prescient observation about unregulated derivatives) were purchased by many.

    Those many including hedgefund Paulson, Kyle Bass’s firm, GoldmanSachs, Deutsche Bank, Societe Generale, Barclays, etc all betting against the triple A-rated MBSs. Almost 90% of the outstanding derivatives at the time of the crash were naked CDSs.

    Goldman even bet against their own securities – of course they knew exactly how bad they really were.

    Any of these organizations or individuals could have raised alarms. Of course the FBI & multiple states attorneys general had raised the alarm in the early 2000s and were ignored. Maybe that is why so many proceeded to rake in short term profits rather than try to avert disaster.

  4. February 22, 2014 at 6:39 PM

    Hi Norman,

    As usual, this post is excellent and informative. I have one doubt.

    While reading this post about risk culture, sometimes I felt that we are talking about risk appetite.

    Per my understanding, risk appetite lets the decision maker decide whether a risk is acceptable or not and, if not, put additional controls in place.

    Therefore I feel risk culture is closely linked with risk appetite and the level of accepted risk, as risk appetite and compliance with such risk appetite.

    Am I missing something?


    • Norman Marks
      February 24, 2014 at 6:29 AM

      Kushal, risk appetite (or criteria) reflect the desired level of risk. Risk culture is all about whether people are likely to know about and comply with it.

  5. February 24, 2014 at 1:48 AM

    “Risk culture” does not mean anything! Or it may mean lots of different things. It should be either “risk-aware culture” or “risk management culture”, which makes sense.

    And it should be defined as:
    A type of organizational culture which uses standardized risk management principles, framework and process effectively and interacts with (communicates and consults) its internal and external stakeholders within the same attributes homogeneously AND PROACTIVELY throughout the organization to achieve its objectives.

  6. Norman Marks
    February 24, 2014 at 6:32 AM

    Alpasian, you can have all of that process and framework and not have the risk culture you want. Just look at BP and the quote in the piece.

    Maybe what I said in another reply captures it for me:

    “What will management do when neither risk nor audit are watching?”

  7. February 24, 2014 at 4:46 PM

    Thanks Norman for another great piece.

    ‘Tone at the top’ is a great term – but what does it really mean in large, dispersed organisations? Simply put, it means the tone of the immediate supervisor of the lowest level in the organisation as that, to them, is ‘the top’. They see the behaviours and actions of their immediate supervisor and take that as the cue to how they should behave or can behave, and what risks they should take and avoid.

    Setting the right culture requires continuous education and training throughout the organisation. It means having in place appropriate mechanisms that support and enhance the desired behaviours (including risk taking) and punishing inappropriate behaviours.

    There is no right culture as the context of each organisation needs to be taken into consideration. A ‘carrot and stick’ culture can work in some instances, whereas an open, sharing and caring culture works best in others.

    AS/NZS 3806:2006 Compliance Programs standard, which forms the basis of the draft ISO standard for compliance management systems, is an excellent starting point to assist organisations to have in place the appropriate commitment in having the culture and behavioural norms in the context of each individual organisation.

    Alf Esteban

  8. John Fraser
    February 25, 2014 at 10:08 AM

    Thanks Norman for pointing to this paper. For anyone interested in the topic of Risk Culture I would suggest you read Chapter 6 “Creating a Risk Aware Culture” by Doug Brooks in Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives (2010 Wiley). This is an easy to read explanation from a CEO (and an actuary) that predates most of the current literature on this topic. Note: I edited this book and was impressed that such a senior executive was able to nail this topic so succinctly.

  9. Raymond Ang
    February 25, 2014 at 6:14 PM

    Norman, thanks for sharing this. A timely reminder that all the policies and procedures in the world won’t mean a thing if an organisation is only adhering to them to avoid regulatory penalties.

    Your comment, “What will management do when neither risk nor audit are watching?” reminds me of an organisation from years back that had very clear rules on what can or cannot be done drummed into its members. Members then added a casual, unspoken rule along the lines of “You can do whatever you want, but don’t get caught”.

  10. February 27, 2014 at 11:11 AM

    I just attended the SCCE Utility & Energy Conference in Houston (very good by the way) and one of the common themes was that Corporate Ethics need to be much more than a statement or video released from the top. It needs to be practiced, measured and lived day-to-day at every level.

  11. March 2, 2014 at 7:07 AM

    Norman, I read the Executive Summary only because my comment is regarding the consideration of an organization’s cultural values in managing risk, and I did not want to be off-topic. This paper is about the culture of risk managers and their relation to management, which has nothing to do with assessing risk based on cultural values — it assumes that revenues and profit are the only values worth considering (at least in the Executive Summary).

    I remember a class I took in Information Assurance & Risk Management, in which a CISO at UW displayed his typical To-Do List for the day of approximately 40 action items. His question to the class, which no one got right, was, “Out of all these pressing needs, which one is my first priority?” The answer was “a female student complaining about internet stalking”. Protecting the well-being of students was the university’s most important obligation, derived from its values. There are many other examples, in healthcare where “do no harm” is the most cherished value. Or the Challenger disaster in which NASA was faulted for prioritizing business needs over safety.

    So I am off-topic, but my view is that this paper emphasizing risk culture is energy badly misplaced. We need to break out of our bubble and also consider the broader cultural context as relevant to the decisions we make as risk managers.

  12. April 8, 2014 at 5:41 AM

    Thanks Norman, here is a look into the future,


    Any comments welcome!

  13. Kathryn M. Tominey
    April 8, 2014 at 10:02 AM

    There is an old saying that “what gets measured is what gets done”. Mortgage brokers were compensated based on fees they collected, which were higher for subprime than prime. So, they put people into subprimes who actually qualified for prime. They sold loans immediately to securitizers like Goldman Sachs, so subprime ninja loans were okay. GS could ratings-shop to get the unwarranted triple-A rating, sell everything (pocketing fees along the way) & go to AIG and bet the securities would fail using naked CDSs. The few voices of caution were ignored or fired until the house of cards collapsed.

    They were paid for quarterly returns and senior mgt convinced themselves they would spot the bubble getting ready to blow and get out ahead of it. At least that was Greenspan’s assessment. Of course it didn’t quite work out that way.

    Jamie Dimon did better than most at spotting the risks and moving out of the corner. Hedgefund Paulson, Kyle Bass & others who saw it coming made out very well indeed.

    It takes really tough-minded executives with sharp intellects and serious steel in their backbones to stand up to the push to relax standards just a little bit more or longer.

    They are in seriously short supply due to the ultra short-term focus of the environment they evolve in.
