Embedding a sound Risk Culture: why is it failing so often?

Christmas and New Year are a typical moment to take time to reflect. And this time, I took the time to reflect on a question that was bothering me for a long time: why do so many (financial) institutions fail to implement an effective risk culture, although they put in a lot of effort through training programs, e-learnings, creating measurement reports, frequently testing knowledge, et cetera?

So please indulge me in sharing my reflections on this topic.

Reflection 1: Owning responsibility matters

The Three Lines of Defense model states it clearly: the 1st line is responsible for owning and managing its risks. So departments like Client Service, Operations, IT and Sales should all manage their own risks.

Let us look at a couple of real-life examples of why a department does not feel responsible for managing its risks:

- Who is responsible for accepting a client or a loan: sales or another department? In many banks the KYC acceptance process is centralized in a back office. Larger loans are decided upon in a credit (risk) committee, smaller loans by a model created by another department. Can sales really manage the risks if the criteria and the how are determined by another department?

- Who is responsible for accepting a risk related to a change: the product owner or the change risk committee? How would you feel if you had to appear before a risk committee to discuss risks and mitigating actions and then had to do what they tell you to do: would you feel responsible for the risks, or would you think: they will tell me anyway?

- Who is responsible for designing a process or procedure? During a meeting with a client service department I asked what could go wrong, what losses could occur. Their almost unanimous answer was: “we stick to the prescribed processes and procedures, so nothing can go wrong”. All these processes and procedures were developed and implemented by people outside of the department. The client service staff did not feel responsible for anything that could go wrong if the procedures were misused.

So what does this mean? If a person does not feel responsible, (s)he will not act accordingly. If you really want managing risks to be the responsibility of the respective departments, it only makes sense to give them the tools and the mandate, and to involve them actively in the design of processes and procedures.

Reflection 2: Naming matters

Wording matters. How someone phrases something can influence the thinking and behaviour of others. How does this relate to risk? Let’s have a look at the name of the department and the function titles. The 2nd line department that is involved in risk is generally called “Risk Management” and the 2nd line function “Risk Manager”. This wording signifies that the 2nd line is managing the risks. Maybe a better term would be something like “Risk Control & Oversight”. But be creative!

Reflection 3: Practice what you preach

To my children I often said: “Do not do what daddy is doing, I am giving a bad example.” Do you think it helped? The same is true for all managers. And do you really think this doesn’t happen? Think again! Some real-life examples:

- “We have to cut costs”, and at the same time the management team goes to a luxury hotel for an offsite to determine strategy.

- A strict gift policy for treating clients, but the managing board invites the supervisory board to a sports event, with complete hospitality offerings.

- Implementing a new organizational structure without following the change risk assessment methodology.

If managers do not follow the same procedures, rules and guidelines that apply to everyone, embedding these procedures will fail, or at least not be as successful as expected.

Reflection 4: Avoid Risk Jargon

If risk management truly wants to embed risk management in the genes of the 1st line, it should not use jargon (risk technical language). Although a 2nd line risk expert is confronted with the jargon on a daily basis, the 1st line employee uses a risk instrument no more than a couple of times a year. Take again the example of a product owner: on average, how many Change Risk Assessments does a product owner do per year? 2 to 3? Jargon is like a different language: if you do not use it, it is hard to understand. And if something is hard to understand and formulate correctly, there is a hurdle. One common language that is used frequently is essential.

Therefore, it is vital that risk jargon is avoided as much as possible. Suggestion: translate it into terms the 1st line uses regularly, or into common language.

Reflection 5: Processes eat Culture for breakfast

What is culture? For a corporate culture (the subject we are talking about in this article), Merriam-Webster provides the following definition: “the set of shared attitudes, values, goals, and practices that characterizes an institution or organization”. One element of this is “the set of shared practices”. If we then look up the word “practice”, the definition is: “to do or perform often, customarily, or habitually”. This means that to embed a risk culture, it is absolutely necessary that risk activities are done often and habitually. And this means embedding them in the regular processes of the 1st line. If you do not do so, it is quite likely that the desired risk culture will not be obtained. To give an example: embed risk questions in the Agile way of working. Every time a scrum team does a refinement, let them, as part of the process, discuss a couple of risk questions such as:

- What is the worst that can happen if (implementing) this change goes wrong?

- Is there any specific regulation applicable to this change? Have we taken it into account?

Reflection 6: (Risk) ownership requires facilitation

Risk owner, control owner, process owner, system owner… So many ownership roles have been included in RACIs, procedures et cetera, with a clear description of what the responsibilities are. But too often it ends there. They are not, or hardly, facilitated in their role: no reports or systems to gain sufficient insight. The 2nd line almost always addresses not the ownership role but a hierarchical management role or management team. To go a bit further: if a reorganization occurs, these roles are rarely attributed to a person during the reorganization, leaving an ownership role unfulfilled (sometimes for a long time).

So if you really want to use risk ownership roles, embed them truly in the organization and facilitate them with reports, tooling, conversations, et cetera.

Reflection 7: Behavior not in line with desired risk culture should have consequences

Is behavior that is not in line with the desired risk culture sugar-coated or covered up with the cloak of charity in your company, for example because the person is a great sales rep or a top manager? That basically means you accept this behavior. A good example of how it can be done differently can be found at, for example, Shell. Since safety measures are very important in this company, everybody at head office also has to adhere to safety measures, for example holding the handrail when walking down the stairs. Even a top manager or a top sales rep can get fired if this safety rule is not followed.

What are your reflections on Risk culture?

Above I have mentioned some of my reflections on why Risk Culture is so often not well embedded. With these reflections, I hope to better serve the organizations I will be helping and that it helps you in improving your risk culture.

But I am sure you have thoughts and reflections on this topic as well. Please feel free to share these by adding your comments!

Ahmed Al-Yousefi

Cybersecurity Analyst | Eraneos - Student Ambassador | Leiden University. MSc Cybersecurity Governance. Middle East & North Africa Specialist. Security (Intelligence and Resilience) Analyst

1 month

Insightful take on an important topic such as Risk Culture, Erik Zoetmulder!

Bob van Rhienen

Governance, Risk & Compliance | Program & Change Management | Business Process Improvement (FRM/PMP/Black Belt)

1 month

These are useful thoughts about an important topic. In my experience, being successful in creating an effective risk culture starts with being very clear about what kind of risk culture you aim to realise and then be very honest about the culture you have to start with. And then create a plan that includes changing tangible things, like the way people are hired and promoted, or the budgeting process. Fully agree about the importance of management commitment and setting the right example. And that also means you have to change the people, or... change the people... And lastly, it's also about bringing people together and bringing down silos. In the past as part of a risk culture initiative I have initiated a front/risk exchange program aimed at improving understanding of each other's work and improving collaboration. That made a difference as well.
