Weekend Reading: Culture Risk Governance (part 1) — Towards a New Diagnostic Framework
By: Stephen J. Scott , Founder & CEO of Starling
"It is challenging to observe and measure risk culture because it comprises many qualitative elements," the European Central Bank (ECB) offered, shortly before the bank failures of spring 2023. But it was precisely these qualitative challenges that were found to be at the root of those failures, which took place only a month later.
In its post-mortem study, the International Monetary Fund (IMF) pointed again to this challenge in qualitative analysis, arguing that effective supervisory judgement — which seemed to have gone missing in the run up to the turmoil of 2023 — "depends upon a holistic understanding of the financial institution, including non-quantifiable elements such as risk management culture and corporate governance."
Last weekend, I argued that we're in a muddle in trying to contend with these "non-quantifiable" risk management challenges, in large part because it's not clear whether officialdom believes a 'good' risk culture to be contingent upon good risk governance, or whether desirable risk governance instead hinges upon first establishing the right cultural supports.
For instance, in the chapter on "Corporate and Risk Governance" appearing in the 2019 issue of its "Comptroller's Handbook," the US Office of the Comptroller of the Currency asserts that, "A responsible corporate culture and a sound risk culture are the foundation of an effective corporate and risk governance framework." So, effective governance clearly hinges on the right cultural "foundation."
But later the Handbook stipulates that, "The board should create a corporate and risk governance framework to facilitate oversight and help set the bank's strategic direction, risk culture, and risk appetite." In this formulation, setting an appropriate risk culture hangs on first establishing the right risk governance framework.
Here again we see that the relationship between governance and culture is made unhelpfully murky in policymaking discussions thereof. Later in this article, I'll try to outline a path out of the murk. But first, some recap and illustrative context.
As I've been saying…
In past weeks I've sought to describe how poorly structured discussions of 'culture problems' contribute to current confusions, as seen in the financial sector, the audit space, and in our approach to the curative 'monitorships' ordered in the wake of culture-driven scandals. And I've questioned why we have yet to see behavioral science fully embraced in connection with addressing culture challenges.
In its consultation on governance and risk culture, announced this past July, the ECB has signaled that addressing these challenges is a policy priority. And the Europeans are not alone: culture is now firmly established as a core element of the supervisory policy agenda worldwide.
But if relevant initiatives are to permit for clarity of discussion, and facilitate productive industry activities, then regulators must first explain how they believe governance shapes culture and behavior, how culture and behavior shape governance, how management is to assure and evidence that the two are working in a complementary fashion to drive desired outcomes, how this is to be tested for other than watching for evidence of failure, and how a successful dynamic is to be (re-)established after such failure appears.
I don't mean to suggest here that regulators have been lax. Many have grappled admirably with the challenges I outline in the preceding paragraph. But full understandings have yet to be reached, and practical applications have yet to be established.
A 2021 academic paper, "Banks' risk culture and management control systems: A systematic literature review," identifies some of the challenges faced. While there are many reasonable views regarding culture and its relationship to risk in banks, the authors contend, these have yet to be "integrated to develop a more coherent understanding that allows banks to develop their risk culture in an appropriate direction."
Explicitly seeking to consider risk culture in terms of management controls, the authors argue, "to foster the possibility to assess risk culture, regulators have to strengthen their case regarding risk culture."
In this connection, they call attention to regulatory vacillation on the topic. "On the one hand, regulators demand a targeted development of risk culture, but on the other hand, they emphasize its elusive character and the difficulties to evaluate and interpret it (e.g., FSB, 2014)."
"This is of little help to foster banks' understanding of what is expected from them when dealing with risk culture," they criticize correctly. Things are made worse by the fact that different national regulators work with different definitions of risk culture and pose different ideas as to how it can be made to yield to supervisory scrutiny. What's to be done?
"One way to clarify the prevailing concept of risk culture is the involvement of regulators in the process of designing instruments to measure risk culture," the authors suggest. "This involvement in turn fosters their understanding of practical problems when trying to assess and manage risk culture, which in turn can help to improve regulatory guidelines."
We've been calling for the formation of precisely such a public-private initiative, but neither national regulators nor international standard-setting bodies have yet appeared ready to lead in this direction.
Where does this leave us?
Prioritizing policy priorities
Firms that would placate irate regulators have a relatively safe starting point: assuring that company policies reflect those of company overseers.
Consider the example of Lloyd's of London. In the wake of a misconduct scandal that involved allegations of heavy drinking, bullying, and sexual harassment, the iconic insurer embarked on a culture change program. According to recent reports, Lloyd's is now working to update its operating bylaws to assure its policies align more closely with those recently established by the Financial Conduct Authority (FCA).
In a "Notice to Provide Information" letter sent to Lloyd's in February this year, the FCA announced its intention to step up examination of how the firm is working to better manage non-financial misconduct risk, to include "individuals' conduct for issues such as (but not limited to) bullying, sexual harassment, and discrimination whether in or outside the workplace," the FCA explained.
With this in view, Lloyd's has launched a "consultation" on a proposed new Lloyd's Market Conduct and Behaviours Framework "to advance and protect the interests, reputation and culture of the Lloyd's market and its people through the promotion of good conduct and the timely intervention into and remediation of conduct that fails to meet Lloyd's expectations." The new framework is to operate under "a single internal governance model," with oversight from Lloyd's General Counsel and Chief of Markets.
Not bad, as a first step, and the FCA will surely be pleased that Lloyd's is making efforts to assure that its operating policies reflect regulatory policy. But policy alignment isn't enough. In its February letter, the FCA reminded that, "We expect firms to have effective systems in place to identify and mitigate risks relating to non-financial misconduct."
In this connection, many will look to the Financial Stability Board's (FSB) 2018 publication, "Strengthening Governance Frameworks to Mitigate Misconduct Risk: A Toolkit for Firms and Supervisor," which called attention to the importance of governance frameworks.
"A governance framework influences the way the business operates, including its systems, controls and risk management processes," the FSB explained. "When these governance frameworks are poorly designed or ineffectively implemented, they can contribute to the risk of misconduct."
The word "process" or "processes" appears 97 times in the 72-page FSB paper, providing some indication of the emphasis regulatory policymakers put on moving past policy alignment to practical measures. But while it's relatively easy to conduct some sort of "gap analysis" to compare company policy against the policy requirements stipulated by officials, it's less obvious what specific processes regulators expect.
"Systems Intentionality"
Australian legal scholar Elise Bant has argued that the processes and systems a firm establishes can, in and of themselves, be taken to evidence its operational intent. Where those processes and systems produce bad outcomes, then, such can be seen as occurring by design, and those responsible for establishing and maintaining these systems can therefore be held accountable for the outcomes they produce.
A "system of conduct," in Bant's formulation, connotes "an internal method of working" or a plan of procedure. Such systems may operate pursuant to specific organizational policies, they may develop organically as common organizational practices, or they may reflect some combination of the two.
Notably, a recent Australian High Court decision referenced Professor Bant's "Systems Intentionality" perspective, specifically citing her work: "corporations manifest their intentions through the systems of conduct that they adopt and operate," Bant writes, "both in the sense that any system reveals the corporate intention and in the sense that it embodies or instantiates that intention."
The Court went on to describe its view of a "system of conduct."
Evidence of a system of conduct can be both internal and external to the corporation. Internally it may include employee testimony, internal scripts, remuneration or promotion criteria, complaint processes and scripts, audit outcomes, and default settings on automated programs. Externally it may include patterns of harm to an identified class of customer, communications, incentives and disincentives provided to a target market, and user experiences. Those lists are not exhaustive.
In sum, it is now legal jurisprudence in Australia to view the processes by which a firm seeks to govern its culture and conduct related risks as evidence of intent for which leaders may be held to personal account.
The leadership team at ANZ should take heed.
ANZ: setting the wrong example
In August 2017, the Australian Prudential Regulation Authority (APRA) announced a "Prudential Inquiry" into the "frameworks and practices in relation to the governance, culture and accountability within the Commonwealth Bank group (CBA), following a number of incidents that damaged the reputation and public standing of the bank."
In May 2018, a Final Report indicated that the institution suffered from "a number of shortcomings in CBA's governance, culture and accountability frameworks, particularly in dealing with non-financial risks." Following from these findings, APRA entered into an "Enforceable Undertaking" with CBA, requiring it to improve its risk governance and applied a $1 billion add-on to the firm's minimum capital requirement.
With culture playing so prominent a role in the troubles seen at CBA, in June 2018, APRA ordered 36 of the country's largest banks, insurers and superannuation licensees to conduct their own culture "self-assessments," to see if they were subject to any of the shortcomings found at CBA.
Subsequent self-assessment reports were modeled largely on the analytical review conducted at CBA and, when reported by APRA in May 2019, they revealed consistent findings across firms:
To help focus minds, in July 2019, APRA imposed additional risk capital add-ons of $500 million at National Australia Bank (NAB), Westpac, and ANZ.
After imposing the $1 billion capital charge at CBA in 2018, APRA halved the charge in November 2020, as the firm demonstrated progress in fulfilling the obligations imposed by its Enforceable Undertaking and, in October 2022, APRA lifted the remaining $500m capital charge.
Following successful remediation efforts, the $500m culture risk capital charge imposed at Westpac in 2019 was lifted in February this year, and the $500m charge imposed at NAB was removed in March.
By contrast, the charge imposed at ANZ remains in place and, last month, APRA increased the charge by an additional $250m to reflect continuing "non-financial risk management concerns."
And ANZ is exceptional in another way.
The findings regarding culture risk challenges at CBA, reported after APRA's Prudential Inquiry, were made public. After APRA ordered culture risk self-assessments across the sector, Westpac released its "Culture, Governance and Accountability Self-Assessment" to the public in November 2018 and a re-assessment report was made public in July 2020. NAB also released its own self-assessment report in November 2018 and published a 2019 Progress Report and another in 2020.
Among Australia's 'Big Four' banks, only ANZ elected to withhold the results of its 2018 self-assessment. That said, in a 2019 statement, ANZ Chairman David Gonski remarked, "In relation to governance, we found fragmented infrastructures, drawn-out processes and siloed teams." The firm's non-financial risk management, Gonski said, was "lacking maturity" and complexity impeded swift remedial action.
Recent misconduct challenges at ANZ indicate that these problems may remain at issue. And under the 'Systems Intentionality' perspective offered by Professor Bant, and the Australian High Court's uptake of that perspective, it may well be that ANZ must look to demonstrate that continued bad conduct outcomes are not the intentional outcome of process design.
Pushing past policy and process
If the example at Lloyd's recounted above demonstrates a preoccupation with policy, the example at ANZ perhaps reflects an over-emphasis on process. Its plan for culture risk remediation "does not adequately address the required cultural transformation," APRA warned ANZ leadership in a November 2022 letter.
But in focusing on process, ANZ may simply be seeking to satisfy APRA's own demand for it. In a 2023 letter, the regulator warned, "APRA has observed better practice examples in peer entities that have built high levels of maturity in end-to-end process views have then been able to leverage these to drive risk uplift in a consistent and sustainable way."
Last month, APRA ordered ANZ to retain external expertise to help it determine the root cause of its continuing risk culture challenges. ANZ has reportedly retained two law firms. But rather than helping to demonstrate its commitment to the culture change APRA demands, the decision to turn to lawyers may itself be taken to reflect the firm's culture challenge.
There is little reason to believe that the lawyers retained by ANZ have the skills to support the firm in making culture changes, and there is every reason to believe that this is not their mandate.
In 2019, on the heels of APRA imposing operational risk add-ons among the Big Four, Australian law firm Allens — one of the firms recently retained by ANZ — produced a Corporate Culture Guide. "In the criminal sphere, corporate culture has, for some time, been recognised as a basis for holding corporations accountable for misconduct or failure," Allens notes. And while this is true across the globe, "Australia has gone furthest in making corporate culture a component of an offence."
Culture risk management failures, thus, represent legal risks to firms and their leaders, as can efforts to investigate the root causes of such failures. "Culture assessments can have legal and regulatory consequences for the company and directors," Allens warns.
Legal and compliance leaders within the firm must therefore be closely involved in relevant internal inquiries and subsequent efforts. "Legal and compliance teams have a key role to play because policies, procedures, framework [sic] and the law, and how they are addressed in the corporation, have a profound impact on the culture of a corporation," Allens advises.
And in case the message was not already clear enough, Allens warns board members that they sit in the hot-seat:
The findings of the assessment can also have serious implications for the board and the company under criminal and civil law. For example, if a corporate culture assessment found that a company had a culture that tolerated non-compliance with the law, should an employee or an agent of the company commit a criminal offence under the Criminal Code, a prosecutor might use such an assessment as evidence with which to attribute the company with liability under the corporate culture provisions of the Criminal Code.
The firm has a long history of contending with culture: in 2008, on behalf of the United Nations Special Representative of the Secretary-General on Human Rights and Business, it produced a lengthy study, global in its scope, on "'Corporate Culture' as a Basis for the Criminal Liability of Corporations."
"Corporate culture provisions may pave the way for challenges to the corporate veil," the firm warned then, "in that they focus attention on the actual process of decision-making and line of authority, rather than to the legal structure of corporate groups." Defense against culture related legal action, then, should focus on making decision-making processes defensible.
People, presumptions, and practices
If ANZ is being advised by Allens in this spirit, then it is likely that its remedial efforts will focus on culture risk governance processes. As with the focus on culture risk policies at Lloyd's, there is some sense in this.
But these two examples illustrate what is perhaps a common approach to 'culture problems.' When troubles arise, remedial efforts look back to policies and processes — what may be considered 'inputs' to risk governance — and leave aside more challenging considerations, like operational 'throughputs.'
Policies and processes are put into effect by people. And, in our experience, firms are rarely sure who in fact these people are.
Formal org charts and 'accountability maps' stipulate those who firms believe to be responsible for effecting policies and running processes. But studies find that those who actually keep the trains running on time populate informal and often invisible collaborative networks: 'the company behind the chart.'
Moreover, once policies and processes are established, leadership often works with unspoken and usually unrecognized presumptions around how they will be put into effect. Presumptions regarding the people involved, as just noted, are one such example. And when problems arise, it is regularly discovered that these presumptions were unfounded, and untested.
Lastly, regardless of policies, processes, people, and presumptions, what ultimately shapes culture-driven outcomes are the day-to-day practices that lead to organizational performance, to include those which are found to be problematic.
The problem with the approach to culture problems at Lloyd's, ANZ and countless other firms is that we cycle from problematic performance back to policy and process, and leave out consideration of the essential bit in between: people, presumptions, and practices. I'll have more to say about that next week.
This piece first appeared in Starling Insights' newsletter on September 22, 2024. If you are interested in receiving our thrice-weekly newsletter, among many other benefits, please consider signing up as a Member of Starling Insights.
Global Conduct Risk & Insights Manager at HSBC
2 months. Good article. For me, Risk culture is difficult to define and measure due to its abstract nature, involving values, behaviours and standards, which results in various interpretations. This article from 2021 was quite good on the quant element: https://bankunderground.co.uk/2021/05/19/quantifying-culture-and-its-implications-for-bank-riskiness/amp/q