Weekend Reading: Culture Risk Governance (Part 2) — People, Presumptions, and Practices
By: Stephen J. Scott, Founder & CEO of Starling
"Culture is an inherited ethical habit." - Francis Fukuyama, Trust (1995)
Over the past several weeks, I've been highlighting how the banking industry struggles with the muddle that invariably surrounds "non-quantifiable" risk management challenges — and most particularly those that involve the word "culture." I have argued that there is a lack of clarity as to whether officialdom believes a 'good' risk culture to be contingent upon good risk governance, or the reverse.
In last weekend's article, I began to describe how we have charted our own path through the muddle. If you missed that, you might want to check out the discussion, found in full here.
To summarize, when seeking to demonstrate that they have achieved an effective non-financial risk management posture — to regulators, among others — bank risk leaders will most often point to alignment between their internal policies and regulatory expectations for such, before highlighting their detailed implementing processes, operated through robust governance structures and systems of control.
When crisis erupts in the wake of risk management failures, nevertheless, attention invariably returns to policy and process.
But between policies and processes (let's call them 'governance inputs'), and the costly outcomes that are later seen ('performance outputs'), much poorly understood activity takes place ('operational throughputs'). This activity is as essential to the success of risk governance, but because it is less formalized, it is less well recognized.
Contemplated by many in their use of the term 'culture,' these structural if informal governance factors are regularly dismissed as so much "soft stuff." And, as the former Chair of the Australian Prudential Regulation Authority and past Secretary General of the BCBS Wayne Byres has lamented, although increasingly recognized as critical to successful risk governance outputs, examination of these 'cultural' throughputs is habitually consigned to "the 'too hard' basket" — by regulators and supervisors as well as by firm risk leaders.
Because they are regarded as "non-quantifiable," cultural contributors to risk governance outcomes are accepted as being intractable: 'if you can't measure it, you can't manage it.' The implicit policy posture that follows from this is one of flaccid acceptance that critical aspects of risk governance fall outside our ambit of control, however regrettably.
Rather, we expect these to be nudged along through 'soft' tools, like leadership 'tone from the top,' and to be periodically assessed through employee survey instruments with about as much diagnostic validity as that offered by phrenology, now regarded by modern medicine as laughable, despite a long history during which it successfully masqueraded as 'scientific.'
Firms, and their regulators, spend millions of dollars on these proxies for reliable management insight. And thus is their real purpose served: all can demonstrate that expensive efforts were made. The inefficacy of such measures is, of course, acceptable. Because, after all, 'culture' is "non-quantifiable" and known to be inoperable, beyond the now orthodox management and regulatory pantomime.
Too harsh? Consider the evidence: despite several hundred billions of dollars invested in such kabuki theatre, in the 15 years since the GFC, firms have nevertheless been made to disgorge hundreds of billions more in punitive fines, assessed in the wake of perpetual risk management failures attributed to their ongoing 'culture problems.' Nowhere else in banking do we tolerate such negative ROI.
Frustrated, and perhaps embarrassed by their own evident impotence, regulators have turned to the implementation of "individual accountability regimes" in an effort to force firms to come up with effective measures for culture risk governance that regulators themselves have failed to establish. Firms are thus made to pay twice for culture risk governance: once for trying to devise efforts that will satisfy wooly regulatory mandates, and again for failing to do so sufficiently well.
Adding insult to injury, these same culture risk governance failures are equally in evidence among regulators themselves: witness the US Federal Deposit Insurance Corporation (FDIC). And, when pantomime will no longer suffice, they too turn to lawyers, alternatingly tasked either with conducting 'gotcha!' inquiries aimed at assigning culpability (usually among lower-level staff) or with shielding the very senior leaders looked to for culture-setting 'Tone from the Top.'
Amidst this farce, little attention is given to the operational throughputs that ultimately determine whether efforts aimed at culture change take root — the people, presumptions, and practices in the organization.
People
Every process — at least in part — is run or effectively maintained by people. Banks spend a lot of time and money trying to automate their processes to remove the 'human element' where it can be made superfluous, or to ensure they are appropriately staffed with skilled, well-trained employees where that is necessary. But taking a process-centered focus on people is a narrow view that treats people as mere 'human capital' inputs.
In reality, people in large organizations operate in a complex, socially networked environment and one that is poorly captured by standard 'org charts' and 'accountability maps.' Carnegie Mellon University's David Krackhardt has described this as the "company behind the chart" — the system of social networks that represent the informal relationships through which employees engage meaningfully with one another. It is through these often unrecognized yet critical relationships that work is in fact conducted. Ignoring them, we ignore the real operational 'systems' through which all work processes are affected.
To assess an organization's ability to meet its stated risk governance policy goals, we must first treat the "People" component not as an input to processes, but as the throughput layer by which process occurs.
Consider: Michael Arena, in work done at Bank of America, General Motors, and Amazon Web Services (AWS), has shown that highly-integrated social networks in the workplace enable effective communication and collaboration. Across a range of circumstances and against a variety of measures, teams collaborating through more integrated workplace networks produce better results than do siloed teams, operating through more isolated social network "neighborhoods."
Notably, the existence and operation of highly-integrated, high-efficacy networks do not necessarily reflect formal reporting lines or formal teaming structures. Rather, they reflect the force-multiplying power of informal networks. The number of people essential to good process outcomes is far greater than is typically recognized.
Yale University professor Nicholas Christakis has found that behavioral norms are transmitted across social networks, in private and organizational life alike, two and as many as three steps removed from those whom individuals even recognize as forming part of their personal networks. No person, or team, operates in a social vacuum, and no process is conducted absent the social context of the organization. This insight is more important to successful risk management than is immediately obvious.
Starling found this to be essential to the outcomes achieved across the 'Three Lines of Defense' (3LoD) at a major global bank, for instance. Headquartered in London, the bank's risk leaders struggled to demonstrate that executives on its First and Second Lines had a firm understanding of their roles and responsibilities — vis-à-vis one another — and how that ultimately shaped outcomes across risk processes, as observed in the course of the firm's self-assessment audits and in regulatory examinations.
The bank had documented and identified 1,697 employees across its 3LoD who held formally assigned risk management roles, as captured in the firm's GRC system. In the course of identifying and analyzing the trusted peer networks through which those employees affected their risk management responsibilities, however, Starling discovered another 446 employees upon whom those in formal risk roles relied in order to carry out their work. Though unrecognized, this 'informal risk management network' was critical to the success or failure of the firm's operational risk function.
University of Oxford's Robin Dunbar has studied human networks, in both social and work contexts. For our 2022 Compendium, he described how biological limitations impact our ability to manage these trust-based relationships at scale. "We typically devote 40% of our total social time to just five people, and around 60% to just 15 people," he wrote.
If employee behavior is influenced most decisively by their most highly trusted peers and associates, then how much influence do those responsible for designing workplace processes actually have if they reside outside those trust-based peer circles? What about the department head, 5,000 miles away in the home office, for instance, piously promulgating some aspirational 'Tone from the Top'?
Absent an ability to assess these peer influence networks, and how people operate through them, we have a limited view into how work actually gets done. This insight — from the natural sciences — should serve as a wake-up call to those whose work relies on beliefs that prevail in the social sciences, to include those reflected in management science orthodoxies.
According to University of Pennsylvania professor Damon Centola, studying and harnessing these natural social dynamics is essential to effecting lasting organizational change. "My research shows that, as people consider whether to adopt a new belief or behavior, they are guided — much more than anyone realizes — by their social networks," he wrote in our 2021 Compendium.
When organizational leaders can visualize these social networks, however, they can see the connections that tie different groups of employees together — Centola calls them "bridges." Narrow bridges, or ties between individuals who reside in different social circles, serve well to help transmit information across otherwise siloed groups. But it is to wide bridges that we must look for behavior change initiatives. Where many connections exist between two groups, the repeated exposure to broadly witnessed conduct norms that wide bridges afford makes them powerful instruments of sustained operational change.
"Any attempt to coordinate a large and diverse population should be based on establishing wide bridges that both engender and reflect trust between different subgroups," Centola urged, "among different divisions within an organization, across different communities and regions, and between different political constituencies."
Recent research shows that we regularly intuit these "hidden social structures," that those who share social network proximity are likely to share "psychological states," and that common "neural responses" are successful predictors of friendship. Without an appreciation of the social network dynamics at play, efforts to impose new workplace policies and processes, and to ensure that these are enacted as intended, are unlikely to succeed.
Presumptions
If policies are to be enacted with fidelity, after first discovering the people upon whom enabling processes rely, attention must then turn to the presumptions by which management and teams operate. Moving beyond expectations regarding whom we believe responsible for doing what, management presumptions embody a whole range of expectations regarding how this work should be done, by whomsoever.
Such presumptions originate across all management and business functions. Presumptions at work among operational leaders may emphasize speed and sound decision-making, for instance, while those in risk or compliance functions may instead emphasize process gap-analyses and timely knowledge-sharing.
Often, these presumptions are unrecognized, unclear, and even conflicting.
I spent over 20 years conducting internal investigations into corporate fraud and risk management failures of all sorts, on the ground in over 50 countries. In both circumstances — those characterized by specific mal-intent, and those characterized by spectacular cock-ups — effective 'root cause analysis' began with identifying and challenging the operating presumptions by which events were allowed to unfold.
In every instance, those responsible for leadership were either unaware of the presumptions with which they had been working, or unaware just how inaccurate their presumptions in fact were. And yet, after investigating the circumstances that led to disaster and articulating findings, with the benefit of such hindsight, it was 'obvious' why events had unfolded as they did.
Most leaders will acknowledge that humans often operate with some form of 'situational blindness.' But of course it is always someone else who suffers from this malady: rarely is it obvious to those afflicted. Though everything is obvious with hindsight, we are blind to our own situational blindness in the moment. And this is particularly true when judgement — 'management intuition' — is stacked up against hard numbers.
We highlighted this conflict in a 2020 critique of the 3 Lines of Defense model. There, we discussed how short-term profit expectations, tied to quantitative goals, were prioritized over nebulous risk concerns, tied to subjective assessment. "When pressed," we wrote, "such qualitative risk assessments simply cannot compete with quantitative metrics — most particularly, those at the bottom line."
Boeing offers a telling example of what happens when operating presumptions are not clearly recognized. Once a storied paragon of engineering quality, today's Boeing is a corporate felon, providing a cautionary tale of how short-termism may impair long-term performance.
Boeing's senior leadership consistently emphasized safety and quality control in remarks to investors, regulators, employees, and customers — particularly in the aftermath of the two 737-Max disasters in 2018 - 2019. Even so, when a door blew off of another Boeing jet earlier this year, subsequent investigations revealed that Boeing leaders had made it clear to employees that working with speed was paramount.
We may offer Boeing executives the benefit of the doubt — surely, they did not intend for workers to sacrifice quality in order to achieve their speed targets, and it is likely that they presumed these goals would not result in disastrous conflict. That management did not appreciate how their operational presumptions resulted in misalignment is perhaps the greatest causal contributor to current travails.
Practices
Once we understand who relies upon whom to do the work that needs doing, and identify the operating presumptions at play across an organization, then we can start the more difficult task: developing a 'real-time' understanding of the common practices in which employees habitually engage — what they in fact do, rather than what we expect them to do, presume them to do, what they may intend to do, or even what they themselves report their practice norms to be.
An understanding of culture, and the role of inter-peer trust, instructs us in where to begin this task.
"Culture shapes all aspects of human behavior, including economic behavior," political scientist Francis Fukuyama wrote nearly 30 years ago, in his seminal work, Trust: The Social Virtues and the Creation of Prosperity. The ability to associate productively, he explains, turns on "the degree to which communities share norms and values and are able to subordinate individual interests to those of larger groups."
"Trust," in Fukuyama's definition, "is the expectation that arises within a community of regular, honest, and cooperative behavior, based on commonly shared norms, on the part of other members of that community." Trust is present when norms and values are shared. Where one is able to maintain trust with the group, so is one able to maintain belongingness with that group.
Individual belonging is maintained by observing group behavioral norms, and it is the urge to maintain belonging that most profoundly shapes behavior in any organizational context — regardless of any 'Tone from the Top,' and often contrary to formal 'incentive systems' or 'rational' self-interests as understood by orthodox economics.
It is this that determines the practices that prevail among peers. In turn, these practices determine how policies, processes, and presumptions translate into the performance outcomes that people achieve, and the problems that may emerge.
For example, an organization's leaders may presume — and, indeed, their policies may require — that employees speak up when they have concerns, and that managers escalate those concerns when appropriate. They may also put in place processes by which employees and managers are meant to execute that desired behavior. Whistleblower systems, for example.
But despite these well-meaning presumptions on the part of executives, employees may be hesitant to speak up for fear of being retaliated against, as has been reported at Boeing. Or, if employees do speak up, managers may not communicate their concerns upward through the right channels, when doing so may contravene informal behavioral norms that contradict formal proclaimed policy.
In our work at the London-headquartered global bank referenced above, for instance, we analyzed anonymized communications metadata, ignoring message content, to identify communications-related practices as they took place. We could 'see' implicit changes in collaboration which would otherwise be invisible to senior leadership, and then link such changes to adverse outcomes, sometimes months before traditional risk control systems could detect a problem.
Conclusion
Much of risk and compliance is focused on policies, processes and formal risk governance measures. But performance outcomes depend more so on the informal elements of culture risk governance.
Policies and processes indicate aspiration and intent. Problematic performance outcomes are a good indication that these aspirations and intentions went unmet. Revisiting policies and processes, therefore, is unlikely to help us to develop an understanding of why operational inputs failed to deliver desired operational outputs. For this, we need to study operational throughputs: the people, presumptions, and practices by which aspirations and intentions are met — or not.
This diagnostic framework represents a fundamentally different way of approaching risk.
In this model, ownership of risk falls to those responsible for implementing a given policy. Because they own the performance and problems for which their business unit or function is responsible, they must also be expected to recognize and understand how their processes, people, presumptions, and practices deliver on that policy. Hiring lawyers to re-write policies, and consultants to rejigger processes, should be taken as clear indication that leaders have failed to recognize and understand what is truly at issue.
Examples of such failure abound.
This piece first appeared in Starling Insights' newsletter on September 29, 2024.