Weekend Reading: Culture Risk v. Risk Culture

By: Stephen J. Scott, Founder & CEO of Starling

Over the last month, I've used my Weekend Reading posts to mount a sustained argument against our current approach to 'culture problems,' in the financial sector and beyond. I've challenged conventional wisdom regarding the means by which we contemplate 'culture audits,' in the audit sector and beyond. I've criticized the reflexive turn to lawyers when culture problems require redress and subsequent ongoing 'monitorship' thereof. And I've questioned why even regulators who have publicly recognized the value of behavioral science, applied in the context of supervision of culture-driven risks, have nevertheless failed to fully embrace the promise of 'behaviorally informed regulation' that they themselves have articulated.

After raising those various and intertwined criticisms, this week, I'd like to begin plotting a way forward.

The end of the 'Endgame'

But first, last week's Big News: "capitulation" on the Basel III 'Endgame' risk capital proposals. Since announcing the intended regulatory capital regime in July 2023, Michael Barr, the Federal Reserve Board's Vice Chair for Supervision, has been at the vanguard among those advancing the proposals. This week, Barr sounded the retreat. "Life often gives one the opportunity to learn and relearn the lesson of humility," he said.

Barr is not alone. "Globally, there is a retreat among the financial system's top cops, who have pared back proposals in response to fervent pushback from the very institutions they oversee," the Financial Times observed. The 'Big Question' going forward, the FT now asks, is whether banks should have higher capital requirements. That debate will no doubt continue to rage, once wounds have been sufficiently licked.

Meanwhile, it is worth asking what the proposed regulatory capital regime sought to achieve in the first place. Different interested parties will answer that question differently, but most will agree that, on the surface at least, the proposals were aimed at offsetting "operational risk" among firms of significant size.

A 'Fact Sheet' issued late last year by the Financial Services Forum — an industry-funded body that opposed the capital proposals — offered the observation that "operational risk capital requirements account for 78% of the total increase in required capital," under the Endgame proposals. Why?

The Basel Committee on Banking Supervision (BCBS) defines operational risk (OpRisk) as: "the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events." OpRisk, that is, refers to risks that don't readily lend themselves to spreadsheet calculus.

In a recent OpEd, I explained that regulators see OpRisk Management Capability as falling within the ambit of their assessment of 'Management Quality,' under the standard 'CAMELS' risk rating system. And in another recent article, former Credit Suisse CRO/CCO Lara Warner and I complained that regulators are trying to assess such OpRisk Management Capability without an established set of metrics by which to do so.

Without an effective means by which to gauge OpRisk Management Capability, regulators have instead sought to throw capital at the problem. "If we can't calculate the risk adequately, then let's just inflate the hell out of the capital cushions," their reasoning seems to have run. But with the failure of their proposed capital regime, perhaps regulators will now look to assess OpRisk more effectively instead?

My Weekend Readings over the last month have sought to illustrate why this is necessary, and overdue, particularly where OpRisk is taken to reflect underlying 'culture problems.'

Checking under the cushions

I'm hardly alone in this view. Many prominent figures within the global regulatory community urged their peers to move away from a myopic focus on capital cushions and instead to ask whether we can't devise some reliable means by which to assess qualitative drivers of operational risk.

In our 2024 Compendium, for instance, former Chair of the European Central Bank (ECB) Supervisory Board, Andrea Enria, argued "across the G20, we should move on from the debate on calibration of capital requirements and focus more on the issue of effective supervision. All the banks that failed during the turmoil of the spring 2023 shared major weaknesses in risk management, internal governance and culture, and the supervisors have not always been able to promptly identify shortcomings and, especially, drive prompt remediation."

International standard-setting bodies, such as the Basel Committee on Banking Supervision (BCBS) and the Financial Stability Board (FSB), are tasked with establishing relevant global best-practices in this direction.

"[T]he goal in the decade ahead must be for banks to improve their risk culture and operational resilience by at least the same margin as they have improved their financial resilience in the decade past," argued Carolyn Rogers, past-BCBS Secretary General, in our 2021 report. "If the last decade of bank supervision was about designing rules that lead to more resilient bank balance sheets, the next will be about designing supervisory tools and strategies that lead to more resilient bank cultures."

In our 2022 report, FSB Chair Klaas Knot reminded us that, "In recent years there has been increasing recognition that governance and culture relating to financial risks cannot be separated from governance and culture of firms' activities considered more broadly." Financial risk and non-financial (or 'operational') risks, that is, are inextricably intertwined. Alas, however, the tools by which we seek to measure and mitigate financial risk do not extend to the measurement and mitigation of non-financial risk.

But that hasn't stopped regulators from trying to make the problem fit their tools. "It is far too easy for many to conclude that additional capital and liquidity are the answer to culture issues," writes former Dubai Financial Services Authority (DFSA) CEO Bryan Stirewalt in our 2024 report. "But increased capital should not permit for a tradeoff that allows bad culture to prosper." We need tools fit for the job.

Here, Stirewalt returns us to questions of 'Management Capability' in connection with OpRisk and other qualitative management challenges, and he points us again to corporate culture as a critical factor in this regard. "No amount of capital or liquidity saves a bank — even a G-SIB — from weak management and poor corporate culture," Stirewalt rightly argued. But what to do about that?

Culture Risk v. Risk Culture

"It is for firms to ensure that their desired culture is consistent with appropriate conduct outcomes, to identify the drivers of behaviour within the firm and control the risks that these drivers create," argued Bank of England Governor Andrew Bailey in 2017, then leading the UK's Financial Conduct Authority.

In a speech entitled "Culture in financial institutions: it's everywhere and nowhere," Bailey went on to describe culture in terms that suggest it to be a matter of effective corporate governance, "the framework of responsibility that oversees the operations of a firm," as Bailey styled it. On this view, culture risk management is subsumed under the implementation of effective risk governance mechanisms.

Bailey made this view explicit: "Cultural outcomes are the product of a wide range of contributory forces," among them, "the structure and effectiveness of management and governance." As such, a firm's culture "emerges in large part from inputs that are [management's] responsibility." To get culture right, we must look to the formal governance inputs by which management structures operations, in turn producing the outcomes that these operations yield, and the corporate culture that governance structures promote.

But what, then, of so-called "risk culture," defined by the ECB as "a set of norms, attitudes and behaviours related to awareness, management and controls of risks in a bank"?

It is the responsibility of a bank "to define and shape its own risk culture," the ECB argues. In turn, "it is the supervisor's role to assess the dimensions of this risk culture." Agreeing with Bailey, the ECB advises that, to conduct such an assessment, we look to a firm's governance mechanisms. (See Table.)

By using the term "dimensions," the ECB appears to be trying to capture a mix of formal governance mechanisms, like "composition of management bodies" and "incentive schemes," as well as more informal dynamics, like "speak-up culture" and the "stature" of risk and control personnel.

Source: "Strong risk culture — sound banks," ECB, 15.FEB.23

The ECB expressly notes that its views regarding risk culture are informed by the European Banking Authority (EBA)'s 2021 "Guidelines on internal governance," which "aim to establish a sound risk culture in institutions." So, internal governance mechanisms set the conditions for culture, the EBA seems to argue.

This is achieved through governance inputs such as "policies, communication and staff training," the EBA instructs. And these should operate to offset "potentially detrimental effects of poorly designed internal governance arrangements on the sound management of risk."

So, in summary, the EBA urges us to turn to good governance mechanisms in order to offset the results of bad governance mechanisms, thus establishing "a sound risk culture in institutions."

But this leaves us in somewhat of a muddle. Do we expect "risk culture" to determine the efficacy of risk governance, or are risk governance mechanisms meant to enforce the desired precepts of risk culture?

In our 2024 Compendium, BCBS Secretary General Neil Esho seems to suggest the latter: "Effective governance, of which risk culture is an important component, has long been recognised as a key driver of effective risk management at the level of regulated financial institutions and in supervisory authorities themselves." Here again, culture is subsumed under governance, viewed as a "component" thereof.

But it's not at all clear that formal governance mechanisms serve to produce the informal "norms, attitudes and behaviours related to awareness, management and controls of risks in a bank" that the ECB describes in its definition of "risk culture." Rather, we might expect such norms to be reflected in an organization's governance mechanisms and practices, and elsewhere, we hear precisely this argument.

In a 2023 speech, Frank Elderson, Vice-Chair of the ECB Supervisory Board, reiterated the view that, "Risk culture is the set of norms, attitudes and behaviours related to the awareness, management and control of risks in a bank." Cultural norms shape governance practices, rather than the other way round.

Indeed, Elderson goes on to argue that risk culture "shapes employees' day-to-day decisions and has an impact on the risks they take." These may, or may not, fall within the confines of established governance protocols. And, so, not only does risk culture precede governance processes, but it also precedes governance practices. As such, Elderson explains, the ECB's recent focus on culture "is a crucial component in our understanding of a bank's risk management and governance."

In its July 2024 "Draft Guide on Governance and Risk Culture," the ECB continues to conflate the terms. "Governance and risk culture are essential features of any well-functioning organisation, having an impact on its structure, culture, and people," the ECB offers. So, governance structures have an impact upon a firm's structures, and its risk culture impacts its culture? Or is it the other way around? Or both? Or neither?

It's just not at all clear. "Since the global financial crisis," the Draft Guide continues, "governance and risk culture have risen to the top of the agenda of regulators and supervisors around the world." Indeed. But we're still unsure what these terms mean, or how they relate to one another, in practical application.

For instance, the ECB says it will test firms for "governance arrangements that effectively foster a sound risk culture at all levels of an institution." So, culture flows from governance. But then it argues that "risk culture relates to a bank's governance and to behavioural and cultural patterns." But how does it relate?

While governance is concerned with "the more formal aspects of risk culture, such as a bank's organisational structure and the procedures, control frameworks and policies that are in place," the ECB seeks to explain, "behavioural and cultural patterns can be found in decision-making, leadership and communication styles." Moreover, "There are different cultural drivers for these behavioural patterns," and "These drivers can also be root causes of a bank's risk culture-related deficiencies."

So, do "behavioural and cultural patterns" precede "formal governance arrangements," or the reverse? And if there are "cultural drivers" of behavioral patterns, and these drivers are behind "culture-related deficiencies," then are we merely saying that poor cultural drivers produce poor cultural outcomes? If so, what redress is called for? Better "formal governance arrangements" that rely on better cultural drivers?

Extending this inquiry, if a firm demonstrates the right "formal governance arrangements" (the "inputs" to which Andrew Bailey points, from whence a firm's culture is said to emerge), then has management done all that is expected of it, and is it thus absolved of blame when misconduct erupts nevertheless?

Conversely, if management takes all reasonable measures (whatever those may be) to establish desired "cultural patterns" (whatever those may be), but risk governance failures regularly result nevertheless, what then? Does this reflect failures of culture? Of governance? Of both? How are we to say?

By now, I imagine, even the friendliest of readers will be exhausted by watching this dog chase its tail. Pity the poor bank board or risk management team that must seek to put this guidance to practical effect.

Some will argue that I'm being pedantic. It's not so complicated: governance and culture are intertwined, each shaping the other in a dynamic fashion. The ECB even provides a picture to illustrate the "link between risk culture components," which may be trying to suggest that formal governance mechanisms and informal "behavioural and cultural patterns" operate through an infinite feedback loop of sorts.

Source: "Draft guide on governance and risk culture," ECB, JULY.24

As it happens, I think this is largely correct. But the ECB’s discussion does not explain how governance shapes culture and behavior, how culture and behavior shape governance, how management is to assure that the two work in a complementary fashion to drive desired outcomes, how this is to be tested for other than watching for failure, or how a successful dynamic is to be established after failure appears.

I don’t mean to pick on the ECB. Their work on the topic is some of the best I’ve seen among their global peers. But the picture we’re left with is blurry. While perhaps somewhat descriptive, it is not diagnostic, and thus fails to instruct us in what is to be done, or how to test that it’s been done sufficiently well.

More work is needed. I’ll be back next weekend to trace a path out of the muddle.

This piece first appeared in Starling Insights' newsletter on September 15, 2024. If you are interested in receiving our thrice-weekly newsletter, among many other benefits, please consider signing up as a Member of Starling Insights.

Horst Simon The Original Risk Culture Builder

Transformational Nonconformist-It is time to Think Differently about Risk. "It didn’t take guts to follow the crowd, that courage and intelligence lay in being willing to be different" Jackie Robinson

2 months ago

No organization can build an effective risk culture whilst hanging on to the dead 3 LoD model, step 1 to success is to bury that dead horse.
