Risk Culture: Measuring the Qualitative
Jane Walshe, Head of Compliance Curriculum, Moody’s Analytics & Director, Compass Compliance
4th November 2015

Agenda
» What do regulators mean when they talk about ‘culture’?
» Risk Culture: good and bad
» Identification, measurement and mitigation

What is Culture?
What do regulators mean when they talk about “culture”?
» The global drive towards good conduct
» Fair customer outcomes
» Market integrity

Financial Stability Board
Tone from the top: A firm's leadership should promote, monitor and assess risk culture, consider its impact on safety and soundness and make changes where necessary. Board and senior management should make clear that staff are expected to act with integrity; non-compliance within or outside the organization should be promptly escalated.
Accountability: Relevant employees at all levels understand the core values of the institution and its approach to risk, are capable of performing their prescribed roles, and are aware that they are held accountable for their actions in relation to the institution's risk-taking behavior. Staff acceptance of risk-related goals and related values is essential.
Effective communication and challenge: A sound risk culture promotes an environment of open communication and effective challenge in which decision-making processes encourage a range of views; allow for testing of current practices; stimulate a positive, critical attitude among employees; and promote an environment of open and constructive engagement.
Incentives: Performance and talent management encourage and reinforce maintenance of the financial institution's desired risk management behavior. Financial and nonfinancial incentives support the core values and risk culture at all levels of the institution.

Conduct Regulation
'The lessons of the last few years illustrate clearly that firms need to take proactive steps to improve conduct.
Without a firm foundation in identifying the conduct risks inherent in your businesses, it will be hard to manage conduct, let alone show us and others that it is being managed. We know that most firms now understand the value in getting it right and not simply the cost of getting it wrong, and the benefit of good conduct in terms of building customer trust and analyst confidence. However, there is a long way to go, and it will not happen by regulatory osmosis. Firms and individuals need to take responsibility for their own actions.'
Tracy McDermott, acting CEO of the FCA, July 2015, Wholesale Conduct Risk

5 Conduct Questions for Firms
1. How are the conduct risks inherent within the business identified?
2. Who is responsible for managing the conduct of the business?
3. What support mechanisms does the business have to enable people to improve the conduct of their business or function?
4. How do the board and executive committees gain oversight of the conduct of the organisation?
5. Finally, do firms have any perverse incentives or other activities that may undermine any strategies put in place to answer the first four questions?
Tracy McDermott, July 2015

How the FCA Assess Conduct
» Having a culture which puts customers and market integrity at the heart of the firm's business is an important component of conduct risk.
» No specific definition: the FCA said it will be assessed by “joining the dots”, looking at:
  » how a firm responds to, and deals with, regulatory issues;
  » what customers are actually experiencing when they buy a product or service from front-line staff;
  » how a firm runs its product approval process and what factors it takes into account;
  » the manner in which decisions are made or escalated;
  » the behaviour of that firm in certain markets; and even
  » the remuneration structures.

Evaluating a Firm’s Risk Culture
» Is there a conduct risk management culture at all levels of the business?
» Are staff comfortable questioning existing practices and suggesting more effective ways of doing things?
» Are there clear reporting lines?
» Are managers authorized to identify opportunities that reinforce, and issues that destabilize, their risk appetite?
» Do managers feel they can raise risk-related issues?
» Do staff feel that they can raise risk-related issues?
» Are managers’ ideas supported?
» Do they feel that concerns raised will be considered and/or acted upon?
» Is conduct risk management part of the established way of planning and executing departmental activities?
» Do existing monitoring and reporting systems ensure that action will be taken when issues are raised?
» Can the board demonstrate an effective “tone at the top”?

Warning Signs on Risk Control & Culture I
Effectiveness of the Risk Management and Internal Control System
» Managers who might not see the need for the more formal processes that the board needs if its oversight is to be effective
» Unclear lines of accountability
» Defective internal communication flows
» Mechanical and static processes
» Organizational complexity
» Risks associated with major transactions or projects not adequately assessed or discussed at board level

Warning Signs on Risk Control & Culture II
The Right Culture
» A culture where people are reluctant to admit mistakes and do not welcome challenge
» Failure to communicate a consistent attitude to risk and mitigation
» Inability to assess if employees are listening to or understanding what the board is saying
» Senior management does not give a clear lead on risk management nor visibly support the risk and internal audit functions
» Misaligned incentives that encourage either inappropriate risk-taking or excessive risk aversion
» Risk managers and internal auditors are prevented from addressing risks emanating from the upper echelons of the company
» An inability to stop bad projects once they have gathered momentum
» Significant regulatory problems

Warning Signs on Risk Control & Culture III
Effectiveness of the Board and Committees
» Insufficient breadth of experience and expertise in the board or board committee
» Delegating too much responsibility to board committees so that some directors are not involved
» Lack of clarity about which board committee is responsible for ensuring reward schemes reflect the company’s approach to risk
» Non-executive directors are not getting out and about enough to really understand the business and its people
» Board papers and processes that cause time to be used unproductively
» A lack of understanding of the risks inherent in the company’s business model

Poor Culture in Practice
Three Lines of Defence to Address IT Risk – Failings

FIRST LINE: Technology Services Risk
Responsible for identifying and managing IT risk across the Banks; challenged by the Second Line.
FAILED TO devote sufficient time and attention to specific risk management activity, instead reporting risk upward to obtain “sign-off” instead of understanding and managing IT risk.
» Did not take the initiative to identify risks, instead reacting and responding to incidents
» Had limited IT skills
» Had a culture of reacting to events, and a team with insufficient experience and skills

SECOND LINE: Business Services Risk
Responsible for challenging the First Line.
FAILED TO appropriately challenge the completeness and depth of the First Line of Defence’s coverage of IT risk.
» Did not understand the breadth and depth of its work because it concentrated on collating and reporting of risk information
» Did not focus enough on understanding IT risk, instead focusing too much on systems and processes

THIRD LINE: Group Internal Audit
Independent assessment & review of IT risks, including IT infrastructure and systems risks.
FAILED TO explain its different view of IT risk to the First and Second Lines of Defence.
» Did not close IT audit issues in a timely fashion; instead it brought forward incomplete IT audit plans from previous years
» Did not explain in its final audit report that it had lacked the documentation it needed to test fully the controls for backing out the batch scheduler software

WEAKNESSES IN COMMUNICATION BETWEEN ALL THREE LINES

Tone from the Top, Middle and Bottom
“Ultimately this is also about creating what we sometimes call a culture of appropriate escalation, where people can speak up when they observe poor behaviour or are unsure about what to do. Too often people are unwilling to do this, or are penalised if they do.”
Tracy McDermott, July 2015

Tone from the Top, Middle and Bottom
“… is for the boards of banks to take responsibility for how the business delivers within this regulatory framework. And it is, more subtly, the responsibility of the board to influence the culture of the whole business – the famous "tone from the top" – AND to take responsibility for making sure that this is both understood and acted on in all parts of the business, from the committed top, through the middle and right across the front line. Moving from "tone at the top" through "action in the middle". By the middle, I mean those hard to reach parts, which are found in any business, not just banking, where messages get lost, communication falters, and "tone from the top" can seem utterly remote from what people are actually doing.”
BSB chair Dame Colette Bowe, June 2015

© 2015 Moody’s Analytics, Inc. and/or its licensors and affiliates (collectively, “MOODY’S”). All rights reserved.