Risk Culture: Measuring the Qualitative
Jane Walshe
Head of Compliance Curriculum, Moody's Analytics & Director, Compass Compliance
4th November 2015
Agenda
» What do regulators mean when they talk about ‘culture’?
» Risk Culture: good and bad
» Identification, measurement and mitigation
What is Culture?
What do regulators mean when they talk about "culture"?
» The global drive towards good conduct
» Fair customer outcomes
» Market integrity
Financial Stability Board
» Tone from the top: A firm's leadership should promote, monitor and assess risk culture, consider its impact on safety and soundness and make changes where necessary. Board and senior management should make clear that staff are expected to act with integrity; non-compliance within or outside the organization should be promptly escalated.
» Accountability: Relevant employees at all levels understand the core values of the institution and its approach to risk, are capable of performing their prescribed roles, and are aware that they are held accountable for their actions in relation to the institution's risk-taking behavior. Staff acceptance of risk-related goals and related values is essential.
» Effective communication and challenge: A sound risk culture promotes an environment of open communication and effective challenge in which decision-making processes encourage a range of views; allow for testing of current practices; stimulate a positive, critical attitude among employees; and promote an environment of open and constructive engagement.
» Incentives: Performance and talent management encourage and reinforce maintenance of the financial institution's desired risk management behavior. Financial and non-financial incentives support the core values and risk culture at all levels of the institution.
Conduct Regulation
'the lessons of the last few years illustrate clearly that
firms need to take proactive steps to improve conduct.
Without a firm foundation in identifying the conduct risks
inherent in your businesses, it will be hard to manage
conduct, let alone show us and others that it is being
managed.
We know that most firms now understand the value in getting it right and
not simply the cost of getting it wrong, and the benefit of good conduct in
terms of building customer trust and analyst confidence. However, there
is a long way to go, and it will not happen by regulatory osmosis. Firms
and individuals need to take responsibility for their own actions.'
Tracy McDermott, acting CEO of the FCA, July 2015, Wholesale Conduct Risk
5 Conduct Questions for Firms
1. How are the conduct risks inherent within the business identified?
2. Who is responsible for managing the conduct of the business?
3. What support mechanisms does the business have to enable people
to improve the conduct of their business or function?
4. How do the board and executive committees gain oversight of the
conduct of the organisation?
5. Finally, do firms have any perverse incentives or other activities that
may undermine any strategies put in place to answer the first four
questions?
Tracy McDermott, July 2015
How the FCA Assesses Conduct
» Having a culture which puts customers and market integrity at the heart of the firm's business is an important component of conduct risk.
» No specific definition: the FCA said it will be assessed by "joining the dots", looking at:
» how a firm responds to, and deals with, regulatory issues;
» what customers are actually experiencing when they buy a product or service from front-line staff;
» how a firm runs its product approval process and what factors it takes into account;
» the manner in which decisions are made or escalated;
» the behaviour of that firm in certain markets; and even
» the remuneration structures.
Evaluating a Firm's Risk Culture
» Is there a conduct risk management culture at all levels of the business?
» Are staff comfortable questioning existing practices and suggesting more effective ways of doing things?
» Are there clear reporting lines?
» Are managers authorized to identify opportunities that reinforce, and issues that destabilize, their risk appetite?
» Do managers feel they can raise risk-related issues?
» Do staff feel that they can raise risk-related issues?
» Are managers' ideas supported?
» Do they feel that concerns raised will be considered and/or acted upon?
» Is conduct risk management part of the established way of planning and executing departmental activities?
» Do existing monitoring and reporting systems ensure that action will be taken when issues are raised?
» Can the board demonstrate an effective "tone at the top"?
Warning Signs on Risk Control & Culture I
Effectiveness of the Risk Management and Internal Control System
» Managers who might not see the need for the more formal processes that the board needs if its oversight is to be effective
» Unclear lines of accountability
» Defective internal communication flows
» Mechanical and static processes
» Organizational complexity
» Risks associated with major transactions or projects not adequately assessed or discussed at board level
Warning Signs on Risk Control & Culture II
The Right Culture
» A culture where people are reluctant to admit mistakes and do not welcome challenge
» Failure to communicate a consistent attitude to risk and mitigation
» Inability to assess if employees are listening to or understanding what the board is saying
» Senior management does not give a clear lead on risk management nor visibly support the risk and internal audit functions
» Misaligned incentives that encourage either inappropriate risk-taking or excessive risk aversion
» Risk managers and internal auditors are prevented from addressing risks emanating from the upper echelons of the company
» An inability to stop bad projects once they have gathered momentum
» Significant regulatory problems
Warning Signs on Risk Control & Culture III
Effectiveness of the Board and Committees
» Insufficient breadth of experience and expertise in the board or board committee
» Delegating too much responsibility to board committees so that some directors are not involved
» Lack of clarity about which board committee is responsible for ensuring reward schemes reflect the company's approach to risk
» Non-executive directors are not getting out and about enough to really understand the business and its people
» Board papers and processes that cause time to be used unproductively
» A lack of understanding of the risks inherent in the company's business model
Poor Culture in Practice
Three Lines of Defence to Address IT Risk – Failings

FIRST LINE: Technology Services Risk
Responsible for identifying and managing IT risk across the Banks. Challenged by the Second Line.
FAILED TO devote sufficient time and attention to specific risk management activity, instead reporting risk upward to obtain "sign-off" rather than understanding and managing IT risk,
AND
» Did not take the initiative to identify risks, instead reacting and responding to incidents
» Had limited IT skills

SECOND LINE: Business Services Risk
Responsible for challenging the First Line.
FAILED TO appropriately challenge the completeness and depth of the First Line of Defence's coverage of IT risk
» Did not understand the breadth and depth of its work because it concentrated on collating and reporting of risk information
» Did not focus enough on understanding IT risk, instead focusing too much on systems and processes

THIRD LINE: Group Internal Audit
Independent assessment & review of IT risks, including IT infrastructure and systems risks.
FAILED TO explain its different view of IT Risk to the First and Second Lines of Defence
» Did not close IT audit issues in a timely fashion; instead it brought forward incomplete IT audit plans from previous years
» Did not explain in its final audit report that it had lacked the documentation it needed to test fully the controls for backing out the batch scheduler software

WEAKNESSES IN COMMUNICATION BETWEEN ALL THREE LINES
Had a culture of reacting to events, and a team with insufficient experience and skills
Tone from the Top, Middle and Bottom
“Ultimately this is also about creating what we sometimes
call a culture of appropriate escalation, where people can
speak up when they observe poor behaviour or are
unsure about what to do. Too often people are unwilling
to do this, or are penalised if they do.”
Tracy McDermott,
July 2015
Tone from the Top, Middle and Bottom
"is for the boards of banks to take responsibility for how the business delivers within this regulatory framework.
And it is, more subtly, the responsibility of the board to influence the culture of the whole business – the famous "tone from the top" – AND to take responsibility for making sure that this is both understood and acted on in all parts of the business, from the committed top, through the middle and right across the front line.
Moving from "tone at the top" through "action in the middle".
By the middle, I mean those hard to reach parts, which are found in any business, not just banking, where messages get lost, communication falters, and "tone from the top" can seem utterly remote from what people are actually doing."
BSB chair Dame Colette Bowe, June 2015
© 2015 Moody’s Analytics, Inc. and/or its licensors and affiliates (collectively, “MOODY’S”). All rights reserved.