Risk Culture doesn’t come from a memo

Nor from a policy, nor from a speech, nor from a mission statement nor a value statement.

Like all of corporate culture, Risk Culture comes from experiences.  Risk Culture comes from experiences with risk.  Corporate Culture is fundamentally the embedded, unspoken assumptions that underlie behaviors and decisions of the management and staff of the firm.  Risk Culture is fundamentally the embedded, unspoken assumptions and beliefs about risk that underlie behaviors and decisions of the management and staff of the firm.

Corporate culture is formed initially when a company is first started.  The new company tries an approach to risk, usually based upon the prior experiences of the first leaders of the firm.  If those approaches are successful, then they become the Risk Culture.  If they are unsuccessful, then the new company often just fails.

In his book, Fooled by Randomness, Nassim Taleb points out that there is a survivor bias involved here.  Some of the companies that survive the early years are managing their risk correctly and some are simply lucky.  Taleb tells the story of mutual fund managers who either beat the market or not each year.  Looking back over 5 years, a fund manager who was one of 30 out of 1000 who beat the market every one of those five years might believe that their performance and therefore their ability was far above average.  However, Taleb points out that if whether a manager beat the market or not each year was determined by a coin toss, statistics tells us to expect 31 to beat the market.

That was for a situation where we assume that the good results were likely 50% of the time.  For risk management, the event that is being managed is often a 1/100 likelihood.  There is a 95% chance of avoiding a 1/100 loss in any five year period, just by showing up with average risk management.  That makes it fairly likely that poor risk management can be easily overcome by just a little bit of luck.

So by the natural process of experience, Risk Culture is formed based upon what worked in the past.

In banks and hedge funds and other financial firms where risk taking is a fundamental part of the business, the Risk Culture often supports those who take risks and win.  Regardless of whether the amount of risk is within limits or tolerances or risk appetite.

You see, all of those ideas (limits, tolerances, appetites) are based upon an opinion about the future.  And the winner just has a different opinion about the future of his/her risk.  The fact that the winner’s opinion proves itself as experience shows that the bad outcome that those worrying risk people said was the future is not the case.  When the winner suddenly makes a bad call (see London Whale), that shows that their ability to see the future better than the risk department’s models may be done.  You see, there are very very few people who can keep the perspective needed to consistently beat the market.  (RISKVIEWS thinks that the fall off might well follow an exponential decay pattern as predicted by statistics!)

The current ideas of a proper Risk Culture (see FSB consultation paper) are doubtless not what most firms set up as their initial response to risk. That paper focuses on four specific aspects of Risk Culture.

  • Tone from the top: The board of directors11 and senior management are the starting point for setting the financial institution’s core values and risk culture, and their behaviour must reflect the values being espoused. As such, the leadership of the institution should systematically develop, monitor, and assess the culture of the financial institution.
  • Accountability: Successful risk management requires employees at all levels to understand the core values of the institutions’ risk culture and its approach to risk, be capable of performing their prescribed roles, and be aware that they are held accountable for their actions in relation to the institution’s risk-taking behaviour. Staff acceptance of risk-related goals and related values is essential.
  • Effective challenge: A sound risk culture promotes an environment of effective challenge in which decision-making processes promote a range of views, allow for testing of current practices, and stimulate a positive, critical attitude among employees and an environment of open and constructive engagement.
  • Incentives: Performance and talent management should encourage and reinforce maintenance of the financial institution’s desired risk management behaviour. Financial and non-financial incentives should support the core values and risk culture at all levels of the financial institution.

(These descriptions are quotes from the paper)

These practices are supported by the Risk Culture for a few very new firms.  As well as a very few other firms (and we will mention why that is in a few paragraphs).  But for at least 80 percent of financial firms, these items, if they are happening, are not at all supported by the Risk Culture.  The true Risk Culture of a successful firm has evolved based upon the original choices of the firm and the decisions and actions taken by the firm that have been successful over the life of the firm.

These aspects of Risk Culture are a part of one of the three layers of culture (see Edgar Schein, The Corporate Culture Survival Guide).  He calls those layers:

  • Artifacts
  • Espoused Values
  • Shared Assumptions

The four aspects of Risk Culture featured by the FSB can all be considered to be “artifacts”.  Those are the outward signs of the culture, but not the whole thing.  Espoused Values are the Memos, policies, speeches, mission and value statements.

Coercion from outside the organization, such as through regulator edict, can force management to change the Espoused Values.  But the real culture will ignore those values.  Those outside edicts can force behaviors, just as prison guards can force prisoners to certain behaviors.  But as soon as the guards are not looking, the existing behavioral standards based upon the shared assumptions will re-emerge.

When the insiders, including top management of an organization, want to change the culture, they are faced with a difficult and arduous task.

That will be the topic of the next post.

Advertisements
Explore posts in the same categories: Enterprise Risk Management, Regulatory Risk, Risk Culture, Risk Learning

Tags: ,

Both comments and pings are currently closed.


%d bloggers like this: