January 22, 2018

Risk Culture & Governance: A Transformational Leadership Model for Banks

Risk management in banking has been transformed over the past decade, largely in response to regulations that have emerged from the global financial crisis. The result is that nearly all major financial institutions have for some time been working to strengthen their risk governance practices and risk culture.
In this environment, the term risk governance means the board and management oversight of risk and risk management and the risk policies, processes, and practices that govern and support sound risk-taking. Banks have endeavoured to enable their organisations to respond to new regulatory demands and increased scrutiny of risk governance, risk management, and operating cultures.
Additionally, their leaders have been re-defining and designing their governance system, shaping the risk culture that their institution requires, and transforming the way risk is managed across the organisation.
McKinsey & Company has identified six trends that are shaping the role of the risk function and governance of the future.
  • Regulation will continue to broaden and deepen. Much of the impetus comes from public sentiment, which is ever less tolerant of bank failures and the use of public money to salvage them.
  • Customer expectations are rising in line with changing technology. Technological innovation has provided a new set of competitors: financial-technology companies, or ‘fintechs’. They take over the direct customer relationship and tap into the most lucrative part of the value chain – origination and sales.
  • Technology and advanced analytics are evolving, enabling new risk-management techniques and helping the risk function make better risk decisions at a lower cost.
  • New risks are emerging, such as model risk, cybersecurity risk and financial contagion risk.
  • The risk function can remove biases – decisions guided by conscious or unconscious biases.
  • The pressure for cost savings. These are likely to be accomplished by simplification, standardisation, automation and digitisation.
“Risk culture determines the way in which any organisation identifies, understands, discusses and acts on the risks it collectively confronts and takes.”
The Institute of Risk Management describes risk culture as ‘… describing the values, beliefs, knowledge, attitudes and understanding about risk shared by a group of people with a common purpose. Risk culture focuses on social, motivational, and real-time pressures, and applies to all organisations, including private companies, public bodies, governments and not-for-profits’. Effectively, risk culture determines the way in which any organisation identifies, understands, discusses and acts on the risks it collectively confronts and takes.
Any financial organisation has certain values, beliefs, and behaviours it expects and elicits in employees and other stakeholders with regard to risk-related decisions. A strong risk culture in an organisation means that employees know the boundaries within which they and the organisation can operate. They will be motivated by their perceptions of management’s goals. If the risk culture is effective, it enables and rewards them for taking the right risks in an informed manner.
Risk culture varies among institutions. Some banks will select strategies and goals that are naturally riskier or less risky. Given the range of customer needs and paths to creating value, this is to be expected. However, every type of risk culture is shaped by its leaders’ decisions and actions, reinforced by business and organisational systems, and upheld by employee conduct.


What is risk transformation?
One commonly accepted definition is ‘a change programme that improves an organisation’s financial service risk management’. It expands the traditional view of risk.
Risk transformation can enable an organisation to elevate its risk management procedures to a level that infuses the whole organisation. This means embedding risk management in the daily activities of employees in order to align the conduct and practices of the business and of risk management with the business’s strategies. Risk awareness and proper risk-related skills become every individual’s responsibility, no matter what their level of responsibility within the organisation. They are then able to better recognise threats and opportunities associated with social media, cloud computing, cyber, outsourcing strategies, market initiatives, and other developments.
In the current economic, business, and regulatory environment, with a new president in the United States, Brexit, EU, China and other issues risk transformation should be a higher priority than ever. Risk transformation should be seen as an opportunity to strengthen not only the management and governance of risk, but also the management of capital and operations and the supporting IT infrastructure.
Financial institutions constantly evolve to meet the demand created by various drivers within the banking industry. The following drivers may lead to a financial institution re-evaluating its methods of operation and considering risk transformation:
  • Changing customer needs
  • New growth opportunities
  • New operating models
  • Competitors
  • Improved efficiencies
  • Rising costs
  • Performance pressures
  • Changes in technology
  • Industry and regulatory requirements
  • Unpredictable market environment
  • Need for innovation
  • Need for alignment with industry
  • Resistance to change
In order to begin a successful transformation, a clear understanding is needed of how the transformation will support the organisation’s strategic vision and business outcomes.
Deloitte identifies four basic fundamentals of risk transformation which will help to determine a bank’s approach to risk. These fundamentals should underscore and stimulate senior-level discussions regarding risk management, risk governance, and regulatory compliance.
Strategy – putting the organisational vision and mission into action.
Governance and culture – ensuring that strategies are effected appropriately and in alignment with risk and business strategies.
Business and operating model – defining the economic relationships between the organisation and others, and structuring the ways in which activities are carried out with the stakeholders.
Data, analytics and technology – determining the key data for addressing risk management needs and overseeing development of a data management and sourcing strategy to address those needs.
Organisations have varying needs. When responded to appropriately, risk management becomes an integral part of the daily responsibilities of the trader, loan officer, underwriter, portfolio manager, claims manager, HR professional, IT specialist, and all other personnel.
“Financial organisations need a transformative approach to address strategic risks.”
Financial organisations need a transformative approach to address strategic risks. This means finding an integrated, sustainable, strategic response. Deloitte has developed the following three-step approach to scanning, discovering, and preparing for strategic risks:
Employ analytics and human capabilities to identify potential risks and gauge potential outcomes.
Monitor the environment and interpret the signals.
Identify responses that will mitigate impacts or exploit risks for
It is possible for an organisation to drive change in its risk culture. This requires a clear understanding of the current culture and the desired ‘target’ culture. It requires recognition that this is a major change programme and requires discipline to see it through.
Successful change ultimately means the board and the executive management are aware that they are an integral part of the existing risk culture. Sustained change in the risk culture must start at the top and may require a reappraisal of approaches consistent with bringing a greater diversity of thinking into the boardroom.
The Institute of Risk Management has devised a list of ten questions a board should ask itself.
  1. What tone do we set from the top? Are we providing consistent, coherent, sustained and visible leadership in terms of how we expect our people to behave and respond when dealing with risk?
  2. How do we establish sufficiently clear accountabilities for those managing risks and hold them to their accountabilities?
  3. What risks does our current corporate culture create for the organisation, and what risk culture is needed to ensure achievement of our corporate goals? Can people talk openly without fear of consequences or being ignored?
  4. How do we acknowledge and live our stated corporate values when addressing and resolving risk dilemmas? Do we regularly discuss issues in these terms and has it influenced our decisions?
  5. How do the organisation’s structure, processes and reward systems support or detract from the development of our desired risk culture?
  6. How do we actively seek out information on risk events and near misses – both ours and those of others – and ensure key lessons are learnt? Do we have sufficient organisational humility to look at ourselves from the perspective of stakeholders and not just assume we’re getting it right?
  7. How do we respond to whistleblowers and others raising genuine concerns? When was the last time this happened?
  8. How do we reward and encourage appropriate risk-taking behaviours and challenge unbalanced risk behaviours (either overly risk averse or risk seeking)?
  9. How do we satisfy ourselves that new joiners will quickly absorb our desired cultural values and that established staff continue to demonstrate attitudes and behaviours consistent with our expectations?
  10. How do we support learning and development associated with raising awareness and competence in managing risk at all levels? What training have we as a board had in risk?
Banks must now concentrate on building a strong risk-management culture. Real risk transformation can enhance the organisation’s ability to put business strategies into operation and to achieve goals while addressing risks and complying with evolving regulations. The detection, assessment, and mitigation of risk need to become part of the daily job of all bank employees and not only those in risk functions.

Felicity Cooper, General Manager of Technology Risk and Enterprise Services, Commonwealth Bank
Felicity Cooper is an expert in risk management solutions – acting as General Manager responsible for Line 1 Technology Risk across Enterprise Services since May 2016, and as Head of Technology Risk, Retail and Wealth, at the Commonwealth Bank (CBA) for the last four years.
As a board member for WIT (Women in IT) Ms Cooper established the City Series breakfast program for women in leadership in IT in QLD, including engaging high profile speakers to inspire others in becoming positive and courageous leaders like herself.  She was also nominated as a finalist for the 2017 Financial Services Executive of the Year Award.
You can follow her on LinkedIn here >

Where can I get more information?

Want to know more? Then don’t hesitate to get in touch with us >
Be informed of the latest industry news, key updates and our product and version releases, by following us on LinkedInFacebook, and Twitter. You can also get them delivered straight to your mailbox here.