Risk culture in financial institutions has never been more important for their role of supporting steady economic growth. But how do you know good risk culture when you see it? We asked ten of the world’s leading experts what they think the most important signals are. It’s not always what you might think.
The trouble with risk culture is that you see it only when it fails. And even then it can be hard to be sure that the risk culture itself was in some way lacking, or whether it was just plain unlucky. Spotting good – and bad – risk management and risk culture before a crisis hits is even harder. For Crisis Wasted? Leading Risk Managers on Risk Culture, we asked ten global risk managers what they thought the hallmarks of good risk culture are, and what progress has been made since the crisis of 2007-09 to improve it. A revealing, warts-and-all view of how risk management decisions are taken in large financial organisations is the result.
While most agree that a strong risk culture is one that permeates the organisation, the overall verdict is that progress is decidedly mixed. Two questions stand out.
- Chief Risk Officers are commanding more status within organisations, but has this translated into influence and effectiveness?
- It is now commonplace to note the increased emphasis on risk culture, but has this given us better risk management, or just more regulation and longer risk reports?
A corner office does not guarantee good risk culture
The skill of the risk manager is a mix of art and science. Technical competence is a must-have, but so are common sense and street-smarts. John Breit finds that:
“For me it was more about who’s making money, and why is he is making money, and can he explain to me in an intuitive way how he is making it?”
Yet, much new regulation emphasises risk measurement over risk management. Objective, uniform risk indicators have obvious appeal, but statistics can conceal as much as they reveal. Risk managers generally agree that some quantitative risk reporting is essential, but they also agree that it is only a minor component of the much bigger job of managing risk, and it can even have a negative impact on risk culture. The best risk management practitioners agree that people management, the ‘soft’ skills: behaviour, governance and accountability, are key to good risk management. Sir Michael Hintze is clear:
“The point that I think has been missed is the fact that it is probity, it is to do with behaviour rather than models. And I think there is a transparency point that has been missed.”
But this is exactly the part of the risk management job that is being squeezed out. Worse, reducing risk management to a mechanical operation carries the danger of turning it into a box-ticking exercise – the opposite of any sensible understanding of a good risk culture. When statistics displace common sense, risk managers, despite their status, add less real value and can easily be ignored or even shown the door, for example because they voice disagreement with the firm’s strategy.
Regulatory reporting is not risk management
It is both unsurprising and understandable that investors and taxpayers, who pay the price when things go wrong, demand tighter regulation of risk-taking activities. But more regulation by itself is no panacea, and may even make things worse if it is not properly thought through.
Regulators and supervisors, for their part, do the best they can to guard against the worst outcomes. But with limited resources at their disposal, often the most they can do is to mandate more, and more detailed, risk reports.
Ever more extensive stress tests and longer risk reports are thus the most visible of regulatory reforms; and organisations are duly churning out ever more reams of risk data. But much risk reporting is mandated without thought to who will bear the costs of preparing and collating it, how it will actually be used, or indeed, if it is useful at all. Paul Bostok is sceptical:
“I don’t know how many pages of forms would give you the information that you get from meeting somebody face to face and asking some pertinent questions.”
Regulators, who receive the reports, struggle to keep up and make sense of them, often with resources intended for much more limited responsibilities. Richard Meddings sees this as a real weak link in the system:
“The regulatory world is full of very able people, though I do worry there are not enough of them for the scale, size of the agenda they have in front of them.”
One reason why regulators and supervisors rely so heavily on risk reporting is because they find it hard to quantify, and even harder to aggregate, things like behaviour, governance and accountability.
Meanwhile, organisations are devoting more resources to preparing risk reports, while the costs of doing so are inevitably passed on to consumers and investors in the form of higher bank charges and poorer returns. Worse, fewer resources are available actually to manage risk. This diversion of resources from risk management to reporting has real consequences for the economy, as Adrian Blundell-Wignall points out:
“… real investment and the productivity growth, that is needed to make bonds and equities worth something in 50 years’ time, isn’t happening.”
Risk culture affects regulators too
Regulators are doing the best with the resources they have, but to pretend that this is good enough to avert, or even dampen, the effects of a future crisis is to hold one’s head in the sand.
The evidence points to the need for regulators to deploy soft management skills in tandem with selective, targeted risk statistics and to ask pointy questions. Only by deploying that enlightened mix of art and science can they hope to understand properly the risk profiles of organisations.
The danger is that constructive risk culture gives way to risk reporting, which in turn can easily dissolve into box-ticking. The risk experts we interviewed agree that this does nothing to address the pressing issue of restoring the ability of the financial system to meet its social obligation of facilitating economic growth. Indeed, by engendering a false sense of security, it could be doing quite the opposite.
Frances Cowell is a specialist investment risk consultant working with R-Squared Risk Management in Paris and London. Matthew Levins is a risk consultant who directed risk practices for leading firms such as Commonwealth Bank of Australia and Bankers Trust Australia. More details on their website, www.riskculture.today.