Following the 2008 global financial crisis, official inquires, parliamentary reports and the media frequently focused their attention on the flawed risk cultures of financial institutions. In their research report ”, and subsequent publications, Michael Power (ÐÓ°ÉÂÛ̳), Simon Ashby (Vlerick Business School) and Tommaso Palermo (ÐÓ°ÉÂÛ̳) investigated how these risk cultures operate, evolve, and can be improved.
What is risk culture? Can it be defined, audited, and managed? “Risk culture is a rather amorphous kind of thing”, explains Professor Power. “So if you are suddenly told one day that you’ve got to improve it, many practitioners were scratching their heads and saying what do we do?”
Within one organisation there may be different risk cultures operating, with dynamics that shift over time. Therefore, rather than designing a single model of good practice, or a set of tools for managing risk, Power and colleagues investigated risk culture “from the bottom up”, by engaging with the organisational actors charged with operationalising and reporting on it.
Over several years of observation in the field, the team interviewed numerous key people working within UK financial institutions, mostly involved in managing risk culture change programmes, plus senior managers in the safety department of a large by way of comparison. From this work, they identified common themes from which they developed a framework for understanding the trade-offs that define the boundaries of cultures of risk-taking and control.
The swing towards centralisation and measurement
The researchers identified two broad types of approaches to risk culture change: an “engineered” approach, which relies on formal regulatory structures and external advisers, with highly visible toolkits and documentation; and a more informal or “organic” approach, which emphasises developing networks within the organisation, joining the dots between existing internal practices and ethics-based motivations “to do the right thing”.
In the aftermath of the financial crisis, the researchers found that initially organic, informal approaches to changing culture were often favoured by organisational working groups. However, given increased regulatory demands to demonstrate change, there was then a clear shift towards centralising risk functions, and implementing more formal .
As Power explains: “Over time, organisations and the people we spoke to, found these approaches were less satisfactory to boards and regulators, who wanted proof, measurable proof, that something was being done, and something was being changed. There was this transition from an initial attraction to anthropological approaches to culture and then that drifted away to the harder, measurable end of accounting for culture.”
Managing risk culture trade-offs
These two categories – the “organic” and the “engineered” – are ideal types but they helped the researchers to classify risk culture workstreams in financial organisations, as well as mapping organisational dynamics, such as the shift from informal approaches to more centralised and metrics-centred approaches.
Below this high level categorisation, the researchers also organise their detailed field observations in terms of recurrent tensions or trade-offs, showing how organisations either consciously or unconsciously adopt certain positions within them. For example, organisational actors confront decisions such as: how to balance an ambition for gradual internal change with the use of external advisers and their diagnostic toolkits; how to balance formal organisational arrangements with interactive, inter-personal approaches to risk management and communication; and how to balance a focus on ethical renewal and the re-articulation of mission statements with the use of remuneration and incentives systems as levers over behavioural change.
In so doing, the research shows that risk culture, however operationalised, is not a fixed ideal equilibrium for any organisation. It is inevitably dynamic and changing, subject to many different forces. There are risks and drawbacks to leaning too heavily on .
For example, as Dr Palermo : “If you look at the interactions between your risk function and frontline management, you might have an assumption that a lot of interaction is a good thing, and [this] is something that scores quite high in toolkits provided by advisers, but if you have a lot of interaction that can lead to some problems. You might have a loss of independence of the risk function. You might have too much interaction that might be a problem in terms of achieving a decision.”
To stress how too much interaction might counter-intuitively be a symptom of cultural problems, Palermo draws on the lived experience of one senior manager: “One of our interviewees nicely put it that if you don’t want to make a decision then the best way forward would be to put people in a room and have a meeting, and then you have another meeting, and then you have another meeting…up to a point where people forget what they were supposed to decide and you lose accountability.”
Asking the right questions to provide clarity about trade-offs
Given these trade-offs and tensions, which are inherent in any risk culture, the researchers don’t recommend a single model of risk management. Each approach has its merits and drawbacks. But the research provides a conceptual map of risk culture change programmes that can be useful in highlighting some of the design choices that financial organisations must face.
To improve clarity about these design choices and their challenges, the researchers developed a series of “smart questions” for each set of trade-offs for CROs, CEOs and boards to ask themselves when evaluating their approach to risk. The overarching goal is to help organisations develop a greater awareness of how much risk they are prepared to take, and specifically monitor the trade-offs inherent in any attempt to manage and change risk culture, making explicit decisions about them rather than allowing them simply to happen to the organisation.
“One of the big implications for society is the whole idea of risk awareness, of being fully aware of the risk appetite in organisations,” explains Power. “In other words, how much risk are you prepared to take as an organisation, and what controls are you putting in place to manage that risk? That is a much more mature and explicit discussion.
“We want societies to take risk, that’s how they thrive and develop, but if those risks are uncontrolled or reckless, then the damage caused by very, very large organisations is immense. And so it really matters to society that there are mature risk cultures at the centre of which there is knowledgeable and aware risk-taking. These are not just technical issues that sit in the financial services sector, but this whole question of risk culture is societal wide.”
The authors gratefully acknowledge the financial support of the Economic and Social Research Council (ESRC), the Chartered Insurance Institute (CII), the Chartered Institute of Management Accountants (CIMA) and the Lighthill Risk Network.