Risk culture is the set of encouraged and acceptable behaviors, discussions, decisions, and attitudes toward taking and managing risks within an institution. It reflects the shared values, goals, practices and reinforcement mechanisms that embed risk into the institution’s decision-making processes and risk management into its operations. (Risk Management Association and Protiviti, The RMA Journal).
Culture is what people do
…repeatedly, when no one’s watching.
Risk culture is reflected in how people in the organization behave and what their attitudes are towards risks and risk taking. Even if limits, policies, risk appetite frameworks, governance structures, whistleblower systems and risk management training are in place, malpractice and negligence can easily take place if the organizational culture does not support adequate risk taking.
The foundation of financial institutions is trust. Since the financial crisis in 2008, public trust in the financial industry has suffered, and the interest of both the general public and the financial industry in compliance, governance and risk culture has been steadily increasing (Google Trends - Interest over time: Risk culture, risk management & compliance).
Regulators have reacted by increasing guidance on risk management and risk culture. To name a few relevant guidelines, the Financial Stability Board has issued a framework for assessing risk culture, and the European Central Bank has issued guidelines on sound remuneration policies and a supervisory statement on governance and risk appetite.
It is evident that risk culture has become a point of interest in the financial industry. Issues in risk management and risk culture bear significant reputational risks and, at their worst, might lead to a significant loss of trust in the financial sector. A sound risk culture cannot prevent all undesirable behavior, but it can reduce both the frequency and impact of losses generated or influenced by unwanted behavior. A sound risk culture will also lead to increased public trust in financial institutions and the financial sector in general.
In order to manage risk culture and be able to steer it, the target risk culture needs to be defined, the current state of risk culture needs to be measured, and the gaps between the target and the current state of risk culture should be defined.
Institutions possessing a clear view of the desired risk culture, and an understanding of how their current risk culture differs from this target, will be better positioned to create and maintain a sound risk culture. Hence, defining and understanding what type of risk culture the organization is pursuing is a crucial first step in managing risk culture. Next, the current risk culture needs to be assessed and measured to understand where the most important improvement areas are and to track the progress of cultural change. Once the gaps between the target culture and the current state have been defined, corrective measures should be designed to lead the transformation towards cultural awareness and the desired cultural change.
The old saying applies well to risk culture: what you can measure, you can manage.