LSE research explored the dynamics and trade-offs involved in managing risk cultures in financial institutions, shaping how the industry understands approaches to risk-taking and control.
What was the problem?
Financial organisations need to take risks, but if those risks are uncontrolled or reckless, then the damage caused by very large organisations is immense. And so it matters that we understand the cultures that shape approaches to risk-taking and control in organisations, and the trade-offs involved.
The Global Financial Crisis of 2008 to 2009 focused new attention on a perceived culture of reckless risk-taking by financial organisations, especially banks. In response, many institutions and policymakers wanted to develop a consolidated understanding of organisations’ efforts to better understand and act on their risk cultures. The financial crisis also raised questions about the influence of financial regulators and consultants on these organisational conceptions of risk culture, and the capacity for and consequences of consciously measuring, managing, changing, and auditing risk cultures.
What did we do?
To understand how risk cultures operate within financial institutions, Professor Michael Power and Dr Tommaso Palermo, along with Dr Simon Ashby (then at the University of Plymouth, now Vlerick Business School), engaged directly with the key actors in the financial sector charged with operationalising ways to assess, manage, and report on organisational risk cultures.
Between 2012 and 2015, the team conducted field-based research, drawing on observations and interviews alongside surveys and documentation analysis. They conducted interviews with 61 individuals in financial institutions, professional associations, regulatory bodies, and consulting firms. They also used survey questionnaires in some participant organisations to explore relevant aspects of business operations, such as interactions between control functions and revenue-generating teams. Focus group discussions, facilitated by the researchers, allowed them to collect additional data by observing senior managers’ reactions to, and interpretation of, assessments of their organisations’ risk cultures.
From this body of research Power, Ashby, and Palermo developed a framework that concisely models different approaches to risk culture assessment and management and their potential trade-offs. The insights, refined in a 2017 paper, make an important contribution to academic understanding of risk culture, while further research compared risk culture in the financial sector with safety culture in high-risk sectors such the airline industry.
The research showed how good practice entails awareness of the trade-offs inherent in the different approaches to managing risk cultures, rather than being prescriptive about how much risk to take. The research also revealed how firms tend to focus for pragmatic reasons on a few key issues, rather than developing a holistic framework to risk culture assessment. They concentrate, for example, on how to foster revenue-generating units’ respect for risk and compliance functions; the creation of new risk oversight units and capabilities; and dealing with new regulatory entities such as the Financial Conduct Authority.
In addition to documenting different approaches to risk culture assessment and management, the longitudinal field study engagement with different organisations helped the researchers to appreciate how risk culture has become more “auditable” over time, with a shift towards organisations adopting formal toolkits and oversight structures. This has significant managerial implications, since it frames corporate risk culture as something that can be inspected and validated by boards of directors and regulators, despite initial scepticism about formal diagnostic toolkits and measurable performance indicators.
The research team used these insights to develop a suite of “smart questions” about risk culture for companies to use either as a stand-alone set or as a follow-up to diagnostic tools such as surveys. The answers to these “smart questions” are specific and targeted, raising awareness about key cultural hotspots to address, but together they provide a useful snapshot of organisational risk culture.
What happened?
These insights on risk cultures have influenced how financial services organisations around the world understand their own practices. Although the aim was not to develop a new tool to measure risk culture, it has supported industry efforts to do so.
The initial report was shared widely among financial organisations, including banks, insurance companies, and industry regulators. It has, along with subsequent publications, become a reference point in the risk culture debate within the sector. Its reach is evident in the wide range of regulators, professional bodies, and advisory firms that cite it in policy and guidance documents and in the invitations the researchers have received to present their evidence to senior staff in regulatory authorities, along with professional bodies, banks, and within academia.
The research has informed new industry guidance aimed at improving understanding, monitoring, and development of risk cultures. In 2014, the Financial Stability Board (FSB), an international body that monitors and makes recommendations about the global financial system, cited the research in their report on assessing risk culture. This new guidance was intended to help supervisors assess the soundness and efficacy of a financial institution’s risk culture. As with other FSB publications, its intended users are the financial institutions of the world’s largest economies, international financial institutions, and international standard-setting organisations. The FSB report has become a central reference point for corporate and regulatory initiatives on risk culture.
Professor Power and Dr Palermo’s work has also been cited in several other policy and guidance documents, such as ones published by the CRO Forum, a group of Chief Risk Officers from multinational insurance companies; the Chartered Institute of Internal Auditors (CIIA); and the Australian Prudential Regulation Authority (APRA), an independent statutory authority supervising banking, insurance, and superannuation institutions.
The collaborative nature of the research has also helped to deliver direct impacts within participating organisations, and organisations that have contacted the research team subsequently to learn about the report findings and to share the results of their own internal risk culture workstreams. One indicative example is a major insurance company, which contacted the researchers in September 2017 leading to an ongoing collaboration with direct impact on corporate practice. Dr Palermo worked with senior members of the company’s internal audit function to develop and refine its method of assessing risk and control culture as part of the audit process.