- SUPERVISION NEWSLETTER
Strong risk culture — sound banks
15 February 2023
Risk culture is a set of norms, attitudes and behaviours related to awareness, management and controls of risks in a bank. It shapes management’s and employees’ day-to-day decisions and has an impact on the risks they take.
Weaknesses in risk culture may signal problems in the future, such as financial losses or misconduct. Conversely, a bank’s strong financial position could be misleading if there is an underlying problem with culture and conduct. Therefore, even in periods of solid financial health, strong risk culture can be essential in preventing future losses which could damage the reputation of a bank.
This is why supervisors thoroughly examine this risk area based on the European Banking Authority’s guidelines on governance. It is each bank’s responsibility to define and shape its own risk culture. In turn, it is the supervisor’s role to assess the dimensions of this risk culture.
Dimensions of risk culture
It is challenging to observe and measure risk culture because it comprises many qualitative elements. However, supervisors have specific tools to examine underlying and more salient factors which may contribute to risk culture. These tools include interviews with board members and business line representatives, sitting in on board meetings, fit and proper assessments, examining documentation like policies, minutes or reports and on-site inspections.
While there are many components of risk culture, this article focusses on three key dimensions: the tone from the top, incentive policies, and risk accountability and ownership.
The observations and sound practices identified here are based on extensive supervisory reviews over the past few years, including bank-specific deep-dives and horizontal analyses.
One of the main duties of banks’ management bodies is to establish an appropriate “tone from the top”, as this plays a crucial role in holding individuals accountable for prudent risk-taking. To set the right tone, the management body needs to collectively possess the relevant skills and expertise, be of good repute, consider diverse viewpoints in discussions and be able to constructively challenge senior management.
Evidence shows that banks need to improve the capacity to challenge board members on the decisions they make in areas related to risk culture. A limited challenging capacity may also hinder follow-up on findings flagged by control functions and supervisors. Moreover, several banks’ management bodies do not explicitly oversee culture or effectively cascade culture and ethical standards to all levels throughout the bank. However, some banks have developed good practices to strengthen the effectiveness of oversight. One such example is firms that have established a rigorous framework for monitoring internal culture and conduct, including full transparency through a dashboard. This allows monitoring of how risk culture is embedded within the bank through indicators to gauge how the code of conduct is implemented across the organisation.
Remuneration schemes are another key dimension of risk culture. These are often based on key performance indicators (KPIs) that determine variable remuneration and should ensure behaviours are properly aligned with prudent risk-taking. However, KPIs are not always clear and transparent. In many instances they rely excessively on financial performance as compared with risk, control and key cultural and behavioural aspects. Surprisingly, this also holds true for employees in internal control functions and even for chief risk officers. Supervisors have also observed weaknesses in KPIs’ alignment with risk appetite, in processes and controls around variable remuneration and in the application of malus and clawback clauses in case of excessive risk taking or misconduct. There is generally room for improvement in this area, which calls for supervisory attention.
A third dimension of sound governance and risk culture is risk accountability and ownership. Some banks do not clearly allocate roles and responsibilities for risk and control-related tasks. Others have risk management and compliance functions, which do not sufficiently challenge business lines or are at times overruled by them. These functions may also have insufficient resources, stature, and practical impact which therefore calls into question their standing within the organisation.
A well-developed risk appetite framework, supported by effective processes deployed across the bank is the cornerstone of a sound risk culture, because it ensures that the risks taken are within a set of acceptable boundaries.
That is why ECB Banking Supervision will continue to assess banks’ progress in improving risk culture through peer benchmarking, sharing good practices and ongoing industry dialogue, with appropriate supervisory escalation where key weaknesses are identified. Additionally, as part of the supervisory priorities for 2023-25, a targeted analysis will assess the tone from the top as well as the quality of banks’ nomination processes and will feed into the Supervisory Review and Evaluation Process (SREP).