Treading softly yet boldly: how culture drives risk in banks and what supervisors can do about it
Speech by Frank Elderson, Member of the Executive Board of the ECB and Vice-Chair of the Supervisory Board of the ECB, at the 10th Conference on the Banking Union organised by Freshfields Bruckhaus Deringer, the Institute for Law and Finance at Goethe University and the Center for Financial Studies
Frankfurt am Main, 19 September 2023
Thank you for the invitation. I am delighted to be here and I applaud the organisers for bringing together academics, industry professionals and supervisors to discuss governance and culture in the banking sector.
As we have heard from other speakers, governance and culture cover many aspects, including the composition of boards and the responsibilities and qualifications of their members. There are also broader issues, such as the factors that shape a strong culture and the relevance of culture in the current industry environment.
I am speaking to you today in my role as a banking supervisor – as Vice-Chair of the ECB’s Supervisory Board. And I want to talk about the role of the supervisor, which has been subject to some debate recently.
The ECB assesses behaviour and culture in the banks it supervises. This forms an important part of our overall supervisory assessment.
First, I will explain why we look at behaviour and culture in banks. Then I will set out how we do so – what tools we use and what we assess – before discussing some of the challenges and sketching out a possible way forward. I will argue that supervising behaviour and culture in banks is sometimes even more challenging than the traditional focus of banking supervisors – quantitative metrics – but it is all the more important that we rise to this challenge. Because while balance sheets are often scrutinised with a hawk’s eye, it is often culture that whispers the first signs of trouble.
Culture drives behaviour
The starting point for talking about culture in banks is one that we should all agree on – acknowledging that banks are not just edifices of glass and steel, like the skyscrapers here in the centre of Frankfurt.
Nor are they just balance sheets, Common Equity Tier 1 ratios and liquidity buffers.
Rather, banks are complex organisms driven by the sum of their human interactions and decisions.
And it is a bank’s culture that flavours these interactions.
Culture encompasses the collective mindset and the shared set of values that shape the everyday behaviour of a bank’s employees. It is not just a trendy buzzword. It is in the DNA of how a bank functions and how it manages risks.
Behaviour, on the other hand, is the tangible manifestation of this invisible culture. It is directly observable in a way that culture is not. Behaviour is the product of the collective ethos, the sum total of attitudes, norms and practices embraced by the denizens of the banks.
I want to suggest today that culture is often the invisible hand that nudges employees towards either prudent risk management or reckless behaviour. It is the undercurrent that determines whether compliance considerations are seen as mere adornments or as important guiding principles.
A healthy culture can spur innovation, nurture customer relationships and foster employee loyalty. But an imprudent culture can propel institutions towards crises that reverberate through financial history. Behaviour is the tell-tale sign of whether a bank is primed for prudent risk management or careening toward recklessness.
Culture shapes behaviour, and behaviour, in turn, shapes the destiny of financial institutions.
I will shortly explain how supervisors can observe behaviour in order to understand a bank’s culture, and how we can ask banks to address the cultural issues we identify. But first I want to give a few examples of what can happen when things go wrong.
There are several examples of banking scandals that highlight the detrimental effects of certain corporate cultures on the performance and reputation of financial institutions.
First, we have the major shocks of the kind we saw during the global financial crisis. The Lehman Brothers bankruptcy showcased how a culture of risk-taking and overleveraging could have catastrophic consequences. Lehman Brothers had a culture of promoting high-risk investments without sufficient risk management in place, and the ensuing financial crisis had far-reaching effects on the global economy.
There are more recent scandals, too. The LIBOR scandal highlighted a culture of collusion and a lack of transparency within banks, as traders and executives collaborated to manipulate the LIBOR rate for personal gain. There was also the ING money laundering scandal in 2018, where the bank was fined heavily by regulators for failing to prevent money laundering and other illicit financial activities. ING’s lax controls and inadequate customer due diligence were attributed to a culture that did not prioritise compliance and risk management. The scandal prompted changes in management and a renewed focus on strengthening the bank’s culture and controls.
And let’s not forget the banking crises of 2023, involving Silicon Valley Bank (SVB) and Credit Suisse.
The Federal Reserve System’s report into the failure of SVB found that the bank suffered from fundamental managerial weaknesses – its board prioritised short-term profits over effective risk management.
Credit Suisse’s downfall and eventual government-orchestrated takeover by UBS was the culmination of a series of events: the bank was fined by US authorities for helping customers evade taxes; it became the first Swiss bank to face criminal charges for failing to prevent money laundering; and it was fined by UK authorities after it was caught up in a bribery scandal in Mozambique. This underscores how the bank’s culture had a bearing on its ultimate collapse.
So corporate culture clearly influences the performance of financial institutions – this should come as no surprise to those familiar with the academic literature on the topic. Research on culture and performance, from fields such as behavioural economics and organisational psychology, widely acknowledges that there is an influence of culture on organisational performance.
And the industry recognises this, too. Having been dogged by failures of corporate culture, conduct and governance over the last decade, many banks have launched cultural transformation programmes in order to improve their performance. Some have even introduced behavioural risk teams composed of organisational psychologists to investigate the underlying cultural causes of wrongdoing.
As a prudential supervisor, the ECB is responsible for ensuring that banks are safe and sound and that the financial system is stable. Naturally, if behaviour and culture is a cause for prudential concern, it is essential for us to look at it and understand it.
Supervising behaviour and culture
So how, exactly, do we do this?
At the ECB, behaviour and culture is part of our supervision of banks’ internal governance – the way in which a bank is organised and how effectively its management bodies conduct business and manage risk.
This means we look at both the “hardware” of banks’ governance – their policies, management body set-up and composition – and, crucially, at the “software” – how people behave within the governance structures.
Our internal governance assessments lead to concrete and targeted qualitative requirements and recommendations that banks need to follow up on and implement over a certain period of time.
A good example is our recent review of management body effectiveness. Our supervisory teams looked at whether the necessary structural elements of management bodies were in place and at the quality of debate and challenge within those structures. A key element we focused on was the culture of constructive challenge. This is when members of the management bodies engage in critical discussions, ask probing questions and challenge assumptions.
So how do we observe whether constructive challenge is taking place? An important method is boardroom observation. We attend board or committee meetings to silently observe the board’s functioning and the culture of challenge in practice.
For instance, we look at which subjects generate tension, which subjects tend to be neglected, and which board members are the most influential when it comes to taking decisions.
Often, we do not see signs of constructive challenge. One reason for this can be that the CEO or Chair has a dominant role, which dissuades other board members from speaking up. There is a big difference between a CEO asking for diverse perspectives, and one who simply says “Thank you for your attention. I take it that we all agree on the direction of travel I just outlined, so let’s move on to the next item on the agenda.”
In some banks’ boards, we have even observed a culture that discourages board members from speaking up and voicing their opinion.
Another way in which we supervise behaviour and culture is by assessing risk culture in banks. Risk culture is the set of norms, attitudes and behaviours related to the awareness, management and control of risks in a bank. It shapes employees’ day-to-day decisions and has an impact on the risks they take. Our supervisors most often identify signals of weak risk culture during ongoing supervision, when looking at both financial and non-financial risks. But they sometimes identify these signals during on-site inspections, too.
One way in which we assess risk culture is to look at the “tone from the top”, as this plays a crucial role in establishing a culture of prudent risk-taking within the institution. We look at whether board members include the bank’s declared set of values and norms in their decision-making. As part of our assessment, we interview board members or business line representatives to inform our supervisory judgement. In some banks, we observed that the culture set at the top is not sufficiently embedded at middle management and staff level. In other cases, we saw that a lack of emphasis on compliance and risk at the top led to risk considerations being given insufficient priority throughout the organisation.
For a small number of banks we have also recently started piloting some risk culture deep dives which allow us to make a more in-depth assessment.
I believe that this focus on behaviour and culture is a crucial component in our understanding of a bank’s risk management and governance. Without it, we would be at risk of seeing only half the picture. If we only looked at the formal set-up, policies and procedures of governing bodies, we wouldn’t understand the dynamics of the human interactions among the members of these bodies that often determine outcomes. And if we only looked at the bank’s official risk management guidelines, often detailed in lengthy internal handbooks, we would be at risk of missing the crucial element of whether staff are encouraged, incentivised and obliged to take these policies seriously, or whether there is an implicit understanding that these are only “nice to have”.
Some may not yet be convinced that banking supervisors have a role to play in assessing behaviour and culture in banks. I have heard a few different arguments from those who are more sceptical of these supervisory activities, and I would like to take a moment to address them.
The first argument is that, in assessing behaviour and culture, this somehow overextends the mandate of prudential supervision, which should remain focused on ensuring the safety and soundness of the financial system and preserving financial stability. The second is that it is for the bank’s leadership, not supervisors, to set the bank’s culture – and supervisors should not be trying to take the steering wheel away from a bank’s management. The third is that culture is such a vague concept that it’s impossible to understand tangibly enough to supervise, and it would be better for supervisors to focus on monitoring hard metrics like capital and liquidity.
Let me address each one of these in turn.
First, on the question of mandate. Let me be clear that for the ECB, as for other banking supervisors around the world, this is not merely an accessory. It is core to our role as supervisors, as enshrined in international standards, EU law and applicable guidelines.
At the level of international standards, the Basel Committee on Banking Supervision’s Corporate governance principles for banks include a specific principle (Principle 13) on the role of the supervisory authority in assessing corporate governance frameworks. This principle states that supervisors should “endeavour to assess the governance effectiveness of the board and senior management, especially with respect to the risk culture of a bank… This includes consideration of the behavioural dynamic of the board and senior management, such as how the ‘tone at the top’ and the cultural values of the bank are communicated and put into practice”. Moreover, the Basel Committee’s recently revised Core principles for effective banking supervision, which are currently under public consultation, include adjustments to the core principles on corporate governance and on the risk management process that put even greater emphasis on corporate culture and values and risk culture.
At the level of EU law, the Capital Requirements Directive (CRD) requires banks to have robust governance and risk management arrangements in place. Article 98(7) of the CRD stipulates that “The review and evaluation conducted by competent authorities shall include governance arrangements of institutions, their corporate culture and values, and the ability of members of the management body to perform their duties”.
The European Banking Authority’s Guidelines on internal governance, which all EU banks and supervisors should comply with, also include requirements aimed at ensuring that governance arrangements foster a sound risk culture at all levels of an institution, and this is to be assessed by supervisors.
So I think it should be clear that assessing culture in banks is something that we supervisors have been asked to do, both by international standard-setters and by EU legislators.
Second, on the point that supervisors should not seek to take the steering wheel away from a bank’s management. In part I think this criticism stems from a misunderstanding of the objective of our attending meetings of banks’ boards. As I explained a moment ago, our attendance at board meetings is targeted and limited and is aimed at assessing the board’s dynamic and its ability to effectively challenge the management. We have never looked for regular participation, nor are we seeking to influence boards’ decisions. But by attending board meetings we are better able to assess the “behavioural dynamic of the board” and the “tone at the top” in the banks under our direct supervision, which is something we are required to do. Indeed, although it is for banks themselves to define their culture and values, it is the role of the supervisor to assess whether the culture they define is aligned with prudent risk-taking.
Third, on the point that it is difficult for supervisors to measure culture effectively because it is subjective and intangible, it is true that corporate culture is a nebulous entity that resists quantification. However, it is precisely within these nebulae that supervisors can gain key insights. As I already pointed out, while culture is not directly observable, behaviour is. And supervisors can assess behaviour through a combination of qualitative methods, including employee surveys, interviews, and analysing past behaviour and incidents.
But I do want to acknowledge here that assessing behaviour and culture presents particular challenges for supervisors, particularly when compared with the more traditional focus of prudential supervision. It is more subjective and judgement-based than an assessment of whether a bank is meeting its quantitative requirements, for example. This requires different skills, methodologies and approaches.
Fundamentally, though, I believe supervisors need to embrace this challenge.
And it is still a relatively new area – one in which supervisory authorities around the world are experimenting.
People began to give more thought to the supervision of behaviour and culture in the aftermath of the global financial crisis, when supervisory authorities realised that ignoring culture means ignoring a key driver of crises. Let me point out some interesting supervisory approaches taken by other authorities.
De Nederlandsche Bank (DNB) employs organisational psychologists to conduct cultural assessments using surveys, interviews and deep dives to evaluate behavioural drivers and risk culture in financial institutions.
The Australian Prudential Regulation Authority (APRA) mandates risk culture self-assessments, sets risk governance standards and enforces the Banking Executive Accountability Regime (BEAR) to hold senior executives and directors accountable for decisions. APRA has identified ten dimensions of risk culture which also connect to expected behaviours.
Earlier this year, Canada’s Office of the Superintendent of Financial Institutions (OSFI) published a draft guideline on culture and behaviour risk. This guideline expects federally regulated financial institutions in Canada to define and continually enhance a culture aligned with their purpose, strategy, risk management and resilience. It also requires an evaluation of and response to behaviour risks that might affect the institution’s overall soundness.
And the Federal Reserve Bank of New York’s Governance & Culture Reform initiative has been a key platform to raise awareness of governance, culture and behaviour topics and facilitate exchanges among stakeholders.
At the ECB, we are reflecting on how we can further incorporate culture and behavioural patterns into our supervisory approach to governance, and we are looking at how we could continue to enhance our supervisory toolkit and develop our expertise in these areas.
In my view, as banking supervisors trying to understand the impact of behaviour and culture on banks’ soundness, we need to tread softly yet boldly, remain intrusive and forge ahead while acknowledging the complexity of human dynamics. Should we start developing indicators to score and further break down risk culture? Should we start incorporating the insights of organisational psychologists into behavioural assessments like DNB? Should we mandate banks to actively manage the risk of certain corporate cultures like our Canadian and Australian peers? These are only some of the questions we are currently asking ourselves as we review our Guide on governance and risk culture, which we plan to publish at the end of 2024. This Guide will set out in detail our supervisory expectations on governance, risk management and risk culture and will include a set of good practices that we have observed across the industry.
To conclude, the renewed focus on behaviour and culture in supervision is a call for banking supervisors to trade in their monocles for kaleidoscopes and view the complex financial ecosystem from multiple angles. Supervising behaviour and culture signals a shift towards exercising supervisory judgement. It empowers supervisors to probe beyond the numbers, to question often unseen currents that drive behaviour and decisions. Just as a seasoned sailor navigates turbulent seas with skill, supervisors must be equipped to sense the undercurrents of corporate culture that can propel banks towards prosperity or peril.
For a summary of the academic literature and how it relates to financial supervision, see De Nederlandsche Bank (2015), Supervision of Behaviour and Culture – Foundations, practice & future developments.
Oliver Wyman and G30 (2018), Banking Conduct and Culture – A Permanent Mindset Change, November.
Engler, H. and Wood, A. (2020), “How Banks Are Using Behavioral Science to Prevent Scandals”, Harvard Business Review, 28 April.
Basel Committee on Banking Supervision (2015), Corporate governance principles for banks, July.
Basel Committee on Banking Supervision (2023), Core principles for effective banking supervision, July.
Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC (OJ L 176, 27.6.2013, p. 338).
European Banking Authority (2021), Final Report on Guidelines on internal governance under Directive 2013/36/EU, July.
See footnote 1.
APRA (2022), “No room for complacency on bank risk culture”, November.
See “Risk Culture 10 Dimensions” on APRA’s website.
Office of the Superintendent of Financial Institutions (2023), Culture and Behaviour Risk Guideline, February.
See the “Governance & Culture Reform” hub on the Federal Reserve Bank of New York’s website.
On the importance of intrusive supervision, see Good Supervision: Lessons from the Field, IMF working paper 2023/181.