More financial institutions are now evaluating their risk cultures more regularly, a survey by the Risk Management Association (RMA) and Ncontracts has found.
According to RMA, risk cultures encompass messages, policies, behaviors, and other factors that determine how closely an organization’s decisions match its stated strategy, appetite for risk taking, and principles.
However, the survey also found that moving to remote and hybrid work has caused shifts in operating environments and culture that have prompted institutions to revise risk management incentive programs—and could cause shifts in risk culture in the future.
The survey, which involved 57 community, regional, super-regional, money center, and investment banks headquartered in the US and Canada, showed a rise in the number of respondents that evaluate risk culture has been rising steadily. While around half the respondents regularly evaluated their risk culture five years ago, all do so today. This highlights the growing importance of a robust risk culture for organizations of all sizes, especially financial institutions.
Other findings include:
- Two-thirds of respondents evaluate their risk culture annually, with 10% evaluating more frequently, 10% evaluating less frequently, while the rest of the respondents specified other cadences
- Data used to assess risk culture includes loss and global risk rating trends, industry concentration evaluations, employee surveys and listening sessions, timeliness of risk identification, and other risk awareness measures
- The approach to incentivizing positive risk culture activities is related to asset size. Two-thirds of respondents below US$10 billion in assets had no incentive program specifically for risk management, while 72% of those above US$60 billion agreed that “any employee at any level is recognized or incentivized to participate in risk management.”
- The organizations with the most mature approaches to culture and conduct use a consistent methodology to evaluate bank secrecy/anti-money laundering, information security, ID theft, and other programs—and leverage assessments for business decisions and strategic objectives.
According to Ed DeMarco (pictured above), chief administrative officer and general counsel of RMA, huge upheavals and disruptions caused by COVID-19 and the Russia-Ukraine war provide an opportunity for organizations to evaluate their risk cultures.
“Any time you have events that are unexpected and pose major risks, it’s an opportunity for institutions to assess the strength of their risk culture,” DeMarco told Corporate Risk and Insurance. “In risk, we tend to rely on historical data. Events like the pandemic and the war in Ukraine challenge our assumptions and force us to use new datasets to determine risk and build it into decision-making. This provides a great opportunity to debrief and reassess how we identify, assess, and address risk. Involving the whole organization in this discussion leads to an even stronger risk culture. As a result, I would expect these events to actually strengthen organizations’ risk cultures for those institutions that take the time to really think about the impacts on their organization.”
DeMarco also described how organizations with advanced cultures approach risks, especially in today’s volatile environment.
“Organizations with the most mature risk practices assess the entire risk landscape, identify their risk appetite, and monitor residual risk related to all their risk categories in an ongoing fashion,” he said. “They link these frameworks to specific strategic goals for the institution’s employees to promote an understanding of how risks evolve and the impact of those changes on the institution’s goals and objectives. They also regularly re-evaluate their risk culture and goals (66% of respondents in our survey with Ncontracts said they do so annually), cascade risk messages to the organization broadly (only 37% of respondents in the survey said they do this) and implement new tools and techniques to capture baseline results and track trends. One other thing to note, especially in today’s ultra-competitive talent environment, is that they revise recognition and incentive programs to encourage employees across the organization to prioritize risk management and to help retain the risk management group.”