Crafting a Successful Risk Management Culture

Much has been done in recent years to improve risk management at financial institutions, but more remains to be achieved. Risk management has not matured across the industry to the degree many experts had anticipated – in spite of huge investments – and its future remains unclear.¹ As evidence, there are two questions that bank chief risk officers and regulators ask us repeatedly:

1. How can we provide effective integrated risk training throughout our institution?
2. How can we measure institutional progress toward an optimal risk management regime?

As we have worked to answer these questions, it has become apparent that firms cannot accomplish one in a truly optimal way without the other. That is, to be effective, risk training has to take place within a holistic, measurable change management construct. Conversely, measuring institutional progress means little if employees are not held accountable for modifying their risk behaviors post-training.

What is optimal risk management, and are we there yet?

Risk management can be defined as the “identification, analysis, assessment, control, and avoidance, minimization, or elimination of unacceptable risks.”² Optimizing risk management simply means minimizing losses and protecting investors’ and depositors’ capital while allowing an institution to grow and achieve target profitability.

Since the Lehman Brothers bankruptcy in September 2008, risk management has been the catch phrase of governments and the financial services industry. Regulations upon regulations have been passed, requiring ever more focused and comprehensive risk management activities, and billions of dollars have been spent by institutions globally to meet those requirements. Organizational changes designed to address risk management have been myriad, perhaps best exemplified in the increase in the percentage of banks having chief risk officers, many of whom now report directly to boards of directors.³

Many institutions can show that risk management practices have improved as a result of all the attention and expenditure. And yet, with all that has been done, successful risk management still depends on individual employees behaving in ways that minimize risks and losses. Institutional management, however, is finding it difficult to train employees sufficiently and steer their behaviors. Few institutions know exactly where they are in the process of improving employee behavior – in other words, they do not have an objective, measurable handle on their progress in implementing effective, integrated, and adaptable risk management regimes (and, for their part, most regulators do not know how to measure that progress in the organizations they oversee).

More succinctly, in spite of the money spent to improve risk culture and practices, a risk management regime is not broadly effective unless all employees are aware of it and doing their part to make it happen every day. And unless institutions frame and measure their progress, risk management will not be the formal process they desire going forward.

The role of people: Why upgrading systems is not enough

New and improved systems, protocols, and data handling are all critical to improving risk management across an organization. The move to enterprise risk management has been extremely useful in identifying, managing, and mitigating risks. Many institutions still have a ways to go to optimize their systems, but the industry as a whole has made great strides.

Systems and protocols and data are never enough, however. The best systems, used poorly or insufficiently, do little to fight risk. For example, we have clients who use our RiskAnalyst™ spreading and analysis solution purely to provide consistently formatted balance sheets and income statements to go into borrower files. These banks do not generate any of the numerous analytical reports available in the system, and, therefore, do not accrue the risk-identification benefits they provide. Still, others produce the analytical reports but do not require loan officers to comment on them or address them in their credit writeups. And others do not use the system’s valuable projection capabilities, depriving themselves of the essential insights and analytical discipline that forecasting can provide about a borrower’s ongoing ability to service debt. The failure to use these tools or the rich data they provide unavoidably increases credit risk, right at the frontline employee level.

Ultimately, an institution has to accept that its people must consistently and effectively implement systems and protocols and manage data to optimize risk management. Stated differently, management – with all its controls, money, experience, and motivation – is at the mercy of its staff.

What's more, this dependency increases the farther down you go on the pay scale. A risk unaware clerk can scuttle a bank’s best risk management plans just as surely as a small hole in the hull can sink a formidable ship – hence the case for top-to-bottom integrated risk management and for providing training to all employees so they can participate fully. The best institutions are taking this theme a step further: They see every employee as a risk manager, not just as someone who does a job and hopefully does not cause too much damage along the way.

How to drive and sustain improving risk performance

How can upper management transform all employees into risk managers, so that their conduct and behavior every day can enhance organizational risk performance? Is it just a matter of training them once? Or does it involve a broader look and a more pliable approach? And is training alone the answer?

Training is crucial, but only providing it once or solely in a formal format is insufficient in a world with dynamic risk. Further, training alone is never the perfect prescription. Indeed, decisions, actions, and improving knowledge at all levels is essential to ongoing, sustainable improvement in risk behavior. Figure 1 provides one way of looking at this multi-tiered approach, along with detailed steps to take at each level.

The three levels shown in Figure 1 – Organization, Social (Team), and Individual – are borrowed from a discipline promulgated by Grenny, McMillan, Switzler, and Patterson, in their book, The Balancing Act: Mastering the Competing Demands of Leadership.⁴ In it, they look at motivation and capacity at all three levels:

1. The individual level
2. The social or team level (the small group of people with whom the individual works every day)
3. The organization level

Figure 1. Multidimensional approach to risk management improvement

Source: Moody’s Analytics, created from information in the book: The Balancing Act: Mastering the Competing Demands of Leadership

The sequence is inverted in Figure 1 simply because an institution’s management is, of necessity, the place where organizational change begins. Management is ultimately responsible for how the organization, its work teams, and its individual employees perform.

That said, any initiative can be either elevated or scuttled at the social level if small teams do not reinforce desired behaviors and hold individuals accountable. And individuals can contribute to either success or failure depending on whether or not they change their behaviors in prescribed ways.

As Figure 1 also shows, different kinds of actions are required at different levels.

Organization

At this level, C-level executives have to first define what an optimal risk culture is and what effective risk management looks like. Additionally, they have to identify the gap between the ideal and their present status. From there, they have to both communicate and demonstrate commitment to the proposition to move the organization forward – and push for that commitment from the board and all other key stakeholders. This commitment takes shape through decisions about the nature, degree, timing, and the implementation of change. From there, management has to add “concreteness” and decide on the necessary actions to take.

One of the first ways to start making meaningful change at the employee level – where it matters most – is by adding risk management responsibilities to job descriptions. This may be a laborious and seemingly trivial step, but it can do more to effect desired behaviors than anything else management can do. There is no better way to get an employee’s attention than to make a certain task a formal part of his or her job.

Once this is done, management will have the means by which it can hold employees accountable for specific risk behaviors; it will also have the foundation for assigning recognition (and even reward) to those who demonstrate exemplary risk performance at any level. Job descriptions also provide a standard and a core structure against which training can be designed and delivered – that is, instead of providing training at just a general level, management can provide training to help employees master and use skills that match up precisely with their required responsibilities. Beyond initial formal training, management should establish an environment in which ongoing learning on both a formal and informal basis will thrive, such that employees have the permission and means to keep themselves up-to-date on best risk practices. Having all of these elements in place constitutes a foundation on which management can make necessary adjustments as risk needs evolve.

Social (team)

At the team level, both mid-level managers and every single employee work together to adopt the direction, protocols, and performance standards set by the organization. More than giving lip service and sharing information, it means supporting one another in carrying out assigned tasks and holding each other accountable for job activities and decisions. Enforcement happens both formally, as lower-level managers hold their employees responsible for their actions, and informally, as colleagues watch out for and remind each other about risk-aware conduct. Finally, teammates form a highly useful pool of individuals who can readily share ideas, recommending adjustments in risk practice both up and down the line.

Individual

Employees, first and foremost, are responsible for being aware of the business in which they work and the general set of risks associated with it. Beyond that, they must be aware of any new formal duties or competencies management requires of them, and do all they can to understand and implement them. This means completing formal risk-related training and then immediately and consistently applying what they have learned on the job. Over time, this process of learning and doing should lead to internalization at the employee level, so that enhanced risk-related tasks become second nature. Critically, because no organization can create, pay for, and deliver formal training on every possible risk practice right at the moment it is needed, individuals must take responsibility for their own professional currency. This means staying abreast of issues and trends in risk and related regulation. Finally, because they constitute the front line of many risk activities, individual employees should adjust their risk behaviors, and communicate the need for, and nature of, changes up to the team and organization levels.

You may wonder why the previous paragraphs focus so much on adjustment. The answer is that requirements, regulations, market dynamics, and customer needs change constantly, increasing complexity and resulting in the demand for ever more rigor. Without building the ability to make adjustments into the risk management regime at every level, you run the risk of spending large sums of money on solutions that become outdated before they’re even fully installed. Lack of nimbleness can stymie even the most concerted investment in money, time, and energy.

The good news is that adjustment can be one of the most organic, least expensive parts of the whole scheme. Simply listening to all parties up and down the organization and providing a means and structure that allows for readily communicating changes are all that is really required, along with constant attentiveness. Building these features into your risk management model will get employees – your most important risk asset – the information they need when they need it, minimizing risks and losses along the way.

Measuring organizational progress

Once you start down the path of creating a formal risk management improvement process, having a mechanism in place for measuring progress is essential, or the whole effort can become abstract, unwieldy, and, ultimately, unsuccessful. The multi-dimensional approach introduced in Figure 1 provides a workable structure for tracking progress, so we’ll stick with that theme. Such a monitoring approach is articulated in the “RiskPulse scorecard” (Figure 2).

The scorecard is a straightforward approach that can be broadened into a far more detailed tracker if desired. In its current form, however, it serves an important purpose – providing a high-level view of key areas in the risk management improvement process.

Very simply, each of the areas in the left-hand column is given a score: 0 (no progress), 1 (in-progress, at an early stage), 2 (in-progress, at a late stage), or 5 (in-place and working). These points are then totaled in the far right-hand column for a comparison to the highest scores possible. There is no industry standard to discuss at this point, but that is not the primary value of the scorecard; its value lies in the ability to track your organization’s performance over time and see which areas need attention. Ideally, scores will rise significantly year-after-year and then remain high. Used in combination with other risk management performance reporting, it can become a useful tool for tracking and measuring progress.

Figure 2. RiskPulse scorecard – measuring progress toward optimal risk performance

Source: Moody's Analytics

The future of successful risk management: What it will look like

Below are 10 observations on what successful risk management should look like in the future. These have been culled and refined from conversations with chief risk offers and those responsible for providing risk-related training to the rank and file in large banks. A top-10 list such as this is a fitting conclusion to this article, because it reflects legitimate risk management aspirations.

The future of successful risk management is:

1. Many more employees better understanding risk, identifying it on the fly, responding to it, and mitigating it – all of this happening in an integrated, intentional way throughout the organization.
2. Declining risks and losses – and everyone in the organization knowing why.
3. Ensuring that everybody has the right data – on time and all the time.
4. Creating, promoting, and maintaining a risk mitigation ecosystem in which every conversation about growth and profits addresses risk, and every conversation about risk addresses growth and profits.
5. Both evolutionary and revolutionary, where the fit survive and the visionary thrive.
6. Employees continuously learning and sharing information, both formally and informally, so that everyone is current, consistent, and persistent in their risk management practices.
7. Improving risk behavior and keeping up with change, entailing not only compliance exercises, but also feedback, accountability, transparency, and adjustment.
8. All employees being risk managers, be they tellers, clerks, relationship managers, credit analysts, underwriters, middle managers, policy setters, or C-level executives.
9. The institution itself becoming a dynamic, self-aware, and adaptive risk managing organism.
10. The future of successful risk management is successful management.

Structured, intentional, and measured progress toward these ends will yield positive results, as will empowering all of an institution’s employees and holding them accountable. Executive commitment and effective processes, supported by an increasingly capable staff that has been both led and listened to, will inevitably result in improving risk outcomes over time.