April 26 - Deputy Comptroller for Operational Risk Carolyn DuChene discussed the importance of a healthy risk culture in banks of all sizes during her speech before the American Bankers Association Risk Management Forum in Baltimore on April 25, 2013. Her speech is below.
Thank you. It’s a pleasure to be here today as part of this ABA program and have the opportunity to speak before so many professionals interested in operational risk, security, governance, and enterprise risk management. I’ve been in bank supervision and regulation for nearly three decades. In that time, I’ve had the opportunity to witness several economic cycles, some of which affected local regions, some of which affected the entire country, and, most recently, the global economy.
During the 1980s, the economic cycle involved the agricultural communities in the midwest and the energy sector in the southwest. In the 1990s it was the commercial and residential real estate booms both in the northeast and California. Most recently, we’ve experienced a financial crisis that has severely tested domestic and international economies. After each crisis, bankers, supervisors, and policy makers try to understand the vulnerabilities that led to the event, rebuild balance sheets, and take stock of lessons learned.
In the aftermath of this most recent crisis, the industry and the regulators have been engaged in important work to understand the causes and to find ways to strengthen the industry and the supervisory process. We have made significant progress. The Dodd-Frank Act will result in structural changes to the industry and the supervisory process—such as stress testing and resolution planning—that should help reduce the potential for a future similarly severe crisis. In addition, Basel III reforms currently underway will materially strengthen the levels of liquidity and capital that banks hold, which will help them weather stressful environments. And many of you here today are doing significant work to enhance risk management systems at your institution. Examples include strengthening the internal control environment, increasing your focus on operational risk management, and enhancing the quality and effectiveness of risk analysis, forecasting and reporting. In addition, many institutions are appropriately revisiting or implementing more granular risk tolerances or exposure limits as a percentage of total capital and cascading them down through the organization to more effectively manage their enterprise-wide risk profile.
But there’s more work to be done. Even in the wake of the crisis there have been some high-profile events that resulted from breakdowns in internal controls and operational processes, and lapses of oversight and control functions—events involving inappropriate sales of products, noncompliance with anti-money laundering laws, and losses from complex hedging and investment strategies. These events have increased the attention and emphasis on the need for effective board and committee oversight. Always—but more so in difficult times and during periods of change—bank directors must be sure that they fully understand the significant risks involved in implementing the institution’s strategic goals. It’s only when directors are appropriately informed that they can pose credible challenges to management’s risk assessments, decisions, execution, and contingency planning.
So as I reflect on all that has transpired—where we’ve been and the lessons we’ve learned—it strikes me that the regulators and the banks are certainly focused on many of the right things. But I wonder if it’s enough? Or are there areas we may need to pay more attention to, so that collectively we can enhance our overall success and perhaps minimize the impact of the next, inevitable, economic downturn?
In fact, I believe that there is one very important area we should be focusing on, and it is what I want to talk with you about today. Because, at the end of the day, no matter how good the controls are, no matter what risk management framework you have in place, no matter how much capital and liquidity you hold, it’s an organization’s risk culture that most determines success in identifying and mitigating risk.
Every organization has a unique risk culture. You might think of it as the organization’s “DNA.” The risk culture consists of the core values that drive business practices and that shape executive decision-making as well as employee actions. Whether you represent a community bank with a rich history of serving its community and weathering decades of economic booms and busts or a large and complex bank with diverse operating environments and broad geographical reach, a strong risk culture is more than formal policies. Risk culture is the navigational beacon by which the board, the officers, and the employees make sound decisions that are aligned with long-term strategy. It is the guiding light that helps each person take prudent actions knowing that he or she owns and is responsible for the results. When that beacon isn’t working, an organization can lose direction and may chart the wrong course, entering markets and introducing new products without appropriate due diligence, or aggressively pursuing earnings and growth at “any cost.” The navigational beacon can also guide appropriate risk taking and actively discourage inappropriate risk taking.
So, what exactly do we mean by risk culture and why is it important? Risk culture is important because it has an incredibly powerful influence on the risk decisions and behaviors at all levels of an organization. An institution’s risk culture has both structural and human elements. It affects the processes that define a risk environment and the expectations of the individuals who are critical to implementing those processes.
The structural elements of that environment include the risk management framework. This framework of organizational structure and reporting lines, policies and procedures, and oversight accountability and reporting can vary greatly in design and complexity from organization to organization. But the framework is there to guide decision-making, provide a means to ensure a proper set of “checks and balances” exists and consistent and desired outcomes are achieved. I think of this framework as the guardrails that keep the car on the road. A strong risk culture has solid guardrails that are thoughtfully placed at the riskiest bends of the road.
There also is a human element that comes into play. Disregard of this human element—and failing to ensure that the institution’s employees understand and embrace the risk culture—can undermine even the most well-designed risk management framework and reduce the likelihood of consistent and desired outcomes. If the car is being driven too fast, or the driver is talking on the phone, if the passengers are distracting instead of helping the driver … well, the car can go off the road and into the ditch despite the presence of guard rails. A strong risk culture creates and continually reinforces expectations for prudent driving behavior.
So what are some of the key components or significant pieces of a risk culture? I will say that I think it is much easier for those inside an organization to see and experience a risk culture than outside observers such as a banking regulator or an external auditor.
But from my perspective and vantage point, I want to highlight a few important elements that I’ve observed about risk cultures over the years. To keep it simple, I am going to highlight just five of them today; and to make them easy to remember, they all begin with the letter “E.”
1. Enterprise: Enterprise represents the structure and complexity of an entity. We know that larger and more complex organizational structures make governance and risk management extremely challenging, but there can be organizational complexity in community banks, too. Complexity can arise because banks may choose to manage risk-taking and decision-making by product lines or separate lines of business without having insight into the cumulative effect of decisions; or they may choose to manage by structural mechanisms tied to geography, failing to recognize concentrations that arise across similar products; or they may create structures purely for tax and legal reasons. Complexity of both legal entity and administrative structures can make it very challenging for risk groups or oversight committees to effectively coordinate and communicate, and to maintain a common, consistent risk culture.
All banks, whether large or small, want to make decisions that protect the entire organization and enhance its reputation. Over the years, we’ve all seen examples in which certain units or divisions within an organization operated with lax oversight or controls, unconventional behavior, or elevated risk taking, while larger and more visible parts of the organization were closely monitored and scrutinized. Was it organizational complexity that allowed the business unit to operate outside of the established boundaries? Or, was there another cause? Which leads me to my second item.
2. Ethics: This is a topic that usually needs little definition or context. Ethics are an important means of establishing organizational values. They are the business standards, or code of conduct, that guide employees in determining what is right or wrong; legal or illegal; and appropriate or inappropriate behavior. The ethics of an organization influence not only what products and services your bank offers; they also determine how your employees treat each other and your customers. Within the organization, ethics also establish what is considered appropriate transparency and collaboration and can affect how individuals communicate freely across business units. Finally, ethics play a role in setting the foundation for relationships and behaviors with other important stakeholders, such as shareholders and banking regulators. To be effective, ethical standards must be clear, comprehensive, well-understood, and consistently reinforced throughout the institution. Which leads to my third point.
3. Education/Expertise: Sound risk cultures don’t just happen. They result from training, reinforcement, and shared objectives. Cultural nurturing also has to be coupled with technical learning and personal development, if employees are to make sound decisions and execute properly. Looking across this large audience today, it is clear that your organizations have supported your attendance at risk forums such as this one to build skills, knowledge, and expertise. In sound risk cultures, a strong ethical foundation and well-developed technical skills are combined with my fourth point.
4. Empowered and Engaged Employees: As a manager, you know you have a sound risk culture when employees understand what risk they own and what it means to own that risk. Whether it is just a little piece here or there, or the entirety of all the risks, employees own the risks when they have a level of authority and empowerment to make risk decisions consistent with the stated mission, strategy, and risk appetite of the organization. In a sound risk culture, risk isn’t owned only by the first line of defense, the line of business that makes the risk-taking decision. It’s also owned by independent risk management professionals, such as many of you in this room today, who have the necessary stature and authority to rein in risk-taking when necessary. You, along with the audit and loan review functions, are the next lines of defense. Empowerment throughout these “lines of defense” is critically important for a safe and sound banking operation—and thus empowerment is a critical component of a bank’s risk culture.
A multitude of business and academic surveys and studies have shown that there is a strong correlation between a highly engaged workforce and strong performance. This means that each and every employee—well trained, ethically grounded, and empowered to own and manage risk—contributes to a strong defense, and to your success. Highly engaged staffs improve customer service, generate more innovation, and advocate more support for their organization.
And the fifth one, which I believe is the most critical element affecting risk culture:
5. Executive Expectations: This is often referred to as the “Tone at the Top.” It involves the clarity and consistency of the communication and actions from executives or senior management of the organization that set expectations for employee behavior. The tone at the top signals and reinforces how employees are expected to behave. It signals how employees are expected to manage, escalate, and communicate risks. Employees watch how executives reinforce or reward expected behavior. They watch and take note of how management responds when employees tell the truth, even when it is bad news.
They observe how management and the board handle lessons learned from bad experiences, and decisions that did not turn out well. When misjudgments are covered up, when legitimate warnings are brushed aside, when no one owns the responsibility for managing risk, the message is unmistakable. Equally unmistakable is the message when these misjudgments and lessons learned are leveraged to reinforce organizational values, strengthen risk management, improve systems and controls, and enhance decision-making practices going forward.
The establishment and cultivation of a risk culture is, in the end, all about good stewardship, and the recognition that a firm and its reputation prosper across the economic cycles when the human element is in sync with the risk management environment.
In closing, regulators and the industry should be paying attention to the influence of a bank’s risk culture on the entire risk equation. Risk culture is an issue that is independent of size. In community banks, it can be the single most important element that guides them through economic cycles. Along with sound risk management and solid well-developed business strategies and capital plans, a healthy risk culture contributes to success. I believe banks that continually improve on these elements have a competitive advantage. Strong banks realize the goal is not to avoid risk, but rather to ensure that they understand it, and can earn an appropriate return for accepting and managing it.
As we emerge from this crisis with a set of specific lessons learned, and set about building stronger balance sheets with increased capital and liquidity, and improving governance and risk management frameworks, let’s also be sure we don’t overlook the importance of risk culture. It may be challenging to define, difficult to measure, and “hard stuff” to get our arms around. But it is what binds together and makes cohesive all of the other tools we use to manage risk and be successful.
Thank you for your attention today. I hope you enjoy the remainder of the conference. Now, I can take some of your questions.